From abf533f4b06bae1cad5a106c8324df152bfc4691 Mon Sep 17 00:00:00 2001
From: Istvan Pusztai
Date: Fri, 25 Aug 2017 20:38:47 -0400
Subject: [PATCH 1/7] Allow whitespaces in domain ACL regex
In some cases there are extraneous spaces in the configuration file for visual aid (or simply accidental) preventing the domains from being picked up. Also adding `req.ssl_sni` as a valid criterion for non-http TLS traffic.
--- certbot_haproxy/constants.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/certbot_haproxy/constants.py b/certbot_haproxy/constants.py
index e3d4505..44d7a18 100644
--- a/certbot_haproxy/constants.py
+++ b/certbot_haproxy/constants.py
@@ -57,8 +57,8 @@ from certbot_haproxy.util import MemoiseNoArgs
 RE_HAPROXY_DOMAIN_ACL = re.compile(
- r'\s*acl (?P[0-9a-z_\-.]+) '
- r'hdr\(host\) -i '
+ r'\s*acl\s+(?P[0-9a-z_\-.]+)\s+'
+ r'(?:hdr\(host\)|req\.ssl_sni)\s+-i\s+'
 r'(?P' # Start group "domain"
 r'(?:[0-9-a-z](?:[a-z0-9-]{0,61}[a-z0-9]\.)+)' # (sub-)domain parts
 r'(?:[0-9-a-z](?:[a-z0-9-]{0,61}[a-z0-9]))' # TLD part
From 2b3de538a557d79a4f3a68b68590be3c0818cbe0 Mon Sep 17 00:00:00 2001
From: Anthony Robinson
Date: Wed, 13 Sep 2017 08:24:58 -0400
Subject: [PATCH 2/7] Add Cent7 to constants
--- certbot_haproxy/constants.py | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/certbot_haproxy/constants.py b/certbot_haproxy/constants.py
index 44d7a18..4ee5437 100644
--- a/certbot_haproxy/constants.py
+++ b/certbot_haproxy/constants.py
@@ -10,6 +10,7 @@
 - Ubuntu Vivid (15.04)
 - Ubuntu Wily (15.10)
 - Ubuntu Xenial (16.04)
+ - CentOS (7)
 You can define new lists below following the instructions hereafter, please
 consider making a pull-request when you do so, so others may benefit of your 
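Review bot: The new `(?:hdr\(host\)|req\.ssl_sni)` alternative is the only fragment of RE_HAPROXY_DOMAIN_ACL without the trailing comment every other line of the pattern carries; add `# criterion: HTTP Host header or TLS SNI` on that line so the non-HTTP case is explained where it is matched. The `-i` flag remains mandatory, so an ACL written without it is still skipped by the regex — if that is deliberate, a sentence in the constant's comment should say so. The group name following `(?P` is not visible in this rendering of the hunk, so I can only assume it survived the edit unchanged.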
@@ -87,6 +88,17 @@
 crt_directory='/opt/certbot/haproxy_fullchains',
 )
+CLI_DEFAULTS_RHEL_BASED_SYSTEMD_OS = dict(
+ service_manager='systemctl',
+ version_cmd=['/usr/sbin/haproxy', '-v'],
+ restart_cmd=['sudo', 'systemctl', 'restart', 'haproxy'],
+ # Needs the config file as an argument:
+ conftest_cmd=['/usr/sbin/haproxy', '-c', '-f'],
+ haproxy_config='/etc/haproxy/haproxy.cfg',
+ # Needs to be writeable by the user that will run certbot
+ crt_directory='/opt/certbot/haproxy_fullchains',
+)
+
 CLI_DEFAULTS = {
 "debian": {
 '_min_version': '7',
@@ -109,6 +121,10 @@
 '18.04': CLI_DEFAULTS_DEBIAN_BASED_SYSTEMD_OS,
 '18.10': CLI_DEFAULTS_DEBIAN_BASED_SYSTEMD_OS,
 '19.04': CLI_DEFAULTS_DEBIAN_BASED_SYSTEMD_OS
+ },
+ "centos": {
+ '_min_version': '7',
+ '7': CLI_DEFAULTS_RHEL_BASED_SYSTEMD_OS
 }
 }
From d31c8e83f5b20a6a23bc8c371e14e12d025f9b3c Mon Sep 17 00:00:00 2001
From: Chris
Date: Mon, 7 May 2018 10:32:27 +0000
Subject: [PATCH 3/7] Tweak fallback certificate to be kind
--- certbot_haproxy/util.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/certbot_haproxy/util.py b/certbot_haproxy/util.py
index 2d388ed..78095fc 100644
--- a/certbot_haproxy/util.py
+++ b/certbot_haproxy/util.py
@@ -49,7 +49,7 @@ def create_self_signed_cert(bits=2048, **kwargs):
 cert = crypto.X509()
 attributes = {
- 'countryName': u"FU",
+ 'countryName': u"UK",
 'stateOrProvinceName': u"Oceania",
 'localityName': u"London",
 'organizationName': u"Ministry of Truth",
From 185057292f85fe069805286fb1dfa756dfcc3ff0 Mon Sep 17 00:00:00 2001
From: Nicolas Quiniou-Briand
Date: Tue, 11 Sep 2018 10:36:49 +0200
Subject: [PATCH 4/7] fix typo
--- README.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.rst b/README.rst
index 5dd27ea..4788821 100644
--- a/README.rst
+++ b/README.rst 
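Review bot: CLI_DEFAULTS_RHEL_BASED_SYSTEMD_OS repeats `crt_directory`, and apparently most of the other keys, from the Debian-based systemd dict whose closing lines sit just above it; unless the two really differ in more than the haproxy binary path, deriving it as `dict(CLI_DEFAULTS_DEBIAN_BASED_SYSTEMD_OS, version_cmd=['/usr/sbin/haproxy', '-v'], conftest_cmd=['/usr/sbin/haproxy', '-c', '-f'])` keeps them from drifting apart. The `"centos"` entry in the second hunk maps only the key `'7'`; if the version lookup elsewhere compares the full release string (e.g. `7.9`) rather than the major number, no CentOS host will match, which this diff does not let me confirm. A short comment on `restart_cmd` explaining why `sudo` is needed there but not for `conftest_cmd` would also help the next reader.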
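Review bot: `'countryName': u"UK"` is not an ISO 3166-1 alpha-2 code — the United Kingdom is `GB` — so the fallback certificate's subject still carries an invalid C= value, merely a friendlier-looking one than `FU`; the line should read `'countryName': u"GB",`. Whether the attribute assignment that follows rejects an unassigned code depends on the crypto library's validation, which this hunk does not show; a stricter build would then fail to create the self-signed certificate at all. The body of create_self_signed_cert continues outside the hunk.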
@@ -27,7 +27,7 @@ useful to you in the following cases:
 .. _Greenhost's: https://greenhost.net
 This plugin does not configure HAProxy for you, because HAProxy configurations
-can can vary a great deal. Please read the installation instructions on how to
+can vary a great deal. Please read the installation instructions on how to
 configure HAProxy for use with the plugin. If you have a good idea on how we can implement automatic HAProxy configuration, you are welcome to create a merge request or an issue.
From 64fc9b286391b7fbe65362ca499fafb5b93cd580 Mon Sep 17 00:00:00 2001
From: Pierre Faucquenoy
Date: Mon, 6 Apr 2020 17:33:03 +0200
Subject: [PATCH 5/7] fix [certbot]: move standalone import
--- certbot_haproxy/authenticator.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/certbot_haproxy/authenticator.py b/certbot_haproxy/authenticator.py
index 68e2288..e10dd0a 100644
--- a/certbot_haproxy/authenticator.py
+++ b/certbot_haproxy/authenticator.py
@@ -52,7 +52,7 @@ from acme import challenges
 from certbot import interfaces
-from certbot.plugins import standalone
+from certbot._internal.plugins import standalone
 logger = logging.getLogger(__name__) # pylint:disable=invalid-name
From cfa0c0450eab74cc5ca7788a361f159ef4bd1876 Mon Sep 17 00:00:00 2001
From: Pierre Faucquenoy
Date: Sat, 18 Dec 2021 17:38:04 +0100
Subject: [PATCH 6/7] feat(hook): add deploy hook
--- certbot-deploy-hook | 49 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100755 certbot-deploy-hook
diff --git a/certbot-deploy-hook b/certbot-deploy-hook
new file mode 100755
index 0000000..a43c7d4
--- /dev/null
+++ b/certbot-deploy-hook 
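Review bot: `certbot._internal.plugins` is a private package, so the new import ties the authenticator to an unstable certbot API and breaks outright on releases that still ship the module as `certbot.plugins.standalone`; a guarded import keeps both layouts working, and the certbot version constraint in the project's packaging should be raised to whichever release moved the module. The fallback comment should name that release once it is verified. The rest of the import block continues outside the hunk.
```python
# … unchanged: from certbot import interfaces …
try:
    from certbot._internal.plugins import standalone
except ImportError:  # older certbot still exposes the public path
    from certbot.plugins import standalone
```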
@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+
+import os
+import re
+import sys
+
+# Certbot sets an environment variable RENEWED_LINEAGE, which points to the
+# path of the renewed certificate. We use that path to determine and find
+# the files for the currently renewed certificated
+lineage=os.environ.get('RENEWED_LINEAGE')
+
+# If nothing renewed, exit
+if not lineage:
+ sys.exit()
+
+# From the linage, we strip the 'domain name', which is the last part
+# of the path.
+result = re.match(r'.*/live/(.+)$', lineage)
+
+# If we can not recognize the path, we exit with 1
+if not result:
+ sys.exit(1)
+
+# Extract the domain name
+domain = result.group(1)
+
+# Define a path for HAproxy where you want to write the .pem file.
+deploy_path="/opt/certbot/haproxy_fullchains/" + domain + ".pem"
+
+# The source files can be found in below paths, constructed with the lineage
+# path
+source_key = lineage + "/privkey.pem"
+source_chain = lineage + "/fullchain.pem"
+
+# HAproxy requires to combine the key and chain in one .pem file
+with open(deploy_path, "w") as deploy, \
+ open(source_key, "r") as key, \
+ open(source_chain, "r") as chain:
+ deploy.write(key.read())
+ deploy.write(chain.read())
+
+# Here you can add your service reload command. Which will be executed after
+# every renewal, which is fine if you only have a few domains.
+
+os.system('/bin/systemctl restart haproxy')
+
+# Alternative is to add the reload to the --post-hook. In that case it is only
+# run once after all renewals. That would be the use-case if you have a large
+# number of different certificates served by HAproxy.
From fefb8cfe363e0a02c4dac074c6659d01ecf9b9e0 Mon Sep 17 00:00:00 2001
From: Pierre Faucquenoy
Date: Sat, 2 Jul 2022 12:45:30 +0200
Subject: [PATCH 7/7] feat(hook): use sudo to restart haproxy
--- certbot-deploy-hook | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/certbot-deploy-hook b/certbot-deploy-hook
index a43c7d4..0796707 100755
--- a/certbot-deploy-hook 
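Review bot: `open(deploy_path, "w")` creates the combined bundle with whatever the process umask allows, so the private key copied in from `privkey.pem` typically ends up world-readable under `/opt/certbot/haproxy_fullchains/`; the file should be created with mode 0600 through `os.open` before anything is written to it. The bundle is also written in place, so a HAProxy reload that races the hook can load a truncated or half-written PEM — writing to a temporary name and `os.replace`-ing it makes the swap atomic. Both fixes fit inside the `with` block; the rest of the script is unchanged.
```python
# HAproxy requires to combine the key and chain in one .pem file.
# Create the bundle 0600 (it contains the private key) under a temporary
# name and rename it into place so a concurrent reload never sees a
# partially written file.
tmp_path = deploy_path + ".tmp"
fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
with os.fdopen(fd, "w") as deploy, \
        open(source_key, "r") as key, \
        open(source_chain, "r") as chain:
    deploy.write(key.read())
    deploy.write(chain.read())
os.replace(tmp_path, deploy_path)
# … unchanged: service restart and trailing comments …
```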
+++ b/certbot-deploy-hook
@@ -42,7 +42,7 @@ with open(deploy_path, "w") as deploy, \
 # Here you can add your service reload command. Which will be executed after
 # every renewal, which is fine if you only have a few domains.
-os.system('/bin/systemctl restart haproxy')
+os.system('sudo /bin/systemctl restart haproxy')
 # Alternative is to add the reload to the --post-hook. In that case it is only
 # run once after all renewals. That would be the use-case if you have a large
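Review bot: `os.system('sudo /bin/systemctl restart haproxy')` discards the wait status, so a failed or denied restart (for instance no sudoers rule for the user running certbot) leaves the hook exiting 0 and certbot reporting a successful deploy while HAProxy still serves the old certificate; `subprocess.run(['sudo', '/bin/systemctl', 'restart', 'haproxy'], check=True)` (with `import subprocess` at the top) surfaces the failure instead. The `sudo` only matters when certbot runs unprivileged, so the header comment should state the exact sudoers entry that case requires, limited to this one command, rather than leaving it to be discovered at renewal time. `restart` also drops live connections where `reload` would not; whether the haproxy unit on the targeted distributions supports reload cannot be confirmed from this hunk. The remainder of the script lies outside the hunk.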