Allow certbot to update certs in HAProxy's config dir #33
Conversation
The original patch only updated the certs in memory, so restarting HAProxy would load the old certs.
how does this interact with haproxy's startup behavior if a cert is present in say site-config or /etc/kolla/haproxy?
Will haproxy load the "static one", then a letsencrypt renewal will overwrite it?
Can we make haproxy load the one from the letsencrypt volume on startup, if present, and remove the race?
we want to avoid writing to the kolla config dir, it is populated from the templates during genconfig and deploy
can we write the assembled cert into the letsencrypt volume instead, and have haproxy load it if present? (as was done previously)
@@ -53,4 +53,5 @@ letsencrypt_certbot_default_volumes: | |||
- "letsencrypt_acme_webroot:/www/data" | |||
- "kolla_logs:/var/log/kolla/" | |||
- "haproxy_socket:/var/lib/kolla/haproxy" | |||
- "/etc/kolla/haproxy:/etc/kolla/haproxy" |
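Review bot: the new `"/etc/kolla/haproxy:/etc/kolla/haproxy"` entry bind-mounts a host directory read-write into the certbot container, so a config directory that kolla-ansible regenerates on every run now also receives writes from a second, unrelated process; whichever runs last wins, and the certbot-written `haproxy.pem` (which contains the private key) will silently disappear or be replaced on the next deploy. Prefer a dedicated named volume for the assembled certificate, as the neighbouring `haproxy_socket` and `letsencrypt_acme_webroot` entries already do, mounted read-only on the HAProxy side, and let the path come from the same templated variable kolla uses rather than a literal here.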
a couple issues:
- this path is hardcoded here, but templated in kolla
- contents of this dir will get overwritten by kolla-ansible runs if a cert is present in site-config
@@ -7,7 +7,9 @@ for domain in {{ letsencrypt_domains | join(' ') }}; do | |||
cert_path="/etc/haproxy/certs.d/haproxy.pem" | |||
# Get the full text of the certificate, deleting any blank lines (OpenSSL doesn't like those) | |||
full_cert=$(cat $le_base/$domain/fullchain.pem $le_base/$domain/privkey.pem | sed '/^[[:blank:]]*$/ d') | |||
# Start a transaction to update the certificate | |||
# Copy the cert to haproxy's config dir | |||
echo $full_cert | tee $cert_path /etc/haproxy/haproxy.pem |
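Review bot: on the last line, `echo $full_cert` expands the variable unquoted, so the shell word-splits the PEM text and `echo` rejoins it with single spaces; the files written by `tee` end up as one long line that neither HAProxy nor OpenSSL will parse, which defeats the blank-line stripping done two lines earlier. Use `printf '%s\n' "$full_cert" | tee "$cert_path" /etc/haproxy/haproxy.pem` (and quote `$le_base/$domain/...` in the `cat` for the same reason). Since the combined file also contains `privkey.pem`, `tee` will create it with the default umask; set `umask 077` before the write or `chmod 600` the outputs afterwards so the key is not world-readable. The comment `# Start a transaction to update the certificate` now sits directly above a plain file copy and should either be moved back to the socket/transaction step it describes or dropped.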
same issue as above, this writes into a config dir, but will get overwritten when cc-ansible runs.
Having HAProxy manage its own Let's Encrypt cert brings us right back to where we were before. I think maybe we should look at a different solution. What about:
This would allow Let's Encrypt to manage its own certs, and tell HAProxy to use them, without stomping all over any TLS configuration manually set by the user (in case they want to switch back and forth). I think this solution might also solve ChameleonCloud/chi-in-a-box#116. @msherman64
This, however, would cause HAProxy to load a bad cert if the container was restarted with
Closing this after discussing with Mike in slack