-rw-r--r-- | data/templates/load-balancing/haproxy.cfg.j2 | 9 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_load-balancing_haproxy.py | 6 | ||||
-rwxr-xr-x | src/conf_mode/pki.py | 12 |
3 files changed, 17 insertions, 10 deletions
diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2
index 7a6b86c10..62934c612 100644
--- a/data/templates/load-balancing/haproxy.cfg.j2
+++ b/data/templates/load-balancing/haproxy.cfg.j2
@@ -50,6 +50,10 @@ defaults
 errorfile 503 /etc/haproxy/errors/503.http
 errorfile 504 /etc/haproxy/errors/504.http
+# Default ACME backend
+backend buildin_acme_certbot
+ server localhost 127.0.0.1:{{ get_default_port('certbot_haproxy') }}
+
 # Frontend
 {% if service is vyos_defined %}
 {% for front, front_config in service.items() %}
@@ -65,11 +69,8 @@ frontend {{ front }}-http
 bind [::]:80 v4v6
 {% endif %}
 acl acme_acl path_beg /.well-known/acme-challenge/
- use_backend {{ certbot_backend_name }} if acme_acl
+ use_backend buildin_acme_certbot if acme_acl
 redirect scheme https code 301 if !acme_acl
-
-backend {{ certbot_backend_name }}
- server acme_{{ front }} 127.0.0.1:{{ get_default_port('certbot_haproxy') }}
 {% endif %}
 frontend {{ front }}
diff --git a/smoketest/scripts/cli/test_load-balancing_haproxy.py b/smoketest/scripts/cli/test_load-balancing_haproxy.py
index 6a410ffde..833e0a92b 100755
--- a/smoketest/scripts/cli/test_load-balancing_haproxy.py
+++ b/smoketest/scripts/cli/test_load-balancing_haproxy.py
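Review bot: The new backend name `buildin_acme_certbot` reads as a misspelling of "builtin"; because the name is now hard-coded in the template, asserted verbatim by the smoketest and visible in haproxy stats and logs, it is worth correcting to `builtin_acme_certbot` before users and tooling start depending on it. The backend is also emitted unconditionally right after `defaults`, even when `service` is undefined or no frontend references it, which haproxy accepts but which differs from the removed per-frontend backend; either a `{% if %}` guard or a comment such as `# Always defined so every http frontend can share it for ACME HTTP-01 challenges` would make that intent explicit. If the conf-mode script still passes `certbot_backend_name` into this template, it appears to be unused after this change, though that file is not in this diff.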
@@ -603,13 +603,13 @@ class TestLoadBalancingReverseProxy(VyOSUnitTestSHIM.TestCase):
 self.assertIn('mode http', config[frontend_name])
 self.assertIn('bind [::]:80 v4v6', config[frontend_name])
 self.assertIn('acl acme_acl path_beg /.well-known/acme-challenge/', config[frontend_name])
- self.assertIn(f'use_backend certbot_{haproxy_service_name}_backend if acme_acl', config[frontend_name])
+ self.assertIn('use_backend buildin_acme_certbot if acme_acl', config[frontend_name])
 self.assertIn('redirect scheme https code 301 if !acme_acl', config[frontend_name])
- backend_name = f'backend certbot_{haproxy_service_name}_backend'
+ backend_name = 'backend buildin_acme_certbot'
 self.assertIn(backend_name, config.keys())
 port = get_default_port('certbot_haproxy')
- self.assertIn(f'server acme_https_front 127.0.0.1:{port}', config[backend_name])
+ self.assertIn(f'server localhost 127.0.0.1:{port}', config[backend_name])
 if __name__ == '__main__':
 unittest.main(verbosity=2)
diff --git a/src/conf_mode/pki.py b/src/conf_mode/pki.py
index 7ee1705c0..869518dd9 100755
--- a/src/conf_mode/pki.py
+++ b/src/conf_mode/pki.py
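Review bot: The updated assertions pin the renamed backend and its `server localhost` line, but nothing in this commit exercises the new decision in src/conf_mode/pki.py that picks the localhost binding only when port 80 is not available; a smoketest that configures a certificate with `used_by haproxy` and checks the generated certbot arguments both with and without a listen-address would cover that branch. The `backend_name` string is duplicated between the `use_backend` assertion and the key lookup; hoisting the name into one local, `acme_backend = 'buildin_acme_certbot'`, keeps the test in sync if it is renamed again. The enclosing test method starts outside the hunk.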
@@ -133,13 +133,19 @@ def certbot_request(name: str, config: dict, dry_run: bool=True):
 f'--standalone --agree-tos --no-eff-email --expand --server {config["url"]} '\
 f'--email {config["email"]} --key-type rsa --rsa-key-size {config["rsa_key_size"]} '\
 f'{domains}'
+
+ listen_address = None
+ if 'listen_address' in config:
+ listen_address = config['listen_address']
+
 # When ACME is used behind a reverse proxy, we always bind to localhost
 # whatever the CLI listen-address is configured for.
 if ('haproxy' in dict_search('used_by', config) and
- is_systemd_service_running(systemd_services['haproxy'])):
+ is_systemd_service_running(systemd_services['haproxy']) and
+ not check_port_availability(listen_address, 80)):
 tmp += f' --http-01-address 127.0.0.1 --http-01-port {internal_ports["certbot_haproxy"]}'
- elif 'listen_address' in config:
- tmp += f' --http-01-address {config["listen_address"]}'
+ elif listen_address:
+ tmp += f' --http-01-address {listen_address}'
 # verify() does not need to actually request a cert but only test for plausability
 if dry_run: |
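Review bot: The comment `# When ACME is used behind a reverse proxy, we always bind to localhost` is now stale: after this hunk the localhost binding is chosen only when haproxy is running and port 80 on `listen_address` is not available, otherwise the code falls through to `--http-01-address {listen_address}` or to no address flag at all, so the two comment lines should say something like `# If haproxy is running and already holds port 80, bind certbot to localhost on the internal port so haproxy can proxy the challenge; otherwise bind standalone to the configured listen-address.` `check_port_availability(listen_address, 80)` is also called with `listen_address` set to None whenever no listen-address is configured; whether the helper accepts None is not visible here and should be confirmed, because an exception there would break every haproxy-backed certificate request that has no listen-address. Keep in mind the probe is point-in-time, so a port that is free at check time but taken before certbot starts makes the standalone bind fail instead of falling back. The `listen_address = None` plus `if 'listen_address' in config` pair can be written as `listen_address = config.get('listen_address')`. certbot_request continues outside the hunk.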