Install self-signed certificate before certbot has run for the first time
This patch changes the logic for generating a self signed certificate to also run when letsencrypt is being used. This temporary self signed cert is generated before haproxy is restarted with its full configuration, and before certbot has been run to generate the initial LE cert. This is necessary because haproxy will not start correctly if it is configured to use an ssl certificate but none is present. This would be the case with the previous code before certbot has run for the first time. This patch also removes the task which stops haproxy before running certbot. It is no longer necessary to do this as haproxy is able to start correctly using the initial self-signed cert. Change-Id: I6591243737b3a1bb369393439e1c44929f2f945b
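--- a/PATH_NOT_ON_PAGE_1
+++ b/PATH_NOT_ON_PAGE_1
@@ -20,16 +20,11 @@
   tags:
     - haproxy-ssl
 
+#NOTE (jrosser) the self signed certificate is also needed for bootstrapping
+#letsencrypt, as haproxy will not start with ssl config but a missing certificate
 - include_tasks: haproxy_ssl_self_signed.yml
   when:
     - haproxy_ssl | bool
-    - not haproxy_ssl_letsencrypt_enable | bool
-    - haproxy_user_ssl_cert is not defined or haproxy_user_ssl_key is not defined
-
-- include_tasks: haproxy_ssl_letsencrypt.yml
-  when:
-    - haproxy_ssl | bool
-    - haproxy_ssl_letsencrypt_enable | bool
     - haproxy_user_ssl_cert is not defined or haproxy_user_ssl_key is not defined
 
 - include_tasks: haproxy_ssl_user_provided.yml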
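Review bot: The two comment lines added above `- include_tasks: haproxy_ssl_self_signed.yml` are written `#NOTE (jrosser) …` with no space after `#`, while the comment this same commit adds in front of `- meta: flush_handlers` uses `# NOTE(jrosser) …`; yamllint's comments rule expects the space, so `# NOTE(jrosser) the self signed certificate is also needed for bootstrapping` and `# letsencrypt, as haproxy will not start with ssl config but a missing certificate` keep the two files consistent. Since this include now also runs when haproxy_ssl_letsencrypt_enable is true, whatever haproxy_ssl_self_signed.yml writes to the certificate path presumably happens on re-runs as well unless that file guards on an existing certificate; it is not on this page, so confirm it cannot replace a certificate certbot has already issued with a fresh self-signed one.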
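--- a/PATH_NOT_ON_PAGE_2
+++ b/PATH_NOT_ON_PAGE_2
@@ -61,12 +61,6 @@
     state: present
   when: haproxy_ssl_letsencrypt_install_method == 'distro'
 
-- name: Stop haproxy for certbot activity
-  service:
-    name: "haproxy"
-    state: "stopped"
-  when: lcdatadir.stat.exists == False
-
 - name: Create first time ssl cert with certbot
   command: >
     {{ haproxy_ssl_letsencrypt_certbot_binary }} certonly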
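--- a/PATH_NOT_ON_PAGE_3
+++ b/PATH_NOT_ON_PAGE_3
@@ -39,3 +39,12 @@
 - include_tasks: haproxy_post_install.yml
   tags:
     - haproxy_server-config
+
+# NOTE(jrosser) we must reload the haproxy config before doing the first time certbot setup to ensure the letsencypt backend is configured
+- meta: flush_handlers
+
+- include_tasks: haproxy_ssl_letsencrypt.yml
+  when:
+    - haproxy_ssl | bool
+    - haproxy_ssl_letsencrypt_enable | bool
+    - haproxy_user_ssl_cert is not defined or haproxy_user_ssl_key is not defined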
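Review bot: The new `- include_tasks: haproxy_ssl_letsencrypt.yml` carries no `tags:`, unlike the `haproxy_post_install.yml` include directly above it, so a run limited with `--tags` would skip the first-time certbot issuance while still applying the surrounding tagged tasks; if that is not intended, give the include `tags:` with `- haproxy-ssl`, the tag visible on the ssl tasks in the first hunk. The comment before `- meta: flush_handlers` misspells `letsencypt` (should be `letsencrypt`) and runs well past 120 columns; splitting it over two `# NOTE(jrosser)` lines reads better and matches the comment style used elsewhere in this commit.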