a254facacf
This patch changes the logic for generating a self signed certificate to also run when letsencrypt is being used. This temporary self signed cert is generated before haproxy is restarted with its full configuration, and before certbot has been run to generate the initial LE cert. This is necessary because haproxy will not start correctly if it is configured to use an ssl certificate but none is present. This would be the case with the previous code before certbot has run for the first time. This patch also removes the task which stops haproxy before running certbot. It is no longer necessary to do this as haproxy is able to start correctly using the initial self-signed cert. Change-Id: I6591243737b3a1bb369393439e1c44929f2f945b
31 lines
1.1 KiB
YAML
31 lines
1.1 KiB
YAML
---
|
|
# Copyright 2015, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Ensure the private ssl directory exists
|
|
file:
|
|
dest: "/etc/ssl/private"
|
|
state: "directory"
|
|
tags:
|
|
- haproxy-ssl
|
|
|
|
#NOTE (jrosser) the self signed certificate is also needed for bootstrapping
|
|
#letsencrypt, as haproxy will not start with ssl config but a missing certificate
|
|
- include_tasks: haproxy_ssl_self_signed.yml
|
|
when:
|
|
- haproxy_ssl | bool
|
|
- haproxy_user_ssl_cert is not defined or haproxy_user_ssl_key is not defined
|
|
|
|
- include_tasks: haproxy_ssl_user_provided.yml
|