Fix haproxy Let's Encrypt SSL path

With releasing PKI role we broke Let's Encrypt option because of changing directories where certs should be located and not reflecting these changes for let's encrypt. At the same time we should not generate self-signed cert when let's encrypt path is used. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/811742 Closes-Bug: #1938961 Change-Id: I1a6701b171782528373bc1d0a39e70e6d1ef20ab
2021-09-30 17:47:49 +03:00 · 2021-09-30 17:47:49 +03:00 · 1195355b43
parent 96087b0867
commit 1195355b43
3 changed files with 14 additions and 8 deletions
--- a/tasks/haproxy_ssl_letsencrypt.yml
+++ b/tasks/haproxy_ssl_letsencrypt.yml
@ -75,14 +75,14 @@
    --text
    --rsa-key-size 4096
    --email {{ haproxy_ssl_letsencrypt_email }}
-    --domains {{ external_lb_vip_address }}
+    --domains {{ haproxy_bind_external_lb_vip_address }}
    {% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %}
    --http-01-port {{ haproxy_ssl_letsencrypt_certbot_backend_port }}
    --http-01-address {{ haproxy_ssl_letsencrypt_certbot_bind_address }}
    {% endif %}
    {{ haproxy_ssl_letsencrypt_setup_extra_params }}
  args:
-    creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}/fullchain.pem"
+    creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_bind_external_lb_vip_address }}/fullchain.pem"

 - name: Create certbot pre hook
  template:
@ -102,8 +102,10 @@

 - name: Create new pem file for haproxy
  assemble:
-    src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}"
-    dest: "/etc/ssl/private/haproxy.pem"
+    src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_bind_external_lb_vip_address }}"
+    dest: "{{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ item  ~ '.pem' }}"
    regexp: '(privkey|fullchain).pem$'
+  with_items:
+    - "{{ [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses }}"
  notify:
    - Reload haproxy
--- a/templates/letsencrypt_renew_certbot_auto.j2
+++ b/templates/letsencrypt_renew_certbot_auto.j2
@ -5,7 +5,9 @@
    --standalone \
    --pre-hook "systemctl stop haproxy" \

-cat /etc/letsencrypt/live/{{ external_lb_vip_address }}/{fullchain,privkey}.pem \
-    > /etc/ssl/private/haproxy.pem
+{% for vip in [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses %}
+cat /etc/letsencrypt/live/{{ haproxy_bind_external_lb_vip_address }}/{fullchain,privkey}.pem \
+    > {{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ vip  ~ '.pem' }}
+{% endfor %}

 systemctl reload haproxy
--- a/templates/letsencrypt_renew_certbot_distro.j2
+++ b/templates/letsencrypt_renew_certbot_distro.j2
@ -1,7 +1,9 @@
 #!/bin/bash
 # renew cert if required and copy to haproxy destination

-cat /etc/letsencrypt/live/{{ external_lb_vip_address }}/{fullchain,privkey}.pem \
-    > /etc/ssl/private/haproxy.pem
+{% for vip in [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses %}
+cat /etc/letsencrypt/live/{{ haproxy_bind_external_lb_vip_address }}/{fullchain,privkey}.pem \
+    > {{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ vip  ~ '.pem' }}
+{% endfor %}

 systemctl reload haproxy