Fix haproxy Let's Encrypt SSL path
With the release of the PKI role we broke the Let's Encrypt option, because the directories where certs should be located were changed and these changes were not reflected for Let's Encrypt. At the same time we should not generate a self-signed cert when the Let's Encrypt path is used. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/811742 Closes-Bug: #1938961 Change-Id: I1a6701b171782528373bc1d0a39e70e6d1ef20ab
This commit is contained in:
parent
96087b0867
commit
1195355b43
|
@ -75,14 +75,14 @@
|
|||
--text
|
||||
--rsa-key-size 4096
|
||||
--email {{ haproxy_ssl_letsencrypt_email }}
|
||||
--domains {{ external_lb_vip_address }}
|
||||
--domains {{ haproxy_bind_external_lb_vip_address }}
|
||||
{% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %}
|
||||
--http-01-port {{ haproxy_ssl_letsencrypt_certbot_backend_port }}
|
||||
--http-01-address {{ haproxy_ssl_letsencrypt_certbot_bind_address }}
|
||||
{% endif %}
|
||||
{{ haproxy_ssl_letsencrypt_setup_extra_params }}
|
||||
args:
|
||||
creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}/fullchain.pem"
|
||||
creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_bind_external_lb_vip_address }}/fullchain.pem"
|
||||
|
||||
- name: Create certbot pre hook
|
||||
template:
|
||||
|
@ -102,8 +102,10 @@
|
|||
|
||||
- name: Create new pem file for haproxy
|
||||
assemble:
|
||||
src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}"
|
||||
dest: "/etc/ssl/private/haproxy.pem"
|
||||
src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_bind_external_lb_vip_address }}"
|
||||
dest: "{{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ item ~ '.pem' }}"
|
||||
regexp: '(privkey|fullchain).pem$'
|
||||
with_items:
|
||||
- "{{ [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses }}"
|
||||
notify:
|
||||
- Reload haproxy
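Review bot: In the assemble task the `src` is built from `haproxy_bind_external_lb_vip_address` on every iteration while `dest` varies with `item`, so each entry of `extra_lb_tls_vip_addresses` gets a pem assembled from the primary VIP's certificate directory; if per-VIP certificates are intended this should read `src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ item }}"`. The certbot call in the `@ -75,14 +75,14 @@` hunk above only passes `--domains {{ haproxy_bind_external_lb_vip_address }}`, so no per-VIP live directories would exist anyway; either request the extra VIPs there as well or document that they deliberately share the primary VIP's certificate. The assembled file contains the private key (the `regexp` matches `privkey`) yet no `mode` is set, and `dest` has moved out of `/etc/ssl/private` into `haproxy_ssl_cert_path`; add `mode: "0600"` to the task so the key is not written with default umask permissions.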
|
||||
|
|
|
@ -5,7 +5,9 @@
|
|||
--standalone \
|
||||
--pre-hook "systemctl stop haproxy" \
|
||||
|
||||
cat /etc/letsencrypt/live/{{ external_lb_vip_address }}/{fullchain,privkey}.pem \
|
||||
> /etc/ssl/private/haproxy.pem
|
||||
{% for vip in [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses %}
|
||||
cat /etc/letsencrypt/live/{{ haproxy_bind_external_lb_vip_address }}/{fullchain,privkey}.pem \
|
||||
> {{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ vip ~ '.pem' }}
|
||||
{% endfor %}
|
||||
|
||||
systemctl reload haproxy
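Review bot: Inside the new `{% for vip in ... %}` loop the `cat` still reads `/etc/letsencrypt/live/{{ haproxy_bind_external_lb_vip_address }}/...` instead of the loop variable, so every `haproxy_<hostname>-<vip>.pem` receives the primary VIP's certificate and key; the line should be `cat /etc/letsencrypt/live/{{ vip }}/{fullchain,privkey}.pem \`. The identical loop in the `@ -1,7 +1,9 @@` hunk below has the same problem. The redirect also creates a file containing the private key under whatever umask the hook runs with, and the destination no longer lives in `/etc/ssl/private`; a `umask 077` line before the loop keeps the new pem files owner-readable only. The live path is hard-coded here while the task file uses `haproxy_ssl_letsencrypt_config_path` — presumably the same directory, but worth templating for consistency. The command this hunk continues (`--standalone \`) starts outside the hunk.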
|
||||
|
|
|
@ -1,7 +1,9 @@
|
|||
#!/bin/bash
|
||||
# renew cert if required and copy to haproxy destination
|
||||
|
||||
cat /etc/letsencrypt/live/{{ external_lb_vip_address }}/{fullchain,privkey}.pem \
|
||||
> /etc/ssl/private/haproxy.pem
|
||||
{% for vip in [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses %}
|
||||
cat /etc/letsencrypt/live/{{ haproxy_bind_external_lb_vip_address }}/{fullchain,privkey}.pem \
|
||||
> {{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ vip ~ '.pem' }}
|
||||
{% endfor %}
|
||||
|
||||
systemctl reload haproxy
|
||||
|
|