Merge "Use a certbot pre-hook to ensure haproxy backend is up before renewal"

defaults/main.yml

@@ -82,6 +82,9 @@ haproxy_ssl_letsencrypt_enable: false
 haproxy_ssl_letsencrypt_install_method: "certbot-auto"
 haproxy_ssl_letsencrypt_certbot_auto_binary: "{{ haproxy_ssl_letsencrypt_install_path }}/{{ haproxy_ssl_letsencrypt_download_url | basename }}"
 haproxy_ssl_letsencrypt_certbot_binary: "{{ (haproxy_ssl_letsencrypt_install_method == 'certbot-auto') | ternary(haproxy_ssl_letsencrypt_certbot_auto_binary, 'certbot') }}"
+haproxy_ssl_letsencrypt_certbot_backend_port: 8888
+haproxy_ssl_letsencrypt_pre_hook_timeout: 5
+haproxy_ssl_letsencrypt_certbot_bind_address: "{{ ansible_host }}"
 haproxy_ssl_letsencrypt_email: "example@example.com"
 haproxy_ssl_letsencrypt_download_url: "https://dl.eff.org/certbot-auto"
 haproxy_ssl_letsencrypt_venv: "/opt/eff.org/certbot/venv"

tasks/haproxy_ssl_letsencrypt.yml

@@ -75,6 +75,13 @@
   args:
     creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}/fullchain.pem"
 
+- name: Create certbot pre hook
+  template:
+    src: letsencrypt_pre_hook_certbot_distro.j2
+    dest: /etc/letsencrypt/renewal-hooks/pre/haproxy-pre
+    mode: 0755
+  when: haproxy_ssl_letsencrypt_install_method == 'distro'
+
 - name: Create certbot post renewal hook
   template:
     src: letsencrypt_renew_certbot_distro.j2

templates/letsencrypt_pre_hook_certbot_distro.j2

@@ -0,0 +1,4 @@
+#!/bin/bash
+# swing load balancer over to this node by starting temporary http server for {{ haproxy_ssl_letsencrypt_pre_hook_timeout }} seconds
+
+timeout {{ haproxy_ssl_letsencrypt_pre_hook_timeout }} python3 -m http.server {{ haproxy_ssl_letsencrypt_certbot_backend_port }} --bind {{ haproxy_ssl_letsencrypt_certbot_bind_address }}