Love OpenSource ;)

README.rst

@@ -27,7 +27,7 @@ useful to you in the following cases:
 .. _Greenhost's: https://greenhost.net
 
 This plugin does not configure HAProxy for you, because HAProxy configurations
-can can vary a great deal. Please read the installation instructions on how to
+can vary a great deal. Please read the installation instructions on how to
 configure HAProxy for use with the plugin. If you have a good idea on how we can
 implement automatic HAProxy configuration, you are welcome to create a merge
 request or an issue.

certbot-deploy-hook

@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+
+import os
+import re
+import sys
+
+# Certbot sets an environment variable RENEWED_LINEAGE, which points to the
+# path of the renewed certificate. We use that path to determine and find
+# the files for the currently renewed certificated
+lineage=os.environ.get('RENEWED_LINEAGE')
+
+# If nothing renewed, exit
+if not lineage:
+    sys.exit()
+
+# From the linage, we strip the 'domain name', which is the last part
+# of the path.
+result = re.match(r'.*/live/(.+)$', lineage)
+
+# If we can not recognize the path, we exit with 1
+if not result:
+    sys.exit(1)
+
+# Extract the domain name
+domain = result.group(1)
+
+# Define a path for HAproxy where you want to write the .pem file.
+deploy_path="/opt/certbot/haproxy_fullchains/" + domain + ".pem"
+
+# The source files can be found in below paths, constructed with the lineage
+# path
+source_key = lineage + "/privkey.pem"
+source_chain = lineage + "/fullchain.pem"
+
+# HAproxy requires to combine the key and chain in one .pem file
+with open(deploy_path, "w") as deploy, \
+        open(source_key, "r") as key, \
+        open(source_chain, "r") as chain:
+    deploy.write(key.read())
+    deploy.write(chain.read())
+
+# Here you can add your service reload command. Which will be executed after
+# every renewal, which is fine if you only have a few domains.
+
+os.system('sudo /bin/systemctl restart haproxy')
+
+# Alternative is to add the reload to the --post-hook. In that case it is only
+# run once after all renewals. That would be the use-case if you have a large
+# number of different certificates served by HAproxy.

certbot_haproxy/authenticator.py

@@ -52,7 +52,7 @@
 from acme import challenges
 
 from certbot import interfaces
-from certbot.plugins import standalone
+from certbot._internal.plugins import standalone
 
 logger = logging.getLogger(__name__)  # pylint:disable=invalid-name
 

certbot_haproxy/constants.py

@@ -10,6 +10,7 @@
   - Ubuntu Vivid (15.04)
   - Ubuntu Wily (15.10)
   - Ubuntu Xenial (16.04)
+  - CentOS (7)
 
 You can define new lists below following the instructions hereafter, please
 consider making a pull-request when you do so, so others may benefit of your
@@ -57,8 +58,8 @@
 from certbot_haproxy.util import MemoiseNoArgs
 
 RE_HAPROXY_DOMAIN_ACL = re.compile(
-    r'\s*acl (?P<name>[0-9a-z_\-.]+) '
-    r'hdr\(host\) -i '
+    r'\s*acl\s+(?P<name>[0-9a-z_\-.]+)\s+'
+    r'(?:hdr\(host\)|req\.ssl_sni)\s+-i\s+'
     r'(?P<domain>'  # Start group "domain"
     r'(?:[0-9-a-z](?:[a-z0-9-]{0,61}[a-z0-9]\.)+)'  # (sub-)domain parts
     r'(?:[0-9-a-z](?:[a-z0-9-]{0,61}[a-z0-9]))'  # TLD part
@@ -87,6 +88,17 @@
     crt_directory='/opt/certbot/haproxy_fullchains',
 )
 
+CLI_DEFAULTS_RHEL_BASED_SYSTEMD_OS = dict(
+    service_manager='systemctl',
+    version_cmd=['/usr/sbin/haproxy', '-v'],
+    restart_cmd=['sudo', 'systemctl', 'restart', 'haproxy'],
+    # Needs the config file as an argument:
+    conftest_cmd=['/usr/sbin/haproxy', '-c', '-f'],
+    haproxy_config='/etc/haproxy/haproxy.cfg',
+    # Needs to be writeable by the user that will run certbot
+    crt_directory='/opt/certbot/haproxy_fullchains',
+)
+
 CLI_DEFAULTS = {
     "debian": {
         '_min_version': '7',
@@ -109,6 +121,10 @@
         '18.04': CLI_DEFAULTS_DEBIAN_BASED_SYSTEMD_OS,
         '18.10': CLI_DEFAULTS_DEBIAN_BASED_SYSTEMD_OS,
         '19.04': CLI_DEFAULTS_DEBIAN_BASED_SYSTEMD_OS
+    },
+    "centos": {
+        '_min_version': '7',
+        '7': CLI_DEFAULTS_RHEL_BASED_SYSTEMD_OS
     }
 }
 

certbot_haproxy/util.py

@@ -49,7 +49,7 @@ def create_self_signed_cert(bits=2048, **kwargs):
     cert = crypto.X509()
 
     attributes = {
-        'countryName': u"FU",
+        'countryName': u"UK",
         'stateOrProvinceName': u"Oceania",
         'localityName': u"London",
         'organizationName': u"Ministry of Truth",