the postsave command is ran by certmonger when a certificate is
requested (which will happen on certificate renewal). The previous
command given didn't take into account the file that haproxy expects,
which is a bundled PEM file with both the certificate and the key. Thus,
certmonger would have never generated a new bundle that haproxy would
use, resulting in haproxy always having an old bundle after certificate
expiration.
This fixes that.
Change-Id: Idb650d35f56abaf6a17e17794a068dd5933e6a62
Closes-Bug: #
1712514
(cherry picked from commit
e1791a37d557b14bb8f833363cabe5c98e151548)
$dnsnames_real = $hostname
}
- $postsave_cmd_real = pick($postsave_cmd, 'if systemctl -q is-active haproxy; then systemctl reload haproxy; else true; fi')
+ if $certmonger_ca == 'local' {
+ $ca_fragment = $ca_pem
+ } else {
+ $ca_fragment = ''
+ }
+
+ $concat_pem = "cat ${service_certificate} ${ca_fragment} ${service_key} > ${service_pem}"
+ if $postsave_cmd {
+ $postsave_cmd_real = "${concat_pem} && ${postsave_cmd}"
+ } else {
+ $reload_haproxy_cmd = 'if systemctl -q is-active haproxy; then systemctl reload haproxy; else true; fi'
+ $postsave_cmd_real = "${concat_pem} && ${reload_haproxy_cmd}"
+ }
+
certmonger_certificate { "${title}-cert":
ensure => 'present',
ca => $certmonger_ca,
Code Review / apex-puppet-tripleo.git / commitdiff