Previously, certmonger tried to reload haproxy every time a certificate
was requested. This is useful for certificate resubmits or renewals.
However, it turned out to be problematic during installation, when
haproxy is not yet active: the reload would be retried many times and
end up in a race condition with puppet.
This change checks whether haproxy is active and only then attempts to
reload it.
Closes-Bug: #1712377
Change-Id: I4edd42b888a0bbbb8eb0e71f5c17750bac46c2ce
(cherry picked from commit fe25c53fe9)
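#!/bin/bash
#
# Resubmit a certmonger-tracked certificate request, build the combined PEM
# bundle haproxy expects (certificate followed by private key) and, only when
# haproxy is already running, ask it to reload so the new bundle is served.
#
# Arguments (positional, in this order):
#   $1  CERT_FILE         path of the certificate file written by certmonger
#   $2  KEY_FILE          path of the matching private key file
#   $3  OUTPUT_FILE       path of the combined cert+key PEM handed to haproxy
#   $4  REQUEST_NICKNAME  certmonger request nickname/id passed to
#                         `getcert resubmit -i`
#
# Exit status: 0 on success; 1 on missing/invalid arguments, a failed
# `getcert resubmit`, or a failed write of OUTPUT_FILE.

CERT_FILE="$1"
KEY_FILE="$2"
OUTPUT_FILE="$3"
REQUEST_NICKNAME="$4"

# All diagnostics go to stderr so they are not mistaken for script output.
if [[ -z "$CERT_FILE" || -z "$KEY_FILE" || -z "$OUTPUT_FILE" ]]; then
    echo "You need to provide CERT_FILE KEY_FILE and finally OUTPUT_FILE" \
         "as arguments in that order." >&2
    exit 1
fi

if [[ ! -f "$CERT_FILE" || ! -f "$KEY_FILE" ]]; then
    echo "Certificate and key files must exist!" >&2
    exit 1
fi

if [[ -z "$REQUEST_NICKNAME" ]]; then
    echo "Request nickname must be specified in arguments." >&2
    exit 1
fi

# add additional EKUs so clients that rely strictly on RFC5280 understand that
# they are allowed to accept the certificate as having valid extensions.
# -w waits for the request to complete. If the resubmit fails we must not go
# on to bundle and reload a stale certificate, so abort here instead of
# ignoring the exit status.
if ! getcert resubmit -i "$REQUEST_NICKNAME" -w -v -U id-kp-clientAuth \
        -U id-kp-serverAuth; then
    echo "getcert resubmit failed for request '$REQUEST_NICKNAME'" >&2
    exit 1
fi

# haproxy wants the certificate and private key concatenated into one PEM.
# Paths are quoted so spaces or glob characters cannot split or expand them.
# NOTE(review): OUTPUT_FILE contains the private key and is created with the
# caller's umask — confirm that is restrictive (or set `umask 077` before this
# write) so the key is not world-readable; an existing file keeps its mode.
if ! cat -- "$CERT_FILE" "$KEY_FILE" > "$OUTPUT_FILE"; then
    echo "Failed to write combined certificate/key to $OUTPUT_FILE" >&2
    exit 1
fi

# Only reload when haproxy is already running: during installation it is not
# yet active and reloading would fail repeatedly and race with puppet.
if systemctl -q is-active haproxy; then
    systemctl reload haproxy
fi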