Merge "Fix haproxy Let's Encrypt SSL path"

2021-10-15 11:21:44 +00:00 · 2021-10-15 11:21:44 +00:00 · 27efcbd7bd
parent a8593a876e 1195355b43
commit 27efcbd7bd
3 changed files with 14 additions and 8 deletions
--- a/tasks/haproxy_ssl_letsencrypt.yml
+++ b/tasks/haproxy_ssl_letsencrypt.yml
@ -75,14 +75,14 @@
    --text
    --rsa-key-size 4096
    --email {{ haproxy_ssl_letsencrypt_email }}
-    --domains {{ external_lb_vip_address }}
+    --domains {{ haproxy_bind_external_lb_vip_address }}
    {% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %}
    --http-01-port {{ haproxy_ssl_letsencrypt_certbot_backend_port }}
    --http-01-address {{ haproxy_ssl_letsencrypt_certbot_bind_address }}
    {% endif %}
    {{ haproxy_ssl_letsencrypt_setup_extra_params }}
  args:
-    creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}/fullchain.pem"
+    creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_bind_external_lb_vip_address }}/fullchain.pem"

 - name: Create certbot pre hook
  template:
@ -102,8 +102,10 @@

 - name: Create new pem file for haproxy
  assemble:
-    src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}"
-    dest: "/etc/ssl/private/haproxy.pem"
+    src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_bind_external_lb_vip_address }}"
+    dest: "{{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ item  ~ '.pem' }}"
    regexp: '(privkey|fullchain).pem$'
+  with_items:
+    - "{{ [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses }}"
  notify:
    - Reload haproxy
--- a/templates/letsencrypt_renew_certbot_auto.j2
+++ b/templates/letsencrypt_renew_certbot_auto.j2
@ -5,7 +5,9 @@
    --standalone \
    --pre-hook "systemctl stop haproxy" \

-cat /etc/letsencrypt/live/{{ external_lb_vip_address }}/{fullchain,privkey}.pem \
-    > /etc/ssl/private/haproxy.pem
+{% for vip in [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses %}
+cat /etc/letsencrypt/live/{{ haproxy_bind_external_lb_vip_address }}/{fullchain,privkey}.pem \
+    > {{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ vip  ~ '.pem' }}
+{% endfor %}

 systemctl reload haproxy
--- a/templates/letsencrypt_renew_certbot_distro.j2
+++ b/templates/letsencrypt_renew_certbot_distro.j2
@ -1,7 +1,9 @@
 #!/bin/bash
 # renew cert if required and copy to haproxy destination

-cat /etc/letsencrypt/live/{{ external_lb_vip_address }}/{fullchain,privkey}.pem \
-    > /etc/ssl/private/haproxy.pem
+{% for vip in [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses %}
+cat /etc/letsencrypt/live/{{ haproxy_bind_external_lb_vip_address }}/{fullchain,privkey}.pem \
+    > {{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ vip  ~ '.pem' }}
+{% endfor %}

 systemctl reload haproxy