Use a certbot pre-hook to ensure haproxy backend is up before renewal

We use the built-in python3 http server to bring up a temporary backend
on the node which wants to renew a certificate. The timeout is set so that
the haproxy health check has noticed the backend come up before certbot
runs.
There is otherwise a race condition between the haproxy healthcheck and
the certbot challenge request arriving at the acme-challenge endpoint.
Change-Id: I2f5f9457c43c68f2881bf9d44f43434ca7b43859
Author: Jonathan Rosser
Date: 2020-04-30 06:58:41 +01:00
parent 28eb2c1d1d
commit dbc8fe1fe2
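A hardened form of the pre-hook this commit introduces, written for this page as an illustration and not taken from the project (openstack-ansible-haproxy_server ships the four-line template shown in the diff below). It assumes `python3`, `timeout` and `mktemp` are on the PATH, reads its settings from hypothetical environment variables `HOLD_ADDR`, `HOLD_PORT`, `CHECK_INTER` and `CHECK_RISE` in place of the Ansible template variables, and derives the hold time from the haproxy check timing rather than using a fixed number. It adds three things the original script leaves out: the listener is rooted in an empty scratch directory so the hook's working directory is never served, the expected `timeout` exit status 124 is mapped to success so certbot does not see a failed hook on every renewal, and an early exit of the listener is reported as a failure instead of letting certbot run straight into the race.

```shell
#!/bin/bash
# Hardened certbot pre-hook for the haproxy/letsencrypt health-check race.
# Added example, not the project's template. The hook name haproxy-pre comes
# from the install path in the diff; the HOLD_*/CHECK_* variables and the
# default check timing below are this example's own assumptions.
set -u

# hold_seconds INTER RISE [MARGIN]
# haproxy marks a backend UP only after RISE consecutive successful checks
# spaced INTER seconds apart, so a hold shorter than INTER*RISE can never
# work; MARGIN absorbs check jitter. Echoes the number of seconds to hold.
hold_seconds() {
  local inter="$1" rise="$2" margin="${3:-1}"
  echo $(( inter * rise + margin ))
}

# hold_for SECS CMD...
# Run CMD under timeout(1) and succeed only if timeout had to kill it
# (status 124): that is the one outcome meaning the port stayed open for the
# whole hold. Any other status means the listener died early (port busy,
# python3 missing, crash), so the hook fails loudly instead of silently.
hold_for() {
  local secs="$1"; shift
  timeout "$secs" "$@"
  local st=$?
  if [ "$st" -eq 124 ]; then
    return 0
  fi
  echo "temporary backend exited early (status $st)" >&2
  return 1
}

# serve_empty ADDR PORT SECS
# Bring up python3's http.server on ADDR:PORT for SECS seconds, rooted in a
# fresh empty directory. certbot runs hooks as root from whatever directory
# it was started in, so serving the working directory would expose e.g.
# /root or /etc/letsencrypt to anything haproxy forwards during the hold.
serve_empty() {
  local addr="$1" port="$2" secs="$3" scratch
  scratch="$(mktemp -d)" || return 1
  ( cd "$scratch" && hold_for "$secs" python3 -m http.server "$port" --bind "$addr" )
  local st=$?
  rm -rf "$scratch"
  return "$st"
}

main() {
  # Assumed settings; an Ansible template would substitute these instead.
  local addr="${HOLD_ADDR:-127.0.0.1}" port="${HOLD_PORT:-8888}"
  local secs
  secs="$(hold_seconds "${CHECK_INTER:-2}" "${CHECK_RISE:-2}" 1)"
  echo "holding $addr:$port up for ${secs}s so haproxy marks this node UP" >&2
  serve_empty "$addr" "$port" "$secs"
}

# Run the hold only when executed under the installed hook name; under any
# other name (or when sourced) the file just defines the functions above.
case "$(basename "$0")" in
  haproxy-pre) main "$@" ;;
esac
```

Installed as `/etc/letsencrypt/renewal-hooks/pre/haproxy-pre` it behaves like the original template but fails the renewal hook visibly when the listener cannot hold the port, which is the case the original script cannot distinguish from success.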


@@ -82,6 +82,9 @@ haproxy_ssl_letsencrypt_enable: false
haproxy_ssl_letsencrypt_install_method:"certbot-auto"
haproxy_ssl_letsencrypt_certbot_auto_binary:"{{ haproxy_ssl_letsencrypt_install_path }}/{{ haproxy_ssl_letsencrypt_download_url | basename }}"
haproxy_ssl_letsencrypt_certbot_binary:"{{ (haproxy_ssl_letsencrypt_install_method == 'certbot-auto') | ternary(haproxy_ssl_letsencrypt_certbot_auto_binary, 'certbot') }}"
haproxy_ssl_letsencrypt_certbot_backend_port:8888
haproxy_ssl_letsencrypt_pre_hook_timeout:5
haproxy_ssl_letsencrypt_certbot_bind_address:"{{ ansible_host }}"
haproxy_ssl_letsencrypt_email:"example@example.com"
haproxy_ssl_letsencrypt_download_url:"https://dl.eff.org/certbot-auto"
haproxy_ssl_letsencrypt_venv:"/opt/eff.org/certbot/venv"
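Review bot: `haproxy_ssl_letsencrypt_pre_hook_timeout:5` carries no comment tying it to the haproxy health check it exists for, yet the value is only correct while it exceeds the time haproxy needs to mark the backend UP (check interval times the rise count). Anyone tuning the haproxy check timing gets no hint here that this default must move with it, and a hold that is too short reintroduces the race the commit message describes. Suggest a comment on that line stating the dependency, e.g. "must be longer than inter * rise of the acme-challenge backend health check".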


@@ -75,6 +75,13 @@
args:
creates:"{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}/fullchain.pem"
- name:Create certbot pre hook
template:
src:letsencrypt_pre_hook_certbot_distro.j2
dest:/etc/letsencrypt/renewal-hooks/pre/haproxy-pre
mode:0755
when:haproxy_ssl_letsencrypt_install_method == 'distro'
- name:Create certbot post renewal hook
template:
src:letsencrypt_renew_certbot_distro.j2
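Review bot: the pre hook is only created under `when:haproxy_ssl_letsencrypt_install_method == 'distro'`, so deployments on the `certbot-auto` method (the default in the defaults file above) keep the race this change is meant to close; either add a matching task for certbot-auto or document that the fix is distro-only. Separately, certbot runs the `renewal-hooks/pre` directory only from `certbot renew`, so the initial issuance task just above (guarded by `creates:.../fullchain.pem`) still races the health check unless that command passes `--pre-hook` itself.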


@@ -0,0 +1,4 @@
#!/bin/bash
# swing load balancer over to this node by starting temporary http server for {{ haproxy_ssl_letsencrypt_pre_hook_timeout }} seconds
timeout {{ haproxy_ssl_letsencrypt_pre_hook_timeout }} python3 -m http.server {{ haproxy_ssl_letsencrypt_certbot_backend_port }} --bind {{ haproxy_ssl_letsencrypt_certbot_bind_address }}
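Review bot: `python3 -m http.server` serves the current working directory, and this hook runs as root from whatever directory certbot was started in, so for the hold period anything haproxy forwards to the backend port can list and fetch that directory over plain HTTP; change into an empty scratch directory first (`cd "$(mktemp -d)"`, or `--directory` on Python 3.7+). Also, timeout(1) exits 124 when it kills the server, so the hook's normal path always returns nonzero and certbot will report the pre hook as failed on every renewal, while a server that dies immediately (port busy, python3 missing) is indistinguishable from success. Capture the status and treat only 124 as success:
`timeout ... python3 -m http.server ...; st=$?`
`[ "$st" -eq 124 ] && exit 0`
`exit "$st"`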
openstack/openstack-ansible-haproxy_server