haproxy.sh 9.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280
  1. #!/usr/bin/env sh
  2. # Script for acme.sh to deploy certificates to haproxy
  3. #
  4. # The following variables can be exported:
  5. #
  6. # export DEPLOY_HAPROXY_PEM_NAME="${domain}.pem"
  7. #
  8. # Defines the name of the PEM file.
  9. # Defaults to "<domain>.pem"
  10. #
  11. # export DEPLOY_HAPROXY_PEM_PATH="/etc/haproxy"
  12. #
  13. # Defines location of PEM file for HAProxy.
  14. # Defaults to /etc/haproxy
  15. #
  16. # export DEPLOY_HAPROXY_RELOAD="systemctl reload haproxy"
  17. #
  18. # OPTIONAL: Reload command used post deploy
  19. # This defaults to be a no-op (ie "true").
  20. # It is strongly recommended to set this something that makes sense
  21. # for your distro.
  22. #
  23. # export DEPLOY_HAPROXY_ISSUER="no"
  24. #
  25. # OPTIONAL: Places CA file as "${DEPLOY_HAPROXY_PEM}.issuer"
  26. # Note: Required for OCSP stapling to work
  27. #
  28. # export DEPLOY_HAPROXY_BUNDLE="no"
  29. #
  30. # OPTIONAL: Deploy this certificate as part of a multi-cert bundle
  31. # This adds a suffix to the certificate based on the certificate type
  32. # eg RSA certificates will have .rsa as a suffix to the file name
  33. # HAProxy will load all certificates and provide one or the other
  34. # depending on client capabilities
  35. # Note: This functionality requires HAProxy was compiled against
  36. # a version of OpenSSL that supports this.
  37. #
  38. ######## Public functions #####################
  39. #domain keyfile certfile cafile fullchain
  40. haproxy_deploy() {
  41. _cdomain="$1"
  42. _ckey="$2"
  43. _ccert="$3"
  44. _cca="$4"
  45. _cfullchain="$5"
  46. # Some defaults
  47. DEPLOY_HAPROXY_PEM_PATH_DEFAULT="/etc/haproxy"
  48. DEPLOY_HAPROXY_PEM_NAME_DEFAULT="${_cdomain}.pem"
  49. DEPLOY_HAPROXY_BUNDLE_DEFAULT="no"
  50. DEPLOY_HAPROXY_ISSUER_DEFAULT="no"
  51. DEPLOY_HAPROXY_RELOAD_DEFAULT="true"
  52. _debug _cdomain "${_cdomain}"
  53. _debug _ckey "${_ckey}"
  54. _debug _ccert "${_ccert}"
  55. _debug _cca "${_cca}"
  56. _debug _cfullchain "${_cfullchain}"
  57. # PEM_PATH is optional. If not provided then assume "${DEPLOY_HAPROXY_PEM_PATH_DEFAULT}"
  58. _getdeployconf DEPLOY_HAPROXY_PEM_PATH
  59. _debug2 DEPLOY_HAPROXY_PEM_PATH "${DEPLOY_HAPROXY_PEM_PATH}"
  60. if [ -n "${DEPLOY_HAPROXY_PEM_PATH}" ]; then
  61. Le_Deploy_haproxy_pem_path="${DEPLOY_HAPROXY_PEM_PATH}"
  62. _savedomainconf Le_Deploy_haproxy_pem_path "${Le_Deploy_haproxy_pem_path}"
  63. elif [ -z "${Le_Deploy_haproxy_pem_path}" ]; then
  64. Le_Deploy_haproxy_pem_path="${DEPLOY_HAPROXY_PEM_PATH_DEFAULT}"
  65. fi
  66. # Ensure PEM_PATH exists
  67. if [ -d "${Le_Deploy_haproxy_pem_path}" ]; then
  68. _debug "PEM_PATH ${Le_Deploy_haproxy_pem_path} exists"
  69. else
  70. _err "PEM_PATH ${Le_Deploy_haproxy_pem_path} does not exist"
  71. return 1
  72. fi
  73. # PEM_NAME is optional. If not provided then assume "${DEPLOY_HAPROXY_PEM_NAME_DEFAULT}"
  74. _getdeployconf DEPLOY_HAPROXY_PEM_NAME
  75. _debug2 DEPLOY_HAPROXY_PEM_NAME "${DEPLOY_HAPROXY_PEM_NAME}"
  76. if [ -n "${DEPLOY_HAPROXY_PEM_NAME}" ]; then
  77. Le_Deploy_haproxy_pem_name="${DEPLOY_HAPROXY_PEM_NAME}"
  78. _savedomainconf Le_Deploy_haproxy_pem_name "${Le_Deploy_haproxy_pem_name}"
  79. elif [ -z "${Le_Deploy_haproxy_pem_name}" ]; then
  80. Le_Deploy_haproxy_pem_name="${DEPLOY_HAPROXY_PEM_NAME_DEFAULT}"
  81. fi
