From eae8fb5186369e53da3d9003cb0161c518f1188a Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Wed, 23 Aug 2017 12:20:20 +0300
Subject: HAProxy: Make certmonger bundle the cert and key on renewal

the postsave command is ran by certmonger when a certificate is requested (which will happen on certificate renewal). The previous command given didn't take into account the file that haproxy expects, which is a bundled PEM file with both the certificate and the key. Thus, certmonger would have never generated a new bundle that haproxy would use, resulting in haproxy always having an old bundle after certificate expiration. This fixes that.

Change-Id: Idb650d35f56abaf6a17e17794a068dd5933e6a62
Closes-Bug: #1712514
(cherry picked from commit e1791a37d557b14bb8f833363cabe5c98e151548)
---
 manifests/certmonger/haproxy.pp | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp
index 266054f..97efe59 100644
--- a/manifests/certmonger/haproxy.pp
+++ b/manifests/certmonger/haproxy.pp
@@ -74,7 +74,20 @@ define tripleo::certmonger::haproxy (
 $dnsnames_real = $hostname
 }
 
- $postsave_cmd_real = pick($postsave_cmd, 'if systemctl -q is-active haproxy; then systemctl reload haproxy; else true; fi')
+ if $certmonger_ca == 'local' {
+ $ca_fragment = $ca_pem
+ } else {
+ $ca_fragment = ''
+ }
+
+ $concat_pem = "cat ${service_certificate} ${ca_fragment} ${service_key} > ${service_pem}"
+ if $postsave_cmd {
+ $postsave_cmd_real = "${concat_pem} && ${postsave_cmd}"
+ } else {
+ $reload_haproxy_cmd = 'if systemctl -q is-active haproxy; then systemctl reload haproxy; else true; fi'
+ $postsave_cmd_real = "${concat_pem} && ${reload_haproxy_cmd}"
+ }
+
 certmonger_certificate { "${title}-cert":
 ensure => 'present',
 ca => $certmonger_ca,
-- 
cgit 1.2.3-korg
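Review bot: The bundle written by `$concat_pem` contains the private key, yet `cat … > ${service_pem}` truncates the live file before writing and, if the file does not already exist, creates it under whatever umask the calling process has. If any input is unreadable at renewal time (for example the CA file when `$certmonger_ca == 'local'`), the on-disk bundle is left partial; the `&&` skips the reload, but a later haproxy restart would load a broken PEM. Consider writing to a temporary file under a restrictive umask and renaming it into place, e.g. `$concat_pem = "umask 077 && cat ${service_certificate} ${ca_fragment} ${service_key} > ${service_pem}.tmp && mv -f ${service_pem}.tmp ${service_pem}"`, provided the resulting owner and mode still match what the rest of the define sets for `${service_pem}` (not visible in this hunk). The command also depends on a shell interpreting `>` and `&&`, and the paths are interpolated unquoted, so it is worth confirming how certmonger executes the post-save command. The body of the define continues outside the hunk.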