
Merge "Fix venv installation of Letsencrypt certbot"

Zuul 1 month ago
parent
commit
c06b4a09e9
3 changed files with 13 additions and 3 deletions
  1. 1
    0
      defaults/main.yml
  2. 11
    2
      tasks/haproxy_ssl_letsencrypt.yml
  3. 1
    1
      templates/letsencrypt_renew.j2

+ 1
- 0
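--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -75,6 +75,7 @@ haproxy_ssl_bind_options: "force-tlsv12"
 haproxy_ssl_letsencrypt_enable: false
 haproxy_ssl_letsencrypt_email: "example@example.com"
 haproxy_ssl_letsencrypt_download_url: "https://dl.eff.org/certbot-auto"
+haproxy_ssl_letsencrypt_venv: "/opt/eff.org/certbot/venv"
 haproxy_ssl_letsencrypt_config_path: "/etc/letsencrypt/live"
 haproxy_ssl_letsencrypt_install_path: "/opt/letsencrypt"
 haproxy_ssl_letsencrypt_cron_minute: "0"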
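Review bot: `haproxy_ssl_letsencrypt_venv` is only read in this change, by the `creates:` guard of the new install task and by the certbot path in the renew template; nothing visible hands it to certbot-auto, so it describes where the script installs rather than controlling it. An operator who overrides it would get an install task that reruns on every play and a renew job pointing at a path that does not exist. A comment above the default would make that explicit, for example `# Where certbot-auto creates its venv; must match the script's own install location.` If relocation is meant to be supported, certbot-auto reads a `VENV_PATH` environment variable that the install task could set from this value; confirm that against the script version being downloaded.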

+ 11
- 2
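--- a/tasks/haproxy_ssl_letsencrypt.yml
+++ b/tasks/haproxy_ssl_letsencrypt.yml
@@ -35,6 +35,14 @@
     path: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}"
   register: lcdatadir
 
+- name: Install certbot
+  shell: >
+    PIP_INDEX_URL="https://pypi.org/simple/"
+    {{ haproxy_ssl_letsencrypt_install_path }}/{{ haproxy_ssl_letsencrypt_download_url | basename }}
+    --install-only
+  args:
+    creates: "{{ haproxy_ssl_letsencrypt_venv }}"
+
 - name: Stop haproxy for certbot activity
   service:
     name: "haproxy"
@@ -51,11 +59,12 @@
     --rsa-key-size 4096
     --email {{ haproxy_ssl_letsencrypt_email }}
     --domains {{ external_lb_vip_address }}
-    creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}/fullchain.pem"
+  args:
+    creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}-0001/fullchain.pem"
 
 - name: Create new pem file for haproxy
   assemble:
-    src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}"
+    src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}-0001"
     dest: "/etc/ssl/private/haproxy.pem"
     regexp: '(privkey|fullchain).pem$'
   notify: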
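Review bot: The `-0001` suffix hard-coded into the `creates:` path and the `assemble` `src:` in the second hunk ties idempotence and the haproxy key material to certbot's internal lineage numbering, which, as far as I know, is appended only when the lineage name is already in use. On a host where the certificate lands in the un-suffixed directory, or in `-0002` after a later re-issue, `creates:` never matches, so every play stops haproxy and requests a new certificate, and `/etc/ssl/private/haproxy.pem` is assembled from a missing or stale directory. Pinning the name removes the guess: add `--cert-name {{ external_lb_vip_address }}` to the certonly command and point `creates:` and `src:` at the un-suffixed path. The certonly task starts above the hunk, so the rest of its command line is not visible here.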

+ 1
- 1
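--- a/templates/letsencrypt_renew.j2
+++ b/templates/letsencrypt_renew.j2
@@ -1,7 +1,7 @@
 #!/bin/bash
 # renew cert if required and copy to haproxy destination
 
-certbot renew \
+{{ haproxy_ssl_letsencrypt_venv }}/bin/certbot renew \
     --standalone \
     --pre-hook "systemctl stop haproxy" \
 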
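Review bot: The certbot path on the changed line is expanded unquoted into a script that cron presumably runs as root, so the value of `haproxy_ssl_letsencrypt_venv` decides which binary root executes. Quoting the expansion, `"{{ haproxy_ssl_letsencrypt_venv }}/bin/certbot" renew \`, keeps a path containing spaces from being split into a different command. A comment noting that the directory must be root-owned and not writable by other users would document the trust assumption. The rest of the script lies outside the hunk, so whether it checks certbot's exit status before copying the certificate cannot be judged from here.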