  82. # BUNDLE is optional. If not provided then assume "${DEPLOY_HAPROXY_BUNDLE_DEFAULT}"
  83. _getdeployconf DEPLOY_HAPROXY_BUNDLE
  84. _debug2 DEPLOY_HAPROXY_BUNDLE "${DEPLOY_HAPROXY_BUNDLE}"
  85. if [ -n "${DEPLOY_HAPROXY_BUNDLE}" ]; then
  86. Le_Deploy_haproxy_bundle="${DEPLOY_HAPROXY_BUNDLE}"
  87. _savedomainconf Le_Deploy_haproxy_bundle "${Le_Deploy_haproxy_bundle}"
  88. elif [ -z "${Le_Deploy_haproxy_bundle}" ]; then
  89. Le_Deploy_haproxy_bundle="${DEPLOY_HAPROXY_BUNDLE_DEFAULT}"
  90. fi
  91. # ISSUER is optional. If not provided then assume "${DEPLOY_HAPROXY_ISSUER_DEFAULT}"
  92. _getdeployconf DEPLOY_HAPROXY_ISSUER
  93. _debug2 DEPLOY_HAPROXY_ISSUER "${DEPLOY_HAPROXY_ISSUER}"
  94. if [ -n "${DEPLOY_HAPROXY_ISSUER}" ]; then
  95. Le_Deploy_haproxy_issuer="${DEPLOY_HAPROXY_ISSUER}"
  96. _savedomainconf Le_Deploy_haproxy_issuer "${Le_Deploy_haproxy_issuer}"
  97. elif [ -z "${Le_Deploy_haproxy_issuer}" ]; then
  98. Le_Deploy_haproxy_issuer="${DEPLOY_HAPROXY_ISSUER_DEFAULT}"
  99. fi
  100. # RELOAD is optional. If not provided then assume "${DEPLOY_HAPROXY_RELOAD_DEFAULT}"
  101. _getdeployconf DEPLOY_HAPROXY_RELOAD
  102. _debug2 DEPLOY_HAPROXY_RELOAD "${DEPLOY_HAPROXY_RELOAD}"
  103. if [ -n "${DEPLOY_HAPROXY_RELOAD}" ]; then
  104. Le_Deploy_haproxy_reload="${DEPLOY_HAPROXY_RELOAD}"
  105. _savedomainconf Le_Deploy_haproxy_reload "${Le_Deploy_haproxy_reload}"
  106. elif [ -z "${Le_Deploy_haproxy_reload}" ]; then
  107. Le_Deploy_haproxy_reload="${DEPLOY_HAPROXY_RELOAD_DEFAULT}"
  108. fi
  109. # Set the suffix depending if we are creating a bundle or not
  110. if [ "${Le_Deploy_haproxy_bundle}" = "yes" ]; then
  111. _info "Bundle creation requested"
  112. # Initialise $Le_Keylength if its not already set
  113. if [ -z "${Le_Keylength}" ]; then
  114. Le_Keylength=""
  115. fi
  116. if _isEccKey "${Le_Keylength}"; then
  117. _info "ECC key type detected"
  118. _suffix=".ecdsa"
  119. else
  120. _info "RSA key type detected"
  121. _suffix=".rsa"
  122. fi
  123. else
  124. _suffix=""
  125. fi
  126. _debug _suffix "${_suffix}"
  127. # Set variables for later
  128. _pem="${Le_Deploy_haproxy_pem_path}/${Le_Deploy_haproxy_pem_name}${_suffix}"
  129. _issuer="${_pem}.issuer"
  130. _ocsp="${_pem}.ocsp"
  131. _reload="${Le_Deploy_haproxy_reload}"
  132. _info "Deploying PEM file"
  133. # Create a temporary PEM file
  134. _temppem="$(_mktemp)"
  135. _debug _temppem "${_temppem}"
  136. cat "${_ckey}" "${_ccert}" "${_cca}" >"${_temppem}"
  137. _ret="$?"
  138. # Check that we could create the temporary file
  139. if [ "${_ret}" != "0" ]; then
  140. _err "Error code ${_ret} returned during PEM file creation"
  141. [ -f "${_temppem}" ] && rm -f "${_temppem}"
  142. return ${_ret}
  143. fi
  144. # Move PEM file into place
  145. _info "Moving new certificate into place"
  146. _debug _pem "${_pem}"
  147. cat "${_temppem}" >"${_pem}"
  148. _ret=$?
  149. # Clean up temp file
  150. [ -f "${_temppem}" ] && rm -f "${_temppem}"
  151. # Deal with any failure of moving PEM file into place
  152. if [ "${_ret}" != "0" ]; then
  153. _err "Error code ${_ret} returned while moving new certificate into place"
  154. return ${_ret}
  155. fi
  156. # Update .issuer file if requested
  157. if [ "${Le_Deploy_haproxy_issuer}" = "yes" ]; then
  158. _info "Updating .issuer file"
  159. _debug _issuer "${_issuer}"
  160. cat "${_cca}" >"${_issuer}"
  161. _ret="$?"
