Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/load-balancing_reverse-proxy.py32
-rwxr-xr-xsrc/conf_mode/protocols_bgp.py8
-rwxr-xr-xsrc/conf_mode/service_dhcp-server.py2
-rwxr-xr-xsrc/conf_mode/system_host-name.py6
4 files changed, 40 insertions, 8 deletions
diff --git a/src/conf_mode/load-balancing_reverse-proxy.py b/src/conf_mode/load-balancing_reverse-proxy.py
index 7338fe573..2a0acd84a 100755
--- a/src/conf_mode/load-balancing_reverse-proxy.py
+++ b/src/conf_mode/load-balancing_reverse-proxy.py
@@ -55,6 +55,29 @@ def get_config(config=None):
return lb
+def _verify_cert(lb: dict, config: dict) -> None:
+ if 'ca_certificate' in config['ssl']:
+ ca_name = config['ssl']['ca_certificate']
+ pki_ca = lb['pki'].get('ca')
+ if pki_ca is None:
+ raise ConfigError(f'CA certificates does not exist in PKI')
+ else:
+ ca = pki_ca.get(ca_name)
+ if ca is None:
+ raise ConfigError(f'CA certificate "{ca_name}" does not exist')
+
+ elif 'certificate' in config['ssl']:
+ cert_names = config['ssl']['certificate']
+ pki_certs = lb['pki'].get('certificate')
+ if pki_certs is None:
+ raise ConfigError(f'Certificates does not exist in PKI')
+
+ for cert_name in cert_names:
+ pki_cert = pki_certs.get(cert_name)
+ if pki_cert is None:
+ raise ConfigError(f'Certificate "{cert_name}" does not exist')
+
+
def verify(lb):
if not lb:
return None
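Review bot: In `_verify_cert` the `elif 'certificate' in config['ssl']` branch is skipped whenever `ca_certificate` is also present, so an `ssl` node that carries both keys never has its certificate names checked against the PKI; a second plain `if 'certificate' in config['ssl']:` would validate both. `lb['pki']` is indexed directly, so if `get_config` (its body is outside this hunk) can return a dict without a `pki` key, the commit fails with a `KeyError` rather than a `ConfigError`; `pki = lb.get('pki', {})` at the top keeps the failure path uniform. The helper only proves that a name is defined in the PKI, not that the entry holds usable certificate or key material, which is worth stating in a docstring such as `"""Raise ConfigError if a CA or certificate named under config['ssl'] is not defined in lb['pki']."""`. The three f-strings without placeholders can be plain string literals.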
@@ -83,6 +106,15 @@ def verify(lb):
if {'send_proxy', 'send_proxy_v2'} <= set(bk_server_conf):
raise ConfigError(f'Cannot use both "send-proxy" and "send-proxy-v2" for server "{bk_server}"')
+ for front, front_config in lb['service'].items():
+ if 'ssl' in front_config:
+ _verify_cert(lb, front_config)
+
+ for back, back_config in lb['backend'].items():
+ if 'ssl' in back_config:
+ _verify_cert(lb, back_config)
+
+
def generate(lb):
if not lb:
# Delete /run/haproxy/haproxy.cfg
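Review bot: The loop variables `front` and `back` in the two added loops are never used, so `for front_config in lb['service'].values():` and `for back_config in lb['backend'].values():` state the intent more directly. Both keys are indexed without a guard, and whether `verify` has already established that `service` and `backend` exist cannot be seen from this hunk, so confirm that a configuration defining only one of them does not end in a `KeyError` here. Indentation is lost in this rendering, so it is also worth confirming that the loops sit at function level and not inside the preceding backend-server loop. `verify` starts before and continues past the hunk.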
diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py
index f1c59cbde..512fa26e9 100755
--- a/src/conf_mode/protocols_bgp.py
+++ b/src/conf_mode/protocols_bgp.py
@@ -450,15 +450,15 @@ def verify(bgp):
verify_route_map(afi_config['route_map'][tmp], bgp)
if 'route_reflector_client' in afi_config:
- if 'remote_as' in peer_config and peer_config['remote_as'] != 'internal' and peer_config['remote_as'] != bgp['system_as']:
+ peer_group_as = peer_config.get('remote_as')
+
+ if peer_group_as is None or (peer_group_as != 'internal' and peer_group_as != bgp['system_as']):
raise ConfigError('route-reflector-client only supported for iBGP peers')
else:
if 'peer_group' in peer_config:
peer_group_as = dict_search(f'peer_group.{peer_group}.remote_as', bgp)
- if peer_group_as != None and peer_group_as != 'internal' and peer_group_as != bgp['system_as']:
+ if peer_group_as is None or (peer_group_as != 'internal' and peer_group_as != bgp['system_as']):
raise ConfigError('route-reflector-client only supported for iBGP peers')
- else:
- raise ConfigError('route-reflector-client only supported for iBGP peers')
# Throw an error if a peer group is not configured for allow range
for prefix in dict_search('listen.range', bgp) or []:
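Review bot: The new first condition raises as soon as `peer_config.get('remote_as')` is `None`, which appears to reject a neighbor that sets `route-reflector-client` and inherits its remote AS from a peer-group, because the peer-group lookup in the `else:` branch is then never reached (nesting is inferred, as indentation is lost in this rendering). If that inheritance is meant to be supported, the first test should only reject an explicit non-iBGP value, `if peer_as is not None and peer_as != 'internal' and peer_as != bgp['system_as']:`, and leave the `None` case to the peer-group check. Reusing the name `peer_group_as` for the neighbor's own `remote_as` also makes the two checks harder to tell apart; `peer_as` would be clearer. The `peer_group` name used in the `dict_search` path is assigned outside the hunk, and `verify` continues on both sides of it.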
diff --git a/src/conf_mode/service_dhcp-server.py b/src/conf_mode/service_dhcp-server.py
index ba3d69b07..bf4454fda 100755
--- a/src/conf_mode/service_dhcp-server.py
+++ b/src/conf_mode/service_dhcp-server.py
@@ -316,7 +316,7 @@ def verify(dhcp):
raise ConfigError(f'Invalid CA certificate specified for DHCP high-availability')
for address in (dict_search('listen_address', dhcp) or []):
- if is_addr_assigned(address):
+ if is_addr_assigned(address, include_vrf=True):
listen_ok = True
# no need to probe further networks, we have one that is valid
continue
diff --git a/src/conf_mode/system_host-name.py b/src/conf_mode/system_host-name.py
index 6204cf247..8975cadb6 100755
--- a/src/conf_mode/system_host-name.py
+++ b/src/conf_mode/system_host-name.py
@@ -71,9 +71,9 @@ def get_config(config=None):
hosts['nameserver'].append(ns)
else:
tmp = ''
- if_type = Section.section(ns)
- if conf.exists(['interfaces', if_type, ns, 'address']):
- tmp = conf.return_values(['interfaces', if_type, ns, 'address'])
+ config_path = Section.get_config_path(ns)
+ if conf.exists(['interfaces', config_path, 'address']):
+ tmp = conf.return_values(['interfaces', config_path, 'address'])
hosts['nameservers_dhcp_interfaces'].update({ ns : tmp })
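Review bot: The value returned by `Section.get_config_path(ns)` goes straight into the path list passed to `conf.exists` and `conf.return_values` without being checked. If the helper can return a falsy value for an interface name it does not recognise (its implementation is not shown on this page), that value becomes a path element; guarding with `if config_path and conf.exists(['interfaces', config_path, 'address']):` keeps `tmp` at `''` in that case. A short comment such as `# config_path covers the interface type, name and any vif levels` would also explain why a single element replaces the former `if_type, ns` pair. `get_config` starts before and continues past the hunk.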