From 1195355b436dd497fd7318e7bb1e2d111a938256 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Thu, 30 Sep 2021 17:47:49 +0300
Subject: [PATCH] Fix haproxy Let's Encrypt SSL path

With releasing PKI role we broke Let's Encrypt option because of changing directories where certs should be located and not reflecting these changes for let's encrypt. At the same time we should not generate self-signed cert when let's encrypt path is used.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/811742
Closes-Bug: #1938961
Change-Id: I1a6701b171782528373bc1d0a39e70e6d1ef20ab
---
 tasks/haproxy_ssl_letsencrypt.yml | 10 ++++++----
 templates/letsencrypt_renew_certbot_auto.j2 | 6 ++++--
 templates/letsencrypt_renew_certbot_distro.j2 | 6 ++++--
 3 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/tasks/haproxy_ssl_letsencrypt.yml b/tasks/haproxy_ssl_letsencrypt.yml
index 205042b..67ca48c 100644
--- a/tasks/haproxy_ssl_letsencrypt.yml
+++ b/tasks/haproxy_ssl_letsencrypt.yml
@@ -75,14 +75,14 @@
 --text
 --rsa-key-size 4096
 --email {{ haproxy_ssl_letsencrypt_email }}
- --domains {{ external_lb_vip_address }}
+ --domains {{ haproxy_bind_external_lb_vip_address }}
 {% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %}
 --http-01-port {{ haproxy_ssl_letsencrypt_certbot_backend_port }}
 --http-01-address {{ haproxy_ssl_letsencrypt_certbot_bind_address }}
 {% endif %}
 {{ haproxy_ssl_letsencrypt_setup_extra_params }}
 args:
- creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}/fullchain.pem"
+ creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_bind_external_lb_vip_address }}/fullchain.pem"

 - name: Create certbot pre hook
 template:
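Review bot: The `--domains` argument still names only `{{ haproxy_bind_external_lb_vip_address }}`, while the assemble task in the @@ -102 hunk and both renew templates now produce a `haproxy_<hostname>-<vip>.pem` for every entry of `extra_lb_tls_vip_addresses` from that single certificate. If those extra entries are DNS names that clients connect to, they will be presented a certificate whose SANs do not cover them and fail hostname verification, so the per-VIP fan-out adds files but no usable TLS identity. Either request one certificate covering all names, e.g. `--domains {{ ([ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses) | join(',') }}`, or document on the assemble task that extra VIPs intentionally reuse the primary certificate. The `creates:` guard has the same single-VIP scope; the enclosing task starts before this hunk.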
@@ -102,8 +102,10 @@

 - name: Create new pem file for haproxy
 assemble:
- src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}"
- dest: "/etc/ssl/private/haproxy.pem"
+ src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_bind_external_lb_vip_address }}"
+ dest: "{{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ item ~ '.pem' }}"
 regexp: '(privkey|fullchain).pem$'
+ with_items:
+ - "{{ [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses }}"
 notify:
 - Reload haproxy
diff --git a/templates/letsencrypt_renew_certbot_auto.j2 b/templates/letsencrypt_renew_certbot_auto.j2
index 44ad603..61293f0 100644
--- a/templates/letsencrypt_renew_certbot_auto.j2
+++ b/templates/letsencrypt_renew_certbot_auto.j2
@@ -5,7 +5,9 @@
 --standalone \
 --pre-hook "systemctl stop haproxy" \
-cat /etc/letsencrypt/live/{{ external_lb_vip_address }}/{fullchain,privkey}.pem \
- > /etc/ssl/private/haproxy.pem
+{% for vip in [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses %}
+cat /etc/letsencrypt/live/{{ haproxy_bind_external_lb_vip_address }}/{fullchain,privkey}.pem \
+ > {{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ vip ~ '.pem' }}
+{% endfor %}
 systemctl reload haproxy
diff --git a/templates/letsencrypt_renew_certbot_distro.j2 b/templates/letsencrypt_renew_certbot_distro.j2
index 3f896f1..df5b2b9 100644
--- a/templates/letsencrypt_renew_certbot_distro.j2
+++ b/templates/letsencrypt_renew_certbot_distro.j2
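Review bot: The assemble task concatenates privkey.pem and fullchain.pem into one file under `haproxy_ssl_cert_path` with no `owner`, `group` or `mode`, so the key-bearing file gets the module's default permissions (derived from the remote umask) and is only as protected as that directory happens to be; the old destination at least lived in /etc/ssl/private, which is conventionally not world-accessible. Add `mode: "0600"` (quoted, per Ansible's octal convention) next to `regexp:`, plus the `owner`/`group` the haproxy process runs as if the role defines them. I cannot tell from this hunk how `haproxy_ssl_cert_path` is created, so if that directory is already restricted to root this is defence in depth rather than an exposure.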
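Review bot: The new loop changes only the destination: the source stays `/etc/letsencrypt/live/{{ haproxy_bind_external_lb_vip_address }}` rather than `{{ vip }}`, so every iteration copies the same primary-VIP key and chain under a different filename, and that directory is hardcoded while the task file uses `haproxy_ssl_letsencrypt_config_path`, so overriding that variable makes the renew hook read from a directory certbot no longer updates and haproxy keeps serving the old certificate after renewal. The `>` redirection also creates the file containing the private key with the hook's umask, which under cron or systemd timers is commonly 022, i.e. world-readable; add `umask 077` before the `{% for %}` line. letsencrypt_renew_certbot_distro.j2 (@@ -1,7) has the identical source path and redirection. The script's header is outside this hunk.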
@@ -1,7 +1,9 @@
 #!/bin/bash
 # renew cert if required and copy to haproxy destination
-cat /etc/letsencrypt/live/{{ external_lb_vip_address }}/{fullchain,privkey}.pem \
- > /etc/ssl/private/haproxy.pem
+{% for vip in [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses %}
+cat /etc/letsencrypt/live/{{ haproxy_bind_external_lb_vip_address }}/{fullchain,privkey}.pem \
+ > {{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ vip ~ '.pem' }}
+{% endfor %}
 systemctl reload haproxy
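Review bot: The script runs `systemctl reload haproxy` unconditionally, so if `cat` fails for one of the source files the redirection has already truncated the existing pem and haproxy is reloaded against a partial or empty key/cert, turning a failed renewal into an outage. Add `set -euo pipefail` after `#!/bin/bash` so the reload does not run after a failed copy, and preferably write each pem to a temporary file and `mv` it into place so a failure never leaves a truncated file behind. The same applies to letsencrypt_renew_certbot_auto.j2, whose script header is outside its hunk.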