certbot: verify generated combined certificate file for HAProxy
This commit is contained in:
parent
86108999c1
commit
3521d4a765
|
@ -22,12 +22,21 @@ haproxy_bin=$(command -v haproxy)
|
|||
if [ -n "$(pidof haproxy)" ] && [ -n "${haproxy_bin}" ]; then
|
||||
if [ -f "${RENEWED_LINEAGE}/fullchain.pem" ] && [ -f "${RENEWED_LINEAGE}/privkey.pem" ]; then
|
||||
haproxy_cert_file="/etc/ssl/haproxy/$(basename "${RENEWED_LINEAGE}").pem"
|
||||
failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
|
||||
|
||||
debug "Concatenating certificate files to ${haproxy_cert_file}"
|
||||
cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}"
|
||||
chmod 600 "${haproxy_cert_file}"
|
||||
chown root: "${haproxy_cert_file}"
|
||||
|
||||
haproxy_cert_md5=$(openssl x509 -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
|
||||
haproxy_key_md5=$(openssl rsa -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
|
||||
|
||||
if [ "${haproxy_cert_md5}" != "${haproxy_key_md5}" ]; then
|
||||
mv "${haproxy_cert_file}" "${failed_cert_file}"
|
||||
error "Key and cert don't match, we moved the file to ${failed_cert_file} for inspection"
|
||||
fi
|
||||
|
||||
if ${haproxy_bin} -c -f /etc/haproxy/haproxy.cfg > /dev/null; then
|
||||
debug "HAProxy detected... reloading"
|
||||
systemctl reload apache2
|
||||
|
|
Loading…
Reference in a new issue