pki: T7122: when ACME listen-address is used - check if port is available

When instructing certbot to listen on a given address, check if the address is
free to use. Also take this into account when spawning certbot behind HAProxy.
If the address is not (yet) bound - the request must be done in standalone mode
and not via the reverse-proxy.

3 files changed, 17 insertions, 10 deletions

diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2
index 7a6b86c10..62934c612 100644
--- a/data/templates/load-balancing/haproxy.cfg.j2
+++ b/data/templates/load-balancing/haproxy.cfg.j2
@@ -50,6 +50,10 @@ defaults
     errorfile 503 /etc/haproxy/errors/503.http
     errorfile 504 /etc/haproxy/errors/504.http
 
+# Default ACME backend
+backend buildin_acme_certbot
+    server localhost 127.0.0.1:{{ get_default_port('certbot_haproxy') }}
+
 # Frontend
 {% if service is vyos_defined %}
 {%     for front, front_config in service.items() %}
@@ -65,11 +69,8 @@ frontend {{ front }}-http
     bind [::]:80 v4v6
 {%             endif %}
     acl acme_acl path_beg /.well-known/acme-challenge/
-    use_backend {{ certbot_backend_name }} if acme_acl
+    use_backend buildin_acme_certbot if acme_acl
     redirect scheme https code 301 if !acme_acl
-
-backend {{ certbot_backend_name }}
-    server acme_{{ front }} 127.0.0.1:{{ get_default_port('certbot_haproxy') }}
 {%         endif %}
 
 frontend {{ front }}
diff --git a/smoketest/scripts/cli/test_load-balancing_haproxy.py b/smoketest/scripts/cli/test_load-balancing_haproxy.py
index 6a410ffde..833e0a92b 100755
--- a/smoketest/scripts/cli/test_load-balancing_haproxy.py
+++ b/smoketest/scripts/cli/test_load-balancing_haproxy.py
@@ -603,13 +603,13 @@ class TestLoadBalancingReverseProxy(VyOSUnitTestSHIM.TestCase):
         self.assertIn('mode http', config[frontend_name])
         self.assertIn('bind [::]:80 v4v6', config[frontend_name])
         self.assertIn('acl acme_acl path_beg /.well-known/acme-challenge/', config[frontend_name])
-        self.assertIn(f'use_backend certbot_{haproxy_service_name}_backend if acme_acl', config[frontend_name])
+        self.assertIn('use_backend buildin_acme_certbot if acme_acl', config[frontend_name])
         self.assertIn('redirect scheme https code 301 if !acme_acl', config[frontend_name])
 
-        backend_name = f'backend certbot_{haproxy_service_name}_backend'
+        backend_name = 'backend buildin_acme_certbot'
         self.assertIn(backend_name, config.keys())
         port = get_default_port('certbot_haproxy')
-        self.assertIn(f'server acme_https_front 127.0.0.1:{port}', config[backend_name])
+        self.assertIn(f'server localhost 127.0.0.1:{port}', config[backend_name])
 
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/src/conf_mode/pki.py b/src/conf_mode/pki.py
index 7ee1705c0..869518dd9 100755
--- a/src/conf_mode/pki.py
+++ b/src/conf_mode/pki.py
@@ -133,13 +133,19 @@ def certbot_request(name: str, config: dict, dry_run: bool=True):
           f'--standalone --agree-tos --no-eff-email --expand --server {config["url"]} '\
           f'--email {config["email"]} --key-type rsa --rsa-key-size {config["rsa_key_size"]} '\
           f'{domains}'
+
+    listen_address = None
+    if 'listen_address' in config:
+        listen_address = config['listen_address']
+
     # When ACME is used behind a reverse proxy, we always bind to localhost
     # whatever the CLI listen-address is configured for.
     if ('haproxy' in dict_search('used_by', config) and
-        is_systemd_service_running(systemd_services['haproxy'])):
+        is_systemd_service_running(systemd_services['haproxy']) and
+        not check_port_availability(listen_address, 80)):
         tmp += f' --http-01-address 127.0.0.1 --http-01-port {internal_ports["certbot_haproxy"]}'
-    elif 'listen_address' in config:
-        tmp += f' --http-01-address {config["listen_address"]}'
+    elif listen_address:
+        tmp += f' --http-01-address {listen_address}'
 
     # verify() does not need to actually request a cert but only test for plausability
     if dry_run: