Fix haproxy Let's Encrypt SSL path

With releasing PKI role we broke Let's Encrypt option because of changing directories where certs should be located and not reflecting these changes for let's encrypt. At the same time we should not generate self-signed cert when let's encrypt path is used. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/811742 Closes-Bug: #1938961 Change-Id: I1a6701b171782528373bc1d0a39e70e6d1ef20ab (cherry picked from commit 1195355b43)
2021-09-30 17:47:49 +03:00 · 2021-09-30 17:47:49 +03:00 · 00441b7108
commit 00441b7108
parent 4a04a03bf0
3 changed files with 14 additions and 8 deletions
--- a/tasks/haproxy_ssl_letsencrypt.yml
+++ b/tasks/haproxy_ssl_letsencrypt.yml
@ -75,14 +75,14 @@
    --text
    --rsa-key-size 4096
    --email {{ haproxy_ssl_letsencrypt_email }}
-    --domains {{ external_lb_vip_address }}
+    --domains {{ haproxy_bind_external_lb_vip_address }}
    {% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %}
    --http-01-port {{ haproxy_ssl_letsencrypt_certbot_backend_port }}
    --http-01-address {{ haproxy_ssl_letsencrypt_certbot_bind_address }}
    {% endif %}
    {{ haproxy_ssl_letsencrypt_setup_extra_params }}
  args:
-    creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}/fullchain.pem"
+    creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_bind_external_lb_vip_address }}/fullchain.pem"

 - name: Create certbot pre hook
  template:
@ -102,8 +102,10 @@

 - name: Create new pem file for haproxy
  assemble:
-    src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}"
-    dest: "/etc/ssl/private/haproxy.pem"
+    src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_bind_external_lb_vip_address }}"
+    dest: "{{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ item  ~ '.pem' }}"
    regexp: '(privkey|fullchain).pem$'
+  with_items:
+    - "{{ [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses }}"
  notify:
    - Reload haproxy
--- a/templates/letsencrypt_renew_certbot_auto.j2
+++ b/templates/letsencrypt_renew_certbot_auto.j2
@ -5,7 +5,9 @@
    --standalone \
    --pre-hook "systemctl stop haproxy" \

-cat /etc/letsencrypt/live/{{ external_lb_vip_address }}/{fullchain,privkey}.pem \
-    > /etc/ssl/private/haproxy.pem
+{% for vip in [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses %}
+cat /etc/letsencrypt/live/{{ haproxy_bind_external_lb_vip_address }}/{fullchain,privkey}.pem \
+    > {{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ vip  ~ '.pem' }}
+{% endfor %}

 systemctl reload haproxy
--- a/templates/letsencrypt_renew_certbot_distro.j2
+++ b/templates/letsencrypt_renew_certbot_distro.j2
@ -1,7 +1,9 @@
 #!/bin/bash
 # renew cert if required and copy to haproxy destination

-cat /etc/letsencrypt/live/{{ external_lb_vip_address }}/{fullchain,privkey}.pem \
-    > /etc/ssl/private/haproxy.pem
+{% for vip in [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses %}
+cat /etc/letsencrypt/live/{{ haproxy_bind_external_lb_vip_address }}/{fullchain,privkey}.pem \
+    > {{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ vip  ~ '.pem' }}
+{% endfor %}

 systemctl reload haproxy