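#!/bin/bash
# Certbot post-renewal hook for HAProxy
# Managed by Ansible - DO NOT EDIT MANUALLY
#
# This script:
# 1. Combines fullchain.pem + privkey.pem into HAProxy format
# 2. Sets correct permissions
# 3. Reloads HAProxy via systemd
# 4. Updates certificate metrics for Prometheus
#
# Required environment:
#   RENEWED_LINEAGE - lineage directory holding fullchain.pem and privkey.pem;
#                     set by certbot --deploy-hook, or passed explicitly by
#                     deploy.yml.
#
# Exit status: non-zero on any failure (set -e), which certbot reports as a
# failed deploy hook.

set -euo pipefail

CERT_DIR="${RENEWED_LINEAGE:?RENEWED_LINEAGE must be set}"
CERT_NAME=$(basename "${CERT_DIR}")
HAPROXY_CERT="{{ haproxy_cert_path }}"
# shellcheck disable=SC2034  # currently unused by this hook
HAPROXY_DIR="{{ haproxy_directory }}"

# Timestamped progress line on stdout (certbot captures hook output).
log() {
  printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*"
}

# Diagnostics go to stderr so they are not mixed with progress output.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

log "Starting renewal hook for ${CERT_NAME}"

# Both inputs must exist, be non-empty and be readable by this process.
if [[ ! -r "${CERT_DIR}/fullchain.pem" || ! -s "${CERT_DIR}/fullchain.pem" ]] \
  || [[ ! -r "${CERT_DIR}/privkey.pem" || ! -s "${CERT_DIR}/privkey.pem" ]]; then
  die "Certificate files not found, empty or unreadable in ${CERT_DIR}"
fi

# The destination directory must exist for the staging file and the rename.
HAPROXY_CERT_DIR=$(dirname "${HAPROXY_CERT}")
[[ -d "${HAPROXY_CERT_DIR}" ]] || die "Target directory ${HAPROXY_CERT_DIR} does not exist"

# Stage the combined file next to the destination. mktemp creates it with
# mode 0600 regardless of umask, so the private key is never world-readable,
# not even for the instant between the write below and the chmod (a plain
# "> file.tmp" would be created with the default umask, typically 0644).
# Same directory => same filesystem => mv(1) below is an atomic rename.
TMP_CERT=$(mktemp "${HAPROXY_CERT}.XXXXXX") || die "mktemp failed in ${HAPROXY_CERT_DIR}"

# Remove the staging file on any exit path; a no-op once it has been renamed.
cleanup() {
  rm -f -- "${TMP_CERT}"
}
trap cleanup EXIT

# HAProxy requires the chain and the private key in a single PEM file.
# Redirecting into the existing 0600 file truncates it and keeps its mode.
cat "${CERT_DIR}/fullchain.pem" "${CERT_DIR}/privkey.pem" > "${TMP_CERT}"

# Apply ownership and mode to the staging file BEFORE it becomes live, so the
# published path is never observable with the wrong permissions.
chown {{ certbot_user }}:{{ haproxy_group }} "${TMP_CERT}"
chmod 640 "${TMP_CERT}"

# Atomic replace: HAProxy either sees the old file or the complete new one.
mv -f -- "${TMP_CERT}" "${HAPROXY_CERT}"

log "Certificate combined and written to ${HAPROXY_CERT}"

# Reload HAProxy only if it is running; a stopped service picks the new file
# up on its next start.
if systemctl is-active --quiet haproxy; then
  log "Reloading HAProxy..."
  # A failed reload aborts the hook (set -e) so certbot reports it; the
  # running HAProxy processes keep serving the previous certificate.
  systemctl reload haproxy
  log "HAProxy reloaded"
else
  log "HAProxy not running, skipping reload"
fi

# Update certificate metrics. Runs last on purpose: if it fails, the hook
# exits non-zero and certbot reports it, but the certificate is already
# deployed and HAProxy already reloaded at this point.
{{ certbot_directory }}/hooks/cert-metrics.sh

log "Renewal hook completed successfully"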