certbot: check syntax in hooks just before reload

This commit is contained in:
Jérémy Lecour 2019-09-27 09:31:22 +02:00 committed by Jérémy Lecour
parent 394e28b815
commit 86108999c1
5 changed files with 45 additions and 40 deletions


@ -13,18 +13,19 @@ debug() {
fi fi
} }
if [ -n "$(pidof apache2)" ]; then apache2ctl_bin=$(command -v apache2ctl)
apache2ctl_bin=$(command -v apache2ctl)
if ${apache2ctl_bin} configtest > /dev/null; then if [ -n "$(pidof apache2)" ] && [ -n "${apache2ctl_bin}" ]; then
if grep --dereference-recursive -E "^\s*SSLCertificate" /etc/apache2/sites-enabled | grep -q "letsencrypt"; then if grep -r -E "letsencrypt" /etc/apache2/; then
if ${apache2ctl_bin} configtest > /dev/null; then
debug "Apache detected... reloading" debug "Apache detected... reloading"
systemctl reload apache2 systemctl reload apache2
else else
debug "Apache doesn't use Let's Encrypt certificate. Skip." error "Apache config is broken, you must fix it !"
fi fi
else else
error "Apache config is broken, you must fix it !" debug "Apache doesn't use Let's Encrypt certificate. Skip."
fi fi
else else
debug "Apache is not running. Skip." debug "Apache is not running or missing. Skip."
fi fi
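Review bot: The new detection line `if grep -r -E "letsencrypt" /etc/apache2/; then` drops both `-q` and the `^\s*SSLCertificate` anchor, so every matching line is echoed to the hook's stdout and any occurrence of "letsencrypt" under /etc/apache2/ (a comment, a site in sites-available that is not enabled, an unrelated directive) now triggers a reload. The nginx hook has the same broadening, also without `-q`, on its `grep --dereference-recursive -E "letsencrypt" /etc/nginx/sites-enabled` line. Keeping the directive anchor and the quiet flag preserves the new ordering while restoring the old precision: `if grep --dereference-recursive -E "^\s*SSLCertificate" /etc/apache2/sites-enabled | grep -q "letsencrypt"; then`. The debug()/error() helpers this block relies on are defined before the hunk.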


@ -13,18 +13,19 @@ debug() {
fi fi
} }
if [ -n "$(pidof dovecot)" ]; then doveconf_bin=$(command -v doveconf)
doveconf_bin=$(command -v doveconf)
if ${doveconf_bin} > /dev/null; then if [ -n "$(pidof dovecot)" ] && [ -n "${doveconf_bin}" ]; then
if ${doveconf_bin} | grep -E "^ssl_cert[^_]" | grep -q "letsencrypt"; then if ${doveconf_bin} | grep -E "^ssl_cert[^_]" | grep -q "letsencrypt"; then
if ${doveconf_bin} > /dev/null; then
debug "Dovecot detected... reloading" debug "Dovecot detected... reloading"
systemctl reload dovecot systemctl reload dovecot
else else
debug "Dovecot doesn't use Let's Encrypt certificate. Skip." error "Dovecot config is broken, you must fix it !"
fi fi
else else
error "Dovecot config is broken, you must fix it !" debug "Dovecot doesn't use Let's Encrypt certificate. Skip."
fi fi
else else
debug "Dovecot is not running. Skip." debug "Dovecot is not running or missing. Skip."
fi fi
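Review bot: After the reorder, the syntax check `if ${doveconf_bin} > /dev/null; then` is reachable only once `${doveconf_bin} | grep -E "^ssl_cert[^_]" | grep -q "letsencrypt"` has succeeded, and that pipeline's status is the final grep's, so a doveconf that fails on a broken config will most likely print no ssl_cert line and the hook ends in the "Dovecot doesn't use Let's Encrypt certificate. Skip." debug branch rather than the "config is broken" error the commit adds. The postfix hook has the same shape with `${postconf_bin}`. Capturing the dump once and checking its status before grepping keeps the error reachable: `dovecot_conf=$(${doveconf_bin}) || error "Dovecot config is broken, you must fix it !"` followed by `if printf '%s\n' "${dovecot_conf}" | grep -E "^ssl_cert[^_]" | grep -q "letsencrypt"; then`. The script's helpers and any `set` options are outside the hunk.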


@ -17,25 +17,26 @@ if [ -z "${RENEWED_LINEAGE}" ]; then
error "This script must be called only by certbot!" error "This script must be called only by certbot!"
fi fi
if [ -n "$(pidof haproxy)" ]; then haproxy_bin=$(command -v haproxy)
haproxy_bin=$(command -v haproxy)
if ${haproxy_bin} -c -f /etc/haproxy/haproxy.cfg > /dev/null; then
if [ -f "${RENEWED_LINEAGE}/fullchain.pem" ] && [ -f "${RENEWED_LINEAGE}/privkey.pem" ]; then
haproxy_cert_file="/etc/ssl/haproxy/$(basename "${RENEWED_LINEAGE}").pem"
debug "Concatenating certificate files to ${haproxy_cert_file}" if [ -n "$(pidof haproxy)" ] && [ -n "${haproxy_bin}" ]; then
cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}" if [ -f "${RENEWED_LINEAGE}/fullchain.pem" ] && [ -f "${RENEWED_LINEAGE}/privkey.pem" ]; then
chmod 600 "${haproxy_cert_file}" haproxy_cert_file="/etc/ssl/haproxy/$(basename "${RENEWED_LINEAGE}").pem"
chown root: "${haproxy_cert_file}"
debug "Concatenating certificate files to ${haproxy_cert_file}"
cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}"
chmod 600 "${haproxy_cert_file}"
chown root: "${haproxy_cert_file}"
if ${haproxy_bin} -c -f /etc/haproxy/haproxy.cfg > /dev/null; then
debug "HAProxy detected... reloading" debug "HAProxy detected... reloading"
systemctl reload apache2 systemctl reload apache2
else else
error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem" error "HAProxy config is broken, you must fix it !"
fi fi
else else
error "HAProxy config is broken, you must fix it !" error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem"
fi fi
else else
debug "HAProxy is not running. Skip." debug "HAProxy is not running or missing. Skip."
fi fi
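Review bot: `systemctl reload apache2` on the "HAProxy detected... reloading" branch reloads the wrong service; it is context on both sides of the hunk, so the commit carries it forward unchanged, and it should read `systemctl reload haproxy`. Separately, the new ordering writes the bundle with `cat ... > "${haproxy_cert_file}"` before `chmod 600`, so on first creation the private key material exists briefly with the process umask; wrapping the write as `( umask 077; cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}" )` closes that window. Note also that because `haproxy -c` now runs after the file is written, a failed check leaves the new bundle in place to be picked up by the next reload, which may or may not be intended. The enclosing if begins at the hunk's first line and the helpers are defined above it.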


@ -13,18 +13,19 @@ debug() {
fi fi
} }
if [ -n "$(pidof nginx)" ]; then nginx_bin=$(command -v nginx)
nginx_bin=$(command -v nginx)
if ${nginx_bin} -t > /dev/null; then if [ -n "$(pidof nginx)" ] && [ -n "${nginx_bin}" ]; then
if grep --dereference-recursive -E "^\s*ssl_certificate" /etc/nginx/sites-enabled | grep -q "letsencrypt"; then if grep --dereference-recursive -E "letsencrypt" /etc/nginx/sites-enabled; then
if ${nginx_bin} -t > /dev/null; then
debug "Nginx detected... reloading" debug "Nginx detected... reloading"
systemctl reload nginx systemctl reload nginx
else else
debug "Nginx doesn't use Let's Encrypt certificate. Skip." error "Nginx config is broken, you must fix it !"
fi fi
else else
error "Nginx config is broken, you must fix it !" debug "Nginx doesn't use Let's Encrypt certificate. Skip."
fi fi
else else
debug "Nginx is not running. Skip." debug "Nginx is not running or missing. Skip."
fi fi


@ -13,18 +13,19 @@ debug() {
fi fi
} }
if [ -n "$(pidof master)" ]; then postconf_bin=$(command -v postconf)
postconf_bin=$(command -v postconf)
if ${postconf_bin} > /dev/null; then if [ -n "$(pidof master)" ] && [ -n "${postconf_bin}" ]; then
if ${postconf_bin} | grep -E "^smtpd_tls_cert_file" | grep -q "letsencrypt"; then if ${postconf_bin} | grep -E "^smtpd_tls_cert_file" | grep -q "letsencrypt"; then
if ${postconf_bin} > /dev/null; then
debug "Postfix detected... reloading" debug "Postfix detected... reloading"
systemctl reload postfix systemctl reload postfix
else else
debug "Postfix doesn't use Let's Encrypt certificate. Skip." error "Postfix config is broken, you must fix it !"
fi fi
else else
error "Postfix config is broken, you must fix it !" debug "Postfix doesn't use Let's Encrypt certificate. Skip."
fi fi
else else
debug "Postfix is not running. Skip." debug "Postfix is not running or missing. Skip."
fi fi
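Review bot: `[ -n "$(pidof master)" ]` on the hunk's first new line detects Postfix by the bare process name `master`, which any unrelated binary of that name also satisfies, so the hook can proceed to postconf and a reload on a host where Postfix is not actually running; the test is pre-existing but the commit rewrites that line. Since the hook already relies on systemd for the reload, asking the unit directly is both specific and consistent: `if systemctl is-active --quiet postfix && [ -n "${postconf_bin}" ]; then`. The debug()/error() helpers are defined before the hunk.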