certbot: verify generated combined certificate file for HAProxy

This commit is contained in:
Jérémy Lecour 2019-09-27 09:47:51 +02:00 committed by Jérémy Lecour
parent 86108999c1
commit 3521d4a765
1 changed files with 9 additions and 0 deletions

View File

@ -22,12 +22,21 @@ haproxy_bin=$(command -v haproxy)
if [ -n "$(pidof haproxy)" ] && [ -n "${haproxy_bin}" ]; then
if [ -f "${RENEWED_LINEAGE}/fullchain.pem" ] && [ -f "${RENEWED_LINEAGE}/privkey.pem" ]; then
haproxy_cert_file="/etc/ssl/haproxy/$(basename "${RENEWED_LINEAGE}").pem"
failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
debug "Concatenating certificate files to ${haproxy_cert_file}"
cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}"
chmod 600 "${haproxy_cert_file}"
chown root: "${haproxy_cert_file}"
haproxy_cert_md5=$(openssl x509 -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
haproxy_key_md5=$(openssl rsa -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
if [ "${haproxy_cert_md5}" != "${haproxy_key_md5}" ]; then
mv "${haproxy_cert_file}" "${failed_cert_file}"
error "Key and cert don't match, we moved the file to ${failed_cert_file} for inspection"
fi
if ${haproxy_bin} -c -f /etc/haproxy/haproxy.cfg > /dev/null; then
debug "HAProxy detected... reloading"
systemctl reload apache2