Commit Graph

29 Commits

Author SHA1 Message Date
William Lallemand
e09d45c844 haproxy; don't use '*' in the filename for wildcard domain
By default acme.sh uses the '*' character in the filename for wildcard.
That can be confusing within HAProxy since the * character in front of a
filename in the stat socket is used to specified an uncommitted
transaction.

This patch replace the '*' by a '_' in the filename.
This is only done when using the default filename, the name can still be
forced with an asterisk.
2023-12-01 15:35:31 +01:00
William Lallemand
36fc321096 haproxy: use the master CLI for hot update
DEPLOY_HAPROXY_MASTER_CLI allows to use the HAProxy master CLI instead
of a stats socket for DEPLOY_HAPROXY_HOT_UPDATE="yes"

The syntax of the master CLI is slightly different, a prefix with the
process number need to be added before any command.

This patch uses ${_cmdpfx} in front of every socat commands which is
filled when the master CLI is used.
2023-11-30 15:22:51 +01:00
William Lallemand
98a7a01dbb haproxy: deploy script can add a new certificate over the stats socket
DEPLOY_HAPROXY_HOT_UPDATE="yes" now allows to add a new certificate
within HAProxy instead of updating an existing one.

In order to work, the ${DEPLOY_HAPROXY_PEM_PATH} value must be used as a
parameter to the "crt" keyword in the haproxy configuration.

The patch uses the following commands over HAProxy stats socket:
- show ssl cert
- new ssl cert
- set ssl cert
- commit ssl cert
- add ssl crt-list
2023-11-30 14:00:44 +01:00
William Lallemand
0f7be90500 haproxy: deploy script can update existing certificate over stats socket
Since version 2.2, HAProxy is able to update dynamically certificates,
without a reload.

This patch uses socat to push the certificate into HAProxy in order to
achieve hot update. With this method, reloading is not required.
This should be used only to update an existing certificate in haproxy.

2 new variables are available:

- DEPLOY_HAPROXY_HOT_UPDATE="yes" update over the stats socket instead
  of reloading

- DEPLOY_HAPROXY_STATS_SOCKET="UNIX:/run/haproxy/admin.sock" set the path on
  the stats socket.
2023-11-30 14:00:44 +01:00
William Lallemand
7aaf4432d4 haproxy: sanitize the PEM in the deploy script
Sanitize the PEM of the haproxy deploy script by removing the '\n', this
way it could be injected directly over the CLI.
2023-11-30 14:00:41 +01:00
podguzovvasily
8ca5ca6594
Update haproxy.sh
resolved issue with HAProxy https://github.com/acmesh-official/acme.sh/issues/4788
according https://serversforhackers.com/c/letsencrypt-with-haproxy
2023-10-24 16:58:47 +03:00
Glenn Strauss
8419b42e83 use ${ACME_OPENSSL_BIN:-openssl} instead of openssl
(requested by @Neilpang in #3687)
2021-09-30 19:00:39 -04:00
Glenn Strauss
c43c711f72 use _getdeployconf instead of sourcing DOMAIN_CONF
(requested by @Neilpang in #3394)

github: closes #3394
2021-09-01 16:37:10 -04:00
Felix Bünemann
cf5952f508
fix haproxy deploy hook ocsp update
fixes ocsp reponse update failing with `Responder Error: unauthorized (6)`
by removing `-no_nonce` switch from `openssl oscp` command .
2020-05-02 22:14:21 +02:00
xpac1985
e184a1b9e6
haproxy deploy script now compatible with OpenSSL v1.1+
haproxy deploy script now compatible with OpenSSL v1.1+

The OpenSSL OCSP request for haproxy deployment breaks from OpenSSL v1.1.0 on.
The format of the `-header` option has been changed and does now contain a `=` instead of a whitespace.
Other projects have hit the same issue:
https://github.com/nghttp2/nghttp2/issues/742

This commit determines the OpenSSL/LibreSSL version and then adjusts the request accordingly.
Also removed the duplicate command line and added some more debug output.
2020-02-20 23:28:55 +01:00
neilpang
1a126b700f fix https://github.com/Neilpang/acme.sh/issues/2252 2019-05-08 22:13:33 +08:00
andrewheberle
454c90820d
Actually set reload default 2018-09-28 08:57:13 +08:00
andrewheberle
31d9ba7e02
Change default for reload 2018-09-28 08:45:18 +08:00
andrewheberle
8d348954a7
Whitepspace 2018-05-14 13:22:46 +08:00
andrewheberle
7d19d784df
Update cert suffix for bundles .ocsp generation 2018-05-14 13:16:56 +08:00
andrewheberle
733b4e0a34
Fix Le_Keylength case 2018-05-14 11:26:03 +08:00
andrewheberle
08d29a8342
Fix return from reload 2018-05-14 10:58:46 +08:00
andrewheberle
ba20af48d3
Support HAPROXY_DEPLOY_PEM_PATH
Adds compatibility to original haproxy deploy hook while still allowing custom PEM file name (via HAPROXY_DEPLOY_PEM_NAME)
2018-05-10 15:25:28 +08:00
andrewheberle
707e053949
whitespace fixes 2018-05-10 12:18:03 +08:00
andrewheberle
c47e67e52c
Fix variable name 2018-05-10 12:06:25 +08:00
andrewheberle
6567bb4c12
Update haproxy deploy hook
Add functionality to add OCSP stapling info (.ocsp file), issuer (.issuer file) and multi-cert bundles (suffix on pem file based on key type).

This also corrects the order of key, certificate and intermediate in the PEM file, which although HAProxy does not seem to care, was incorrect in the prior version.
2018-05-10 11:51:59 +08:00
Daniel Watrous
afe5cb588d
update for POSIX compliance 2018-05-04 10:25:54 -05:00
Daniel Watrous
e9e999542d
add reload 2018-05-04 10:14:31 -05:00
Daniel Watrous
5f593994c7
remove more whitespace (trying to get TravisCI working) 2018-05-03 12:25:11 -05:00
Daniel Watrous
ec73aeba16
remove whitespace 2018-05-03 12:17:26 -05:00
Daniel Watrous
7573e560b6
Add conditional check to ensure path is provided 2018-05-03 10:06:05 -05:00
Daniel Watrous
360dc140ea
implement basic haproxy deploy
HAProxy requires the certificate chain and key to be concatenated and placed somewhere (can be anywhere). This script expects a single environment variable with the path where the concatenated PEM file should be written
2018-05-03 01:28:56 -05:00
neilpang
f845b371ce fix format 2017-02-19 20:40:53 +08:00
neilpang
3a1bd3114b add hooks, not implemented yet. 2017-02-19 20:35:32 +08:00