52 lines
1.8 KiB
Bash
52 lines
1.8 KiB
Bash
#!/bin/sh
|
|
|
|
readonly VERBOSE=${VERBOSE:-"0"}
|
|
readonly QUIET=${QUIET:-"0"}
|
|
|
|
error() {
|
|
>&2 echo "${PROGNAME}: $1"
|
|
exit 1
|
|
}
|
|
debug() {
|
|
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
|
|
>&2 echo "${PROGNAME}: $1"
|
|
fi
|
|
}
|
|
|
|
if [ -z "${RENEWED_LINEAGE}" ]; then
|
|
error "This script must be called only by certbot!"
|
|
fi
|
|
|
|
haproxy_bin=$(command -v haproxy)
|
|
|
|
if [ -n "$(pidof haproxy)" ] && [ -n "${haproxy_bin}" ]; then
|
|
if [ -f "${RENEWED_LINEAGE}/fullchain.pem" ] && [ -f "${RENEWED_LINEAGE}/privkey.pem" ]; then
|
|
haproxy_cert_file="/etc/ssl/haproxy/$(basename "${RENEWED_LINEAGE}").pem"
|
|
failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
|
|
|
|
debug "Concatenating certificate files to ${haproxy_cert_file}"
|
|
cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}"
|
|
chmod 600 "${haproxy_cert_file}"
|
|
chown root: "${haproxy_cert_file}"
|
|
|
|
haproxy_cert_md5=$(openssl x509 -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
|
|
haproxy_key_md5=$(openssl rsa -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
|
|
|
|
if [ "${haproxy_cert_md5}" != "${haproxy_key_md5}" ]; then
|
|
mv "${haproxy_cert_file}" "${failed_cert_file}"
|
|
error "Key and cert don't match, we moved the file to ${failed_cert_file} for inspection"
|
|
fi
|
|
|
|
if ${haproxy_bin} -c -f /etc/haproxy/haproxy.cfg > /dev/null; then
|
|
debug "HAProxy detected... reloading"
|
|
systemctl reload apache2
|
|
else
|
|
error "HAProxy config is broken, you must fix it !"
|
|
fi
|
|
else
|
|
error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem"
|
|
fi
|
|
else
|
|
debug "HAProxy is not running or missing. Skip."
|
|
fi
|