authorChristian Breunig <christian@breunig.cc>2025-05-04 22:08:13 +0200
committerChristian Breunig <christian@breunig.cc>2025-05-05 17:22:57 +0200
commit59d86826a2ffb2df6a0ce603c879e541a4fe88ba (patch)
tree75ce7c42e76aaf4e4ec0551311f6a554977d9c51 /src
parentc05edd62cf1120fb14b66ca0377061a59a9d00db (diff)
haproxy: T7122: add ACME/certbot bootstrap support
When both the CLI PKI node for an ACME-issued certificate and HAProxy are configured during initial setup, the certbot challenge cannot be served via the reverse proxy because HAProxy has not yet been configured at all. This commit introduces a special case to handle this bootstrap scenario, ensuring that the certbot challenge can still be served correctly in standalone mode on port 80 despite initial config dependencies/priorities between PKI and HAProxy.
Diffstat (limited to 'src')
-rw-r--r--src/conf_mode/load-balancing_haproxy.py10
-rwxr-xr-xsrc/conf_mode/pki.py5
2 files changed, 9 insertions, 6 deletions
diff --git a/src/conf_mode/load-balancing_haproxy.py b/src/conf_mode/load-balancing_haproxy.py
index 0e959480c..504a90596 100644
--- a/src/conf_mode/load-balancing_haproxy.py
+++ b/src/conf_mode/load-balancing_haproxy.py
@@ -19,6 +19,7 @@ import os
from sys import exit
from shutil import rmtree
+from vyos.defaults import systemd_services
from vyos.config import Config
from vyos.configverify import verify_pki_certificate
from vyos.configverify import verify_pki_ca_certificate
@@ -39,7 +40,6 @@ airbag.enable()
load_balancing_dir = '/run/haproxy'
load_balancing_conf_file = f'{load_balancing_dir}/haproxy.cfg'
-systemd_service = 'haproxy.service'
systemd_override = '/run/systemd/system/haproxy.service.d/10-override.conf'
def get_config(config=None):
@@ -191,11 +191,11 @@ def generate(lb):
return None
def apply(lb):
+ action = 'stop'
+ if lb:
+ action = 'reload-or-restart'
call('systemctl daemon-reload')
- if not lb:
- call(f'systemctl stop {systemd_service}')
- else:
- call(f'systemctl reload-or-restart {systemd_service}')
+ call(f'systemctl {action} {systemd_services["haproxy"]}')
return None
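Review bot: apply() still has no docstring, and the new `action` variable makes its contract easy to state; add `"""Stop haproxy.service when the load-balancing node is removed (falsy lb), otherwise daemon-reload and reload-or-restart it with the generated config."""` directly under `def apply(lb):`. The `systemctl daemon-reload` runs on both paths, as it did before the change, so the refactor implies no behaviour change worth a further note.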
diff --git a/src/conf_mode/pki.py b/src/conf_mode/pki.py
index f53e5db8b..7ee1705c0 100755
--- a/src/conf_mode/pki.py
+++ b/src/conf_mode/pki.py
@@ -29,6 +29,7 @@ from vyos.configdiff import Diff
from vyos.configdiff import get_config_diff
from vyos.defaults import directories
from vyos.defaults import internal_ports
+from vyos.defaults import systemd_services
from vyos.pki import encode_certificate
from vyos.pki import is_ca_certificate
from vyos.pki import load_certificate
@@ -48,6 +49,7 @@ from vyos.utils.network import check_port_availability
from vyos.utils.process import call
from vyos.utils.process import cmd
from vyos.utils.process import is_systemd_service_active
+from vyos.utils.process import is_systemd_service_running
from vyos import ConfigError
from vyos import airbag
airbag.enable()
@@ -133,7 +135,8 @@ def certbot_request(name: str, config: dict, dry_run: bool=True):
f'{domains}'
# When ACME is used behind a reverse proxy, we always bind to localhost
# whatever the CLI listen-address is configured for.
- if 'used_by' in config and 'haproxy' in config['used_by']:
+ if ('haproxy' in dict_search('used_by', config) and
+ is_systemd_service_running(systemd_services['haproxy'])):
tmp += f' --http-01-address 127.0.0.1 --http-01-port {internal_ports["certbot_haproxy"]}'
elif 'listen_address' in config:
tmp += f' --http-01-address {config["listen_address"]}'
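Review bot: The new guard `if ('haproxy' in dict_search('used_by', config) and` can raise instead of falling through when the certificate has no `used_by` node: if `dict_search` returns None for a missing path (as the VyOS helper appears to), `'haproxy' in None` is a TypeError, whereas the replaced `'used_by' in config and ...` check handled that case. Guard the lookup with a default, e.g. `if ('haproxy' in (dict_search('used_by', config) or []) and`. Separately, the bind decision now depends on whether haproxy.service is running at the moment of the request rather than on whether its generated config already carries the ACME frontend, so a running-but-stale HAProxy would send the challenge to a localhost port nothing forwards to; emitting a warning that names the chosen mode (proxied vs. listen_address/standalone) would make a failed challenge diagnosable, and it is worth confirming the standalone fallback still passes through the port-availability check imported above. certbot_request's body starts before and continues past this hunk.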