  162. if [ "${_ret}" != "0" ]; then
  163. _err "Error code ${_ret} returned while copying issuer/CA certificate into place"
  164. return ${_ret}
  165. fi
  166. else
  167. [ -f "${_issuer}" ] && _err "Issuer file update not requested but .issuer file exists"
  168. fi
  169. # Update .ocsp file if certificate was requested with --ocsp/--ocsp-must-staple option
  170. if [ -z "${Le_OCSP_Staple}" ]; then
  171. Le_OCSP_Staple="0"
  172. fi
  173. if [ "${Le_OCSP_Staple}" = "1" ]; then
  174. _info "Updating OCSP stapling info"
  175. _debug _ocsp "${_ocsp}"
  176. _info "Extracting OCSP URL"
  177. _ocsp_url=$(${ACME_OPENSSL_BIN:-openssl} x509 -noout -ocsp_uri -in "${_pem}")
  178. _debug _ocsp_url "${_ocsp_url}"
  179. # Only process OCSP if URL was present
  180. if [ "${_ocsp_url}" != "" ]; then
  181. # Extract the hostname from the OCSP URL
  182. _info "Extracting OCSP URL"
  183. _ocsp_host=$(echo "${_ocsp_url}" | cut -d/ -f3)
  184. _debug _ocsp_host "${_ocsp_host}"
  185. # Only process the certificate if we have a .issuer file
  186. if [ -r "${_issuer}" ]; then
  187. # Check if issuer cert is also a root CA cert
  188. _subjectdn=$(${ACME_OPENSSL_BIN:-openssl} x509 -in "${_issuer}" -subject -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)
  189. _debug _subjectdn "${_subjectdn}"
  190. _issuerdn=$(${ACME_OPENSSL_BIN:-openssl} x509 -in "${_issuer}" -issuer -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)
  191. _debug _issuerdn "${_issuerdn}"
  192. _info "Requesting OCSP response"
  193. # If the issuer is a CA cert then our command line has "-CAfile" added
  194. if [ "${_subjectdn}" = "${_issuerdn}" ]; then
  195. _cafile_argument="-CAfile \"${_issuer}\""
  196. else
  197. _cafile_argument=""
  198. fi
  199. _debug _cafile_argument "${_cafile_argument}"
  200. # if OpenSSL/LibreSSL is v1.1 or above, the format for the -header option has changed
  201. _openssl_version=$(${ACME_OPENSSL_BIN:-openssl} version | cut -d' ' -f2)
  202. _debug _openssl_version "${_openssl_version}"
  203. _openssl_major=$(echo "${_openssl_version}" | cut -d '.' -f1)
  204. _openssl_minor=$(echo "${_openssl_version}" | cut -d '.' -f2)
  205. if [ "${_openssl_major}" -eq "1" ] && [ "${_openssl_minor}" -ge "1" ] || [ "${_openssl_major}" -ge "2" ]; then
  206. _header_sep="="
  207. else
  208. _header_sep=" "
  209. fi
  210. # Request the OCSP response from the issuer and store it
  211. _openssl_ocsp_cmd="${ACME_OPENSSL_BIN:-openssl} ocsp \
  212. -issuer \"${_issuer}\" \
  213. -cert \"${_pem}\" \
  214. -url \"${_ocsp_url}\" \
  215. -header Host${_header_sep}\"${_ocsp_host}\" \
  216. -respout \"${_ocsp}\" \
  217. -verify_other \"${_issuer}\" \
  218. ${_cafile_argument} \
  219. | grep -q \"${_pem}: good\""
  220. _debug _openssl_ocsp_cmd "${_openssl_ocsp_cmd}"
  221. eval "${_openssl_ocsp_cmd}"
  222. _ret=$?
  223. else
  224. # Non fatal: No issuer file was present so no OCSP stapling file created
  225. _err "OCSP stapling in use but no .issuer file was present"
  226. fi
  227. else
  228. # Non fatal: No OCSP url was found int the certificate
  229. _err "OCSP update requested but no OCSP URL was found in certificate"
  230. fi
  231. # Non fatal: Check return code of openssl command
  232. if [ "${_ret}" != "0" ]; then
  233. _err "Updating OCSP stapling failed with return code ${_ret}"
  234. fi
  235. else
  236. # An OCSP file was already present but certificate did not have OCSP extension
  237. if [ -f "${_ocsp}" ]; then
  238. _err "OCSP was not requested but .ocsp file exists."
  239. # Could remove the file at this step, although HAProxy just ignores it in this case
  240. # rm -f "${_ocsp}" || _err "Problem removing stale .ocsp file"
  241. fi
  242. fi
  243. # Reload HAProxy
  244. _debug _reload "${_reload}"
  245. eval "${_reload}"
  246. _ret=$?
  247. if [ "${_ret}" != "0" ]; then
  248. _err "Error code ${_ret} during reload"
  249. return ${_ret}
  250. else
  251. _info "Reload successful"
  252. fi
  253. return 0
  254. }