From ce0d61bcbdcb87ca7876426f03e7ea61285e8883 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Sun, 14 Jun 2020 12:30:34 +0200
Subject: [PATCH] certbot: detect HAProxy cert directory
---
 CHANGELOG.md | 1 +
 certbot/files/hooks/haproxy.sh | 21 +++++++++++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6f4e3091..eb83f6aa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ The **patch** part changes incrementally at each release.
 ### Added
+* certbot: detect HAProxy cert directory
 * haproxy: enable stats frontend with access lists
 * lxc-php: Install php-sqlite by default
 * lxc-php: Don't disable putenv() by default in PHP settings
diff --git a/certbot/files/hooks/haproxy.sh b/certbot/files/hooks/haproxy.sh
index 8bb66e2c..4998d55f 100644
--- a/certbot/files/hooks/haproxy.sh
+++ b/certbot/files/hooks/haproxy.sh
@@ -16,7 +16,7 @@ found_renewed_lineage() {
 test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
 }
 config_check() {
- ${haproxy_bin} -c -f /etc/haproxy/haproxy.cfg > /dev/null 2>&1
+ ${haproxy_bin} -c -f "${haproxy_config_file}" > /dev/null 2>&1
 }
 concat_files() {
 # shellcheck disable=SC2174 
@@ -34,6 +34,22 @@ cert_and_key_mismatch() {
 test "${haproxy_cert_md5}" != "${haproxy_key_md5}"
 }
+detect_haproxy_cert_dir() {
+ # get last field or line wich defines the crt directory
+ config_cert_dir=$(grep -r -o -E -h '^\s*bind .* crt /etc/.+\b' "${haproxy_config_file}" | head -1 | awk '{ print $(NF)}')
+ if [ -n "${config_cert_dir}" ]; then
+ debug "Cert directory is configured with ${config_cert_dir}"
+ echo "${config_cert_dir}"
+ elif [ -d "/etc/haproxy/ssl" ]; then
+ debug "No configured cert directory found, but /etc/haproxy/ssl exists"
+ echo "/etc/haproxy/ssl"
+ elif [ -d "/etc/ssl/haproxy" ]; then
+ debug "No configured cert directory found, but /etc/ssl/haproxy exists"
+ echo "/etc/ssl/haproxy"
+ else
+ error "Cert directory not found."
+ fi
+}
 main() {
 if [ -z "${RENEWED_LINEAGE}" ]; then
 error "This script must be called only by certbot!"
@@ -70,6 +86,7 @@ readonly VERBOSE=${VERBOSE:-"0"}
 readonly QUIET=${QUIET:-"0"}
 readonly haproxy_bin=$(command -v haproxy)
-readonly haproxy_cert_dir="/etc/ssl/haproxy"
+readonly haproxy_config_file="/etc/haproxy/haproxy.cfg"
+readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)
 main
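Review bot: The greedy `.+\b` in the grep pattern of detect_haproxy_cert_dir, combined with printing the last field, returns whatever token ends the `bind` line rather than the `crt` argument: for a constructed line like `bind :443 ssl crt /etc/haproxy/ssl alpn h2,http/1.1` the match runs to the end of the line and the function echoes `h2,http/1.1`, which the hook would then use as its certificate directory. Select the token that follows `crt` instead, e.g. `config_cert_dir=$(grep -E -h '^\s*bind .* crt /etc/' "${haproxy_config_file}" | head -1 | awk '{ for (i = 1; i < NF; i++) if ($i == "crt") { print $(i + 1); exit } }')`. HAProxy's `crt` keyword also accepts a single PEM file, so the first branch should additionally require `[ -d "${config_cert_dir}" ]` before echoing the value, otherwise a file path is handed to callers expecting a directory. `-r` is redundant when grep is given a file path, and `config_cert_dir` should be declared `local` so the detection does not leave a global behind.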
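Review bot: `readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)` runs the detection in a command-substitution subshell, so if `error` terminates the process (its definition is outside the hunk) only the subshell exits: the assignment succeeds with an empty value, `readonly` masks the substitution's exit status, and `main` still runs with no certificate directory, which is precisely the condition the new function was meant to stop. Split the assignment from the attribute and fail in the parent shell: `haproxy_cert_dir=$(detect_haproxy_cert_dir) || exit 1`, then `[ -n "${haproxy_cert_dir}" ] || error "Cert directory not found."`, then `readonly haproxy_cert_dir`. Anything `debug` writes to stdout is also captured into the variable by this substitution, so it should write to stderr — worth confirming against its definition.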