1195355b43
With releasing PKI role we broke Let's Encrypt option because of changing directories where certs should be located and not reflecting these changes for let's encrypt. At the same time we should not generate self-signed cert when let's encrypt path is used. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/811742 Closes-Bug: #1938961 Change-Id: I1a6701b171782528373bc1d0a39e70e6d1ef20ab
14 lines
506 B
Django/Jinja
14 lines
506 B
Django/Jinja
#!/bin/bash
|
|
# renew cert if required and copy to haproxy destination
|
|
|
|
{{ haproxy_ssl_letsencrypt_venv }}/bin/certbot renew \
|
|
--standalone \
|
|
--pre-hook "systemctl stop haproxy" \
|
|
|
|
{% for vip in [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses %}
|
|
cat /etc/letsencrypt/live/{{ haproxy_bind_external_lb_vip_address }}/{fullchain,privkey}.pem \
|
|
> {{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ vip ~ '.pem' }}
|
|
{% endfor %}
|
|
|
|
systemctl reload haproxy
|