1 files changed, 16 insertions, 7 deletions

diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index be4380462..cd5073aa2 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -23,16 +23,19 @@ import vyos.defaults
 import vyos.certbot_util
 
 from vyos.config import Config
+from vyos.configverify import verify_vrf
 from vyos import ConfigError
 from vyos.pki import wrap_certificate
 from vyos.pki import wrap_private_key
 from vyos.template import render
 from vyos.util import call
+from vyos.util import write_file
 
 from vyos import airbag
 airbag.enable()
 
 config_file = '/etc/nginx/sites-available/default'
+systemd_override = r'/etc/systemd/system/nginx.service.d/override.conf'
 cert_dir = '/etc/ssl/certs'
 key_dir = '/etc/ssl/private'
 certbot_dir = vyos.defaults.directories['certbot']
@@ -102,6 +105,8 @@ def verify(https):
             if not domains_found:
                 raise ConfigError("At least one 'virtual-host <id> server-name' "
                               "matching the 'certbot domain-name' is required.")
+
+    verify_vrf(https)
     return None
 
 def generate(https):
@@ -139,15 +144,17 @@ def generate(https):
         cert_path = os.path.join(cert_dir, f'{cert_name}.pem')
         key_path = os.path.join(key_dir, f'{cert_name}.pem')
 
-        with open(cert_path, 'w') as f:
-            f.write(wrap_certificate(pki_cert['certificate']))
+        server_cert = str(wrap_certificate(pki_cert['certificate']))
+        if 'ca-certificate' in cert_dict:
+            ca_cert = cert_dict['ca-certificate']
+            server_cert += '\n' + str(wrap_certificate(https['pki']['ca'][ca_cert]['certificate']))
 
-        with open(key_path, 'w') as f:
-            f.write(wrap_private_key(pki_cert['private']['key']))
+        write_file(cert_path, server_cert)
+        write_file(key_path, wrap_private_key(pki_cert['private']['key']))
 
         vyos_cert_data = {
-            "crt": cert_path,
-            "key": key_path
+            'crt': cert_path,
+            'key': key_path
         }
 
         for block in server_block_list:
@@ -205,10 +212,12 @@ def generate(https):
     }
 
     render(config_file, 'https/nginx.default.tmpl', data)
-
+    render(systemd_override, 'https/override.conf.tmpl', https)
     return None
 
 def apply(https):
+    # Reload systemd manager configuration
+    call('systemctl daemon-reload')
     if https is not None:
         call('systemctl restart nginx.service')
     else: