Allow certbot to update certs in HAProxy's config dir #33
Conversation
The original patch only updated the certs in memory, so restarting HAProxy would load the old certs.
There was a problem hiding this comment.
how does this interact with haproxy's startup behavior if a cert is present in say site-config or /etc/kolla/haproxy?
Will haproxy load the "static one", then a letsenrypt renewal will overwrite it?
Can we make haproxy load the one from the letsencrypt volume on startup, if present, and remove the race?
| @@ -53,4 +53,5 @@ letsencrypt_certbot_default_volumes: | |||
| - "letsencrypt_acme_webroot:/www/data" | |||
| - "kolla_logs:/var/log/kolla/" | |||
| - "haproxy_socket:/var/lib/kolla/haproxy" | |||
| - "/etc/kolla/haproxy:/etc/kolla/haproxy" | |||
There was a problem hiding this comment.
a couple issues:
- this path is hardcoded here, but templated in kolla
- contents of this dir will get overwritten by kolla-ansible runs if a cert is present in site-config
| @@ -7,7 +7,9 @@ for domain in {{ letsencrypt_domains | join(' ') }}; do | |||
| cert_path="/etc/haproxy/certs.d/haproxy.pem" | |||
| # Get the full text of the certificate, deleting any blank lines (OpenSSL doesn't like those) | |||
| full_cert=$(cat $le_base/$domain/fullchain.pem $le_base/$domain/privkey.pem | sed '/^[[:blank:]]*$/ d') | |||
| # Start a transaction to update the certificate | |||
| # Copy the cert to haproxy's config dir | |||
| echo $full_cert | tee $cert_path /etc/haproxy/haproxy.pem | |||
There was a problem hiding this comment.
same issue as above, this writes into a config dir, but will get overwritten when cc-ansible runs.
Having HAProxy manage its own Let's Encrypt cert brings us right back to where we were before. I think maybe we should look at a different solution. What about:
This would allow Let's Encrypt to manage its own certs, and tell HAProxy to use them, without stomping all over any TLS configuration manually set by the user (in case they want to switch back and forth). I think this solution might also solve ChameleonCloud/chi-in-a-box#116. @msherman64 |
This, however, would cause HAProxy to load a bad cert if the container was restarted with |
|
Closing this after discussing with Mike in slack |
The original patch only updated the certs in memory, so restarting
HAProxy would load the old certs.