certbot: verify generated combined certificate file for HAProxy
This commit is contained in:
parent
86108999c1
commit
3521d4a765
|
@ -22,12 +22,21 @@ haproxy_bin=$(command -v haproxy)
|
||||||
if [ -n "$(pidof haproxy)" ] && [ -n "${haproxy_bin}" ]; then
|
if [ -n "$(pidof haproxy)" ] && [ -n "${haproxy_bin}" ]; then
|
||||||
if [ -f "${RENEWED_LINEAGE}/fullchain.pem" ] && [ -f "${RENEWED_LINEAGE}/privkey.pem" ]; then
|
if [ -f "${RENEWED_LINEAGE}/fullchain.pem" ] && [ -f "${RENEWED_LINEAGE}/privkey.pem" ]; then
|
||||||
haproxy_cert_file="/etc/ssl/haproxy/$(basename "${RENEWED_LINEAGE}").pem"
|
haproxy_cert_file="/etc/ssl/haproxy/$(basename "${RENEWED_LINEAGE}").pem"
|
||||||
|
failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
|
||||||
|
|
||||||
debug "Concatenating certificate files to ${haproxy_cert_file}"
|
debug "Concatenating certificate files to ${haproxy_cert_file}"
|
||||||
cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}"
|
cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}"
|
||||||
chmod 600 "${haproxy_cert_file}"
|
chmod 600 "${haproxy_cert_file}"
|
||||||
chown root: "${haproxy_cert_file}"
|
chown root: "${haproxy_cert_file}"
|
||||||
|
|
||||||
|
haproxy_cert_md5=$(openssl x509 -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
|
||||||
|
haproxy_key_md5=$(openssl rsa -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
|
||||||
|
|
||||||
|
if [ "${haproxy_cert_md5}" != "${haproxy_key_md5}" ]; then
|
||||||
|
mv "${haproxy_cert_file}" "${failed_cert_file}"
|
||||||
|
error "Key and cert don't match, we moved the file to ${failed_cert_file} for inspection"
|
||||||
|
fi
|
||||||
|
|
||||||
if ${haproxy_bin} -c -f /etc/haproxy/haproxy.cfg > /dev/null; then
|
if ${haproxy_bin} -c -f /etc/haproxy/haproxy.cfg > /dev/null; then
|
||||||
debug "HAProxy detected... reloading"
|
debug "HAProxy detected... reloading"
|
||||||
systemctl reload apache2
|
systemctl reload apache2
|
||||||
|
|
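Review bot: The modulus comparison added before the `haproxy -c` check only works for RSA lineages: `openssl x509 -modulus` has no modulus to print for an EC certificate and `openssl rsa` cannot read an EC key, so an ECDSA renewal (certbot's default key type for new lineages in recent releases) would be reported as a mismatch and moved away, and because each side is piped through `openssl md5` a failing openssl call is masked, two unreadable halves hash identically, and a corrupt file passes. A second problem is that the combined file is written to its live path before it is verified, so the working certificate is overwritten by `cat` and then removed by `mv` on a mismatch, leaving HAProxy with no file for that lineage. Building the file with `mktemp` next to the destination, comparing the PEM public keys from `openssl x509 -noout -pubkey` and `openssl pkey -pubout` (key-type independent, with the exit status of each call captured directly), and renaming into place only after the check keeps the previous certificate intact on failure; since it is not visible here whether `error` exits, the else branch below is what makes the following reload act on a verified file. The `fi` lines closing the two enclosing `if` blocks lie outside the hunk.
```shell
failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
# Build the combined file next to its destination and only rename it into place
# after verification, so a bad renewal never replaces the working certificate.
tmp_cert_file=$(mktemp "${haproxy_cert_file}.XXXXXX")
cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${tmp_cert_file}"
chmod 600 "${tmp_cert_file}"
chown root: "${tmp_cert_file}"
# Compare public keys (RSA and ECDSA alike); a failed openssl call leaves the variable empty.
cert_pub=$(openssl x509 -noout -pubkey -in "${tmp_cert_file}") || cert_pub=
key_pub=$(openssl pkey -in "${tmp_cert_file}" -pubout) || key_pub=
if [ -z "${cert_pub}" ] || [ "${cert_pub}" != "${key_pub}" ]; then
    mv "${tmp_cert_file}" "${failed_cert_file}"
    error "Key and cert don't match, we moved the file to ${failed_cert_file} for inspection"
else
    mv "${tmp_cert_file}" "${haproxy_cert_file}"
fi
# … unchanged: haproxy config check and reload …
```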