commit 0343893881dce50bf9786265e4b2ea77972114b6
Author: Dmitriy Rabotyagov
Date: Fri Sep 11 18:17:42 2020 +0300
Define http-01 params with already provided variables
There's no real need in asking user to manually provide http-01 port and address when we already have corresponding variables we rely on.
Change-Id: Id0d2a73c863d9bbb8b6280ce42f918127baea354
diff --git a/defaults/main.yml b/defaults/main.yml
index 3bd2b84..c6e46f3 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -57,10 +57,10 @@ haproxy_service_configs: []
 # white_list:
 # rule: "src 127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
 # backend_name: "mybackend"
-# haproxy_frontend_acls:
-# letsencrypt-acl:
-# rule: "path_beg /.well-known/acme-challenge/"
-# backend_name: letsencrypt
+# haproxy_frontend_acls:
+# letsencrypt-acl:
+# rule: "path_beg /.well-known/acme-challenge/"
+# backend_name: letsencrypt
 galera_monitoring_user: monitoring
 haproxy_bind_on_non_local: False
@@ -86,6 +86,7 @@ haproxy_ssl_letsencrypt_certbot_binary: "{{ (haproxy_ssl_letsencrypt_install_met
 haproxy_ssl_letsencrypt_certbot_backend_port: 8888
 haproxy_ssl_letsencrypt_pre_hook_timeout: 5
 haproxy_ssl_letsencrypt_certbot_bind_address: "{{ ansible_host }}"
+haproxy_ssl_letsencrypt_certbot_challenge: "http-01"
 haproxy_ssl_letsencrypt_email: "example@example.com"
 haproxy_ssl_letsencrypt_download_url: "https://dl.eff.org/certbot-auto"
 haproxy_ssl_letsencrypt_venv: "/opt/eff.org/certbot/venv"
@@ -95,6 +96,10 @@ haproxy_ssl_letsencrypt_setup_extra_params: ""
 haproxy_ssl_letsencrypt_cron_minute: "0"
 haproxy_ssl_letsencrypt_cron_hour: "0"
 haproxy_ssl_letsencrypt_cron_weekday: "0"
+haproxy_ssl_letsencrypt_acl:
+ letsencrypt-acl:
+ rule: "path_beg /.well-known/acme-challenge/"
+ backend_name: letsencrypt
 # hatop extra package URL and checksum
 haproxy_hatop_download_url: "https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/hatop/hatop-0.7.7.tar.gz"
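Review bot: The new default `haproxy_ssl_letsencrypt_certbot_challenge: "http-01"` carries no comment about what values are accepted, and the tasks in this change only ever compare the string against `'http-01'`, so a typo such as `http01` silently drops the `--http-01-*` arguments and the pre-hook instead of failing. A comment above the default would set expectations: `# Only "http-01" is wired up by this role; any other value skips the http-01 options and pre-hook, so pass what certbot needs via haproxy_ssl_letsencrypt_setup_extra_params.` If unsupported values are meant to be rejected until more challenges land, an `assert` on the variable at the top of the letsencrypt tasks would turn the silent skip into an early, explicit failure.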
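Review bot: `haproxy_ssl_letsencrypt_acl` is added to the defaults, but nothing in this change reads it — none of the tasks touched here reference it and the release note does not mention it — so it is unclear whether the role is expected to merge it into the frontend ACLs or the deployer is expected to reference it. A comment above the new mapping would make the intent explicit, e.g. `# ACL routing ACME http-01 challenges to the "letsencrypt" backend; reference it from haproxy_frontend_acls (see the commented example above).` If the role itself is supposed to apply it, that wiring is not visible in this patch and would need to land with it.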
diff --git a/doc/source/configure-haproxy.rst b/doc/source/configure-haproxy.rst
index 7f22bdb..5247b33 100644
--- a/doc/source/configure-haproxy.rst
+++ b/doc/source/configure-haproxy.rst
@@ -164,7 +164,6 @@ The following variables must be set for the haproxy hosts.
 haproxy_ssl_letsencrypt_enable: True
 haproxy_ssl_letsencrypt_install_method: "distro"
- haproxy_ssl_letsencrypt_setup_extra_params: "--http-01-address {{ ansible_host }} --http-01-port 8888"
 haproxy_ssl_letsencrypt_email: example@example.com
 haproxy_interval: 2000
@@ -218,7 +217,8 @@ node plus each of the others, and direct any incoming acme-challenge
 requests to the HAProxy instance which is performing a renewal.
 It is necessary to configure certbot to bind to the HAproxy node local
-internal IP address via the --http-01-address parameter in a H/A setup
+internal IP address via the haproxy_ssl_letsencrypt_certbot_bind_address
+variable in a H/A setup.
 Using Certificates from LetsEncrypt (legacy method)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/releasenotes/notes/haproxy_letsencrypt-4a13c7911a20b993.yaml b/releasenotes/notes/haproxy_letsencrypt-4a13c7911a20b993.yaml
new file mode 100644
index 0000000..55aba22
--- /dev/null
+++ b/releasenotes/notes/haproxy_letsencrypt-4a13c7911a20b993.yaml
@@ -0,0 +1,16 @@
+---
+upgrade:
+ - |
+ There's no need in providing neither `http-01-address` nor `http-01-port`
+ options with `haproxy_ssl_letsencrypt_setup_extra_params`, as they are now
+ configured with corresponding variables
+ `haproxy_ssl_letsencrypt_certbot_bind_address` and
+ `haproxy_ssl_letsencrypt_certbot_backend_port`
+features:
+ - |
+ Added variable `haproxy_ssl_letsencrypt_certbot_challenge` which is default
+ to `http-01`. As for now really tested in only `http-01` but we keep door
+ open for adding support for more challanges, like `dns-01`. For `http-01`
+ all required arguments are passed, but oth other challanges you might want
+ to use `haproxy_ssl_letsencrypt_setup_extra_params` to pass missing
+ arguments.
diff --git a/tasks/haproxy_ssl_letsencrypt.yml b/tasks/haproxy_ssl_letsencrypt.yml
index 70645b2..205042b 100644
--- a/tasks/haproxy_ssl_letsencrypt.yml
+++ b/tasks/haproxy_ssl_letsencrypt.yml
@@ -63,9 +63,11 @@
 - name: Create first time ssl cert with certbot
 shell: >
+ {% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %}
 timeout {{ haproxy_ssl_letsencrypt_pre_hook_timeout }}
 python3 -m http.server {{ haproxy_ssl_letsencrypt_certbot_backend_port }}
 --bind {{ haproxy_ssl_letsencrypt_certbot_bind_address }} || true &&
+ {% endif %}
 {{ haproxy_ssl_letsencrypt_certbot_binary }}
 certonly
 --standalone
 --agree-tos
@@ -74,6 +76,10 @@
 --rsa-key-size 4096
 --email {{ haproxy_ssl_letsencrypt_email }}
 --domains {{ external_lb_vip_address }}
+ {% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %}
+ --http-01-port {{ haproxy_ssl_letsencrypt_certbot_backend_port }}
+ --http-01-address {{ haproxy_ssl_letsencrypt_certbot_bind_address }}
+ {% endif %}
 {{ haproxy_ssl_letsencrypt_setup_extra_params }}
 args:
 creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}/fullchain.pem"
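Review bot: The new `{% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %}` guard in the first-run shell task skips the placeholder `python3 -m http.server` for other challenge types, but `--standalone` a few lines below stays unconditional, and certbot's standalone authenticator only answers http-01, so a deployer who sets `dns-01` and supplies a DNS authenticator through `haproxy_ssl_letsencrypt_setup_extra_params` would be handing certbot two authenticators, and which one wins is not something this hunk shows. Wrapping `--standalone` in the same conditional keeps the http-01 path byte-identical and leaves the other path entirely to the extra params: `{% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %}` / `--standalone` / `{% endif %}`. A comment on the guarded `timeout ... python3 -m http.server ... || true &&` line would also help the next reader, since it is not obvious why a throwaway HTTP server (which serves the task's working directory on the bind address for the timeout window) runs before certbot; presumably it lets the haproxy backend check see the port up first, but that should be confirmed and written down. The task continues into the next hunk.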
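Review bot: `--http-01-port` and `--http-01-address` are now derived from the role variables, but this task is still guarded by `creates: .../fullchain.pem`, so on an already-deployed host it never runs again and certbot keeps whatever http-01 settings were recorded at first issuance (certbot persists these options in its per-domain renewal config, as far as I can tell); changing `haproxy_ssl_letsencrypt_certbot_bind_address` or `_backend_port` afterwards therefore has no effect on renewals. That deserves a sentence in the upgrade section of the release note and a comment on the `creates:` line, e.g. `# First issuance only; later changes to the http-01 port/address are not propagated to certbot's saved renewal config.` If the pre-hook template in the following hunk also embeds the port and bind address, the hook and certbot's saved settings can drift apart after such a change.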
@@ -83,7 +89,9 @@
 src: letsencrypt_pre_hook_certbot_distro.j2
 dest: /etc/letsencrypt/renewal-hooks/pre/haproxy-pre
 mode: 0755
- when: haproxy_ssl_letsencrypt_install_method == 'distro'
+ when:
+ - haproxy_ssl_letsencrypt_install_method == 'distro'
+ - haproxy_ssl_letsencrypt_certbot_challenge == 'http-01'
 - name: Create certbot post renewal hook
 template:
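Review bot: Gating the pre-renewal hook on `haproxy_ssl_letsencrypt_certbot_challenge == 'http-01'` only stops the file from being written; a host first deployed with http-01 and later switched to another challenge keeps the stale `/etc/letsencrypt/renewal-hooks/pre/haproxy-pre`, which certbot will continue to execute on every renewal. A paired task that removes the hook when the challenge is not http-01 makes the switch clean and keeps the role convergent. The post-hook task that follows is cut off here, so I cannot tell whether it needs the same treatment.
```yaml
# … unchanged: Create certbot pre renewal hook task …

- name: Remove certbot pre renewal hook when not using http-01
  file:
    path: /etc/letsencrypt/renewal-hooks/pre/haproxy-pre
    state: absent
  when:
    - haproxy_ssl_letsencrypt_install_method == 'distro'
    - haproxy_ssl_letsencrypt_certbot_challenge != 'http-01'
```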