From dbc8fe1fe2ec675655624ec7ee3996b20ee6e7a4 Mon Sep 17 00:00:00 2001
From: Jonathan Rosser
Date: Thu, 30 Apr 2020 06:58:41 +0100
Subject: [PATCH] Use a certbot pre-hook to ensure haproxy backend is up before renewal

We use the built in python3 http server to bring up a temporary backend on the node which wants to renew a certificate. The timeout set so that the haproxy health check has noticed the backend come up before certbot runs. There is otherwise a race condition between the haproxy healthcheck and the certbot challenge request arriving at the acme-challenge endpoint.

Change-Id: I2f5f9457c43c68f2881bf9d44f43434ca7b43859
---
 defaults/main.yml | 3 +++
 tasks/haproxy_ssl_letsencrypt.yml | 7 +++++++
 templates/letsencrypt_pre_hook_certbot_distro.j2 | 4 ++++
 3 files changed, 14 insertions(+)
 create mode 100644 templates/letsencrypt_pre_hook_certbot_distro.j2

diff --git a/defaults/main.yml b/defaults/main.yml
index ad7001f..f470e66 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -82,6 +82,9 @@ haproxy_ssl_letsencrypt_enable: false
 haproxy_ssl_letsencrypt_install_method: "certbot-auto"
 haproxy_ssl_letsencrypt_certbot_auto_binary: "{{ haproxy_ssl_letsencrypt_install_path }}/{{ haproxy_ssl_letsencrypt_download_url | basename }}"
 haproxy_ssl_letsencrypt_certbot_binary: "{{ (haproxy_ssl_letsencrypt_install_method == 'certbot-auto') | ternary(haproxy_ssl_letsencrypt_certbot_auto_binary, 'certbot') }}"
+haproxy_ssl_letsencrypt_certbot_backend_port: 8888
+haproxy_ssl_letsencrypt_pre_hook_timeout: 5
+haproxy_ssl_letsencrypt_certbot_bind_address: "{{ ansible_host }}"
 haproxy_ssl_letsencrypt_email: "example@example.com"
 haproxy_ssl_letsencrypt_download_url: "https://dl.eff.org/certbot-auto"
 haproxy_ssl_letsencrypt_venv: "/opt/eff.org/certbot/venv"
diff --git a/tasks/haproxy_ssl_letsencrypt.yml b/tasks/haproxy_ssl_letsencrypt.yml
index c9bd583..c86670b 100644
--- a/tasks/haproxy_ssl_letsencrypt.yml
+++ b/tasks/haproxy_ssl_letsencrypt.yml
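Review bot: The three new defaults carry no comment, yet each is coupled to configuration that is not in this diff: the port presumably has to equal both the port certbot's standalone http-01 server listens on and the port haproxy's acme-challenge backend targets, and the 5-second `haproxy_ssl_letsencrypt_pre_hook_timeout` only does its job if it exceeds that backend's health-check `inter` × `rise`, otherwise haproxy never marks the temporary server UP before it exits. I would add one line above each, e.g. `# Must match the port haproxy's acme-challenge backend targets and certbot's http-01 port` and `# Must exceed the haproxy health-check inter * rise of the acme-challenge backend, or the node never goes UP`. `{{ ansible_host }}` is also the address Ansible itself connects to, which on a deployment with a separate management network may not be the address haproxy health-checks; a comment stating that the bind address must be the backend address haproxy uses would save the next operator a confusing failed renewal.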
@@ -75,6 +75,13 @@
   args:
     creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}/fullchain.pem"
 
+- name: Create certbot pre hook
+  template:
+    src: letsencrypt_pre_hook_certbot_distro.j2
+    dest: /etc/letsencrypt/renewal-hooks/pre/haproxy-pre
+    mode: 0755
+  when: haproxy_ssl_letsencrypt_install_method == 'distro'
+
 - name: Create certbot post renewal hook
   template:
     src: letsencrypt_renew_certbot_distro.j2
diff --git a/templates/letsencrypt_pre_hook_certbot_distro.j2 b/templates/letsencrypt_pre_hook_certbot_distro.j2
new file mode 100644
index 0000000..bdeb744
--- /dev/null
+++ b/templates/letsencrypt_pre_hook_certbot_distro.j2
@@ -0,0 +1,4 @@
+#!/bin/bash
+# swing load balancer over to this node by starting temporary http server for {{ haproxy_ssl_letsencrypt_pre_hook_timeout }} seconds
+
+timeout {{ haproxy_ssl_letsencrypt_pre_hook_timeout }} python3 -m http.server {{ haproxy_ssl_letsencrypt_certbot_backend_port }} --bind {{ haproxy_ssl_letsencrypt_certbot_bind_address }}
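Review bot: `mode: 0755` in the new "Create certbot pre hook" task is an unquoted leading-zero literal; a YAML 1.1 parser such as PyYAML reads it as the integer 493, which Ansible's file-mode handling happens to accept, but the form is fragile across parsers and is what ansible-lint flags as a risky octal. Write it as `mode: "0755"`, which also matches the quoting style the role uses for its other string values in defaults/main.yml. The rest of the task is fine; it mirrors the existing post-renewal hook task directly below it.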
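Review bot: `python3 -m http.server` serves the process's current working directory, and certbot runs renewal hooks as root from whatever cwd the `certbot renew` timer or cron job inherited, so for the whole timeout window any client that can reach `{{ haproxy_ssl_letsencrypt_certbot_bind_address }}:{{ haproxy_ssl_letsencrypt_certbot_backend_port }}` directly, bypassing haproxy's path routing, gets a directory listing of that location, plausibly `/`. The hook should `cd` into a freshly created empty directory before starting the server (`--directory` would do the same but needs Python 3.7+, so `cd` is the portable choice). Separately, `timeout` exits 124 when it kills the server on schedule, which is the intended outcome here, yet as far as I recall certbot logs any non-zero pre-hook exit as a hook error on every renewal, so mapping 124 to 0 keeps real failures distinguishable in the log. The whole script is within the hunk.
```shell
#!/bin/bash
# swing load balancer over to this node by starting temporary http server for {{ haproxy_ssl_letsencrypt_pre_hook_timeout }} seconds

# Serve an empty scratch directory, never the cwd this hook inherited from certbot.
scratch="$(mktemp -d)"
trap 'rm -rf "${scratch}"' EXIT
cd "${scratch}" || exit 1

timeout {{ haproxy_ssl_letsencrypt_pre_hook_timeout }} python3 -m http.server {{ haproxy_ssl_letsencrypt_certbot_backend_port }} --bind {{ haproxy_ssl_letsencrypt_certbot_bind_address }}
rc=$?
# 124 means timeout stopped the server as planned; anything else is a real failure.
[ "${rc}" -eq 124 ] && exit 0
exit "${rc}"
```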