@ -44,6 +44,11 @@
#
# Require the socat binary. DEPLOY_HAPROXY_STATS_SOCKET variable uses the socat
# address format.
#
# export DEPLOY_HAPROXY_MASTER_CLI="UNIX:/run/haproxy-master.sock"
#
# OPTIONAL: To use the master CLI with DEPLOY_HAPROXY_HOT_UPDATE="yes" instead
# of a stats socket, use this variable.
######## Public functions #####################
@ -54,6 +59,7 @@ haproxy_deploy() {
_ccert = " $3 "
_cca = " $4 "
_cfullchain = " $5 "
_cmdpfx = ""
# Some defaults
DEPLOY_HAPROXY_PEM_PATH_DEFAULT = "/etc/haproxy"
@ -148,6 +154,16 @@ haproxy_deploy() {
Le_Deploy_haproxy_stats_socket = " ${ DEPLOY_HAPROXY_STATS_SOCKET_DEFAULT } "
fi
# MASTER_CLI is optional. No defaults are used. When the master CLI is used,
# all commands are sent with a prefix.
_getdeployconf DEPLOY_HAPROXY_MASTER_CLI
_debug2 DEPLOY_HAPROXY_MASTER_CLI " ${ DEPLOY_HAPROXY_MASTER_CLI } "
if [ -n " ${ DEPLOY_HAPROXY_MASTER_CLI } " ] ; then
Le_Deploy_haproxy_stats_socket = " ${ DEPLOY_HAPROXY_MASTER_CLI } "
_savedomainconf Le_Deploy_haproxy_stats_socket " ${ Le_Deploy_haproxy_stats_socket } "
_cmdpfx = "@1 " # command prefix used for master CLI only.
fi
# Set the suffix depending if we are creating a bundle or not
if [ " ${ Le_Deploy_haproxy_bundle } " = "yes" ] ; then
_info "Bundle creation requested"
@ -297,18 +313,25 @@ haproxy_deploy() {
fi
if [ " ${ Le_Deploy_haproxy_hot_update } " = "yes" ] ; then
# Update certificate over HAProxy stats socket.
# set the socket name for messages
if [ -n " ${ _cmdpfx } " ] ; then
_socketname = "master CLI"
else
_socketname = "stats socket"
fi
# Update certificate over HAProxy stats socket or master CLI.
if _exists socat; then
# look for the certificate on the stats socket, to chose between updating or creating one
_socat_cert_cmd = " echo 'show ssl cert' | socat ' ${ _statssock } ' - | grep -q '^ ${ _pem } $' "
_socat_cert_cmd = " echo ' ${ _cmdpfx } show ssl cert' | socat '${ _statssock } ' - | grep -q '^ ${ _pem } $' "
_debug _socat_cert_cmd " ${ _socat_cert_cmd } "
eval " ${ _socat_cert_cmd } "
_ret = $?
if [ " ${ _ret } " != "0" ] ; then
_newcert = "1"
_info " Creating new certificate ' ${ _pem } ' over HAProxy stats socket . "
_info " Creating new certificate ' ${ _pem } ' over HAProxy ${ _socketname } ."
# certificate wasn't found, it's a new one. We should check if the crt-list exists and creates/inserts the certificate.
_socat_crtlist_show_cmd = " echo 'show ssl crt-list' | socat ' ${ _statssock } ' - | grep -q '^ ${ Le_Deploy_haproxy_pem_path } $' "
_socat_crtlist_show_cmd = " echo ' ${ _cmdpfx } show ssl crt-list' | socat '${ _statssock } ' - | grep -q '^ ${ Le_Deploy_haproxy_pem_path } $' "
_debug _socat_crtlist_show_cmd " ${ _socat_crtlist_show_cmd } "
eval " ${ _socat_crtlist_show_cmd } "
_ret = $?
@ -317,7 +340,7 @@ haproxy_deploy() {
return " ${ _ret } "
fi
# create a new certificate
_socat_new_cmd = " echo 'new ssl cert ${ _pem } ' | socat ' ${ _statssock } ' - | grep -q 'New empty' "
_socat_new_cmd = " echo ' ${ _cmdpfx } new ssl cert ${ _pem } ' | socat ' ${ _statssock } ' - | grep -q 'New empty' "
_debug _socat_new_cmd " ${ _socat_new_cmd } "
eval " ${ _socat_new_cmd } "
_ret = $?
@ -326,9 +349,9 @@ haproxy_deploy() {
return " ${ _ret } "
fi
else
_info " Update existing certificate ' ${ _pem } ' over HAProxy stats socket . "
_info " Update existing certificate ' ${ _pem } ' over HAProxy ${ _socketname } ."
fi
_socat_cert_set_cmd = " echo -e 'set ssl cert ${ _pem } <<\n $( cat " ${ _pem } " ) \n' | socat ' ${ _statssock } ' - | grep -q 'Transaction created' "
_socat_cert_set_cmd = " echo -e ' ${ _cmdpfx } set ssl cert ${ _pem } <<\n $( cat " ${ _pem } " ) \n' | socat ' ${ _statssock } ' - | grep -q 'Transaction created' "
_debug _socat_cert_set_cmd " ${ _socat_cert_set_cmd } "
eval " ${ _socat_cert_set_cmd } "
_ret = $?
@ -336,7 +359,7 @@ haproxy_deploy() {
_err " Can't update ' ${ _pem } ' in haproxy "
return " ${ _ret } "
fi
_socat_cert_commit_cmd = " echo 'commit ssl cert ${ _pem } ' | socat ' ${ _statssock } ' - | grep -q '^Success! $' "
_socat_cert_commit_cmd = " echo ' ${ _cmdpfx } commit ssl cert ${ _pem } ' | socat ' ${ _statssock } ' - | grep -q '^Success! $' "
_debug _socat_cert_commit_cmd " ${ _socat_cert_commit_cmd } "
eval " ${ _socat_cert_commit_cmd } "
_ret = $?
@ -346,7 +369,7 @@ haproxy_deploy() {
fi
if [ " ${ _newcert } " = "1" ] ; then
# if this is a new certificate, it needs to be inserted into the crt-list`
_socat_cert_add_cmd = " echo 'add ssl crt-list ${ Le_Deploy_haproxy_pem_path } ${ _pem } ' | socat ' ${ _statssock } ' - | grep -q 'Success!' "
_socat_cert_add_cmd = " echo ' ${ _cmdpfx } add ssl crt-list ${ Le_Deploy_haproxy_pem_path } ${ _pem } ' | socat ' ${ _statssock } ' - | grep -q 'Success!' "
_debug _socat_cert_add_cmd " ${ _socat_cert_add_cmd } "
eval " ${ _socat_cert_add_cmd } "
_ret = $?
@ -356,7 +379,7 @@ haproxy_deploy() {
fi
fi
else
_err "'socat' is not available, couldn't update over stats socket "
_err " 'socat' is not available, couldn't update over ${ _socketname } "
fi
else
# Reload HAProxy