Use a certbot pre-hook to ensure haproxy backend is up before renewal
We use the built in python3 http server to bring up a temporary backend on the node which wants to renew a certificate. The timeout set so that the haproxy health check has noticed the backend come up before certbot runs. There is otherwise a race condition between the haproxy healthcheck and the certbot challenge request arriving at the acme-challenge endpoint. Change-Id: I2f5f9457c43c68f2881bf9d44f43434ca7b43859
This commit is contained in:
Jonathan Rosser
4
templates/letsencrypt_pre_hook_certbot_distro.j2
Normal file
4
templates/letsencrypt_pre_hook_certbot_distro.j2
Normal file
@@ -0,0 +1,4 @@
|
||||
#!/bin/bash
|
||||
# swing load balancer over to this node by starting temporary http server for {{ haproxy_ssl_letsencrypt_pre_hook_timeout }} seconds
|
||||
|
||||
timeout {{ haproxy_ssl_letsencrypt_pre_hook_timeout }} python3 -m http.server {{ haproxy_ssl_letsencrypt_certbot_backend_port }} --bind {{ haproxy_ssl_letsencrypt_certbot_bind_address }}
|
||||
Reference in New Issue
Block a user