1 files changed, 21 insertions, 9 deletions

diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index be4380462..37fa36797 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -23,16 +23,19 @@ import vyos.defaults
 import vyos.certbot_util
 
 from vyos.config import Config
+from vyos.configverify import verify_vrf
 from vyos import ConfigError
 from vyos.pki import wrap_certificate
 from vyos.pki import wrap_private_key
 from vyos.template import render
 from vyos.util import call
+from vyos.util import write_file
 
 from vyos import airbag
 airbag.enable()
 
 config_file = '/etc/nginx/sites-available/default'
+systemd_override = r'/etc/systemd/system/nginx.service.d/override.conf'
 cert_dir = '/etc/ssl/certs'
 key_dir = '/etc/ssl/private'
 certbot_dir = vyos.defaults.directories['certbot']
@@ -58,10 +61,11 @@ def get_config(config=None):
     else:
         conf = Config()
 
-    if not conf.exists('service https'):
+    base = ['service', 'https']
+    if not conf.exists(base):
         return None
 
-    https = conf.get_config_dict('service https', get_first_key=True)
+    https = conf.get_config_dict(base, get_first_key=True)
 
     if https:
         https['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
@@ -102,6 +106,8 @@ def verify(https):
             if not domains_found:
                 raise ConfigError("At least one 'virtual-host <id> server-name' "
                               "matching the 'certbot domain-name' is required.")
+
+    verify_vrf(https)
     return None
 
 def generate(https):
@@ -139,15 +145,17 @@ def generate(https):
         cert_path = os.path.join(cert_dir, f'{cert_name}.pem')
         key_path = os.path.join(key_dir, f'{cert_name}.pem')
 
-        with open(cert_path, 'w') as f:
-            f.write(wrap_certificate(pki_cert['certificate']))
+        server_cert = str(wrap_certificate(pki_cert['certificate']))
+        if 'ca-certificate' in cert_dict:
+            ca_cert = cert_dict['ca-certificate']
+            server_cert += '\n' + str(wrap_certificate(https['pki']['ca'][ca_cert]['certificate']))
 
-        with open(key_path, 'w') as f:
-            f.write(wrap_private_key(pki_cert['private']['key']))
+        write_file(cert_path, server_cert)
+        write_file(key_path, wrap_private_key(pki_cert['private']['key']))
 
         vyos_cert_data = {
-            "crt": cert_path,
-            "key": key_path
+            'crt': cert_path,
+            'key': key_path
         }
 
         for block in server_block_list:
@@ -184,6 +192,8 @@ def generate(https):
         vhosts = https.get('api-restrict', {}).get('virtual-host', [])
         if vhosts:
             api_data['vhost'] = vhosts[:]
+        if 'socket' in list(api_settings):
+            api_data['socket'] = True
 
     if api_data:
         vhost_list = api_data.get('vhost', [])
@@ -205,10 +215,12 @@ def generate(https):
     }
 
     render(config_file, 'https/nginx.default.tmpl', data)
-
+    render(systemd_override, 'https/override.conf.tmpl', https)
     return None
 
 def apply(https):
+    # Reload systemd manager configuration
+    call('systemctl daemon-reload')
     if https is not None:
         call('systemctl restart nginx.service')
     else: