haproxy.sh 8.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272
  1. #!/usr/bin/env sh
  2. # Script for acme.sh to deploy certificates to haproxy
  3. #
  4. # The following variables can be exported:
  5. #
  6. # export DEPLOY_HAPROXY_PEM_NAME="${domain}.pem"
  7. #
  8. # Defines the name of the PEM file.
  9. # Defaults to "<domain>.pem"
  10. #
  11. # export DEPLOY_HAPROXY_PEM_PATH="/etc/haproxy"
  12. #
  13. # Defines location of PEM file for HAProxy.
  14. # Defaults to /etc/haproxy
  15. #
  16. # export DEPLOY_HAPROXY_RELOAD="systemctl reload haproxy"
  17. #
  18. # OPTIONAL: Reload command used post deploy
  19. # This defaults to be a no-op (ie "true").
  20. # It is strongly recommended to set this something that makes sense
  21. # for your distro.
  22. #
  23. # export DEPLOY_HAPROXY_ISSUER="no"
  24. #
  25. # OPTIONAL: Places CA file as "${DEPLOY_HAPROXY_PEM}.issuer"
  26. # Note: Required for OCSP stapling to work
  27. #
  28. # export DEPLOY_HAPROXY_BUNDLE="no"
  29. #
  30. # OPTIONAL: Deploy this certificate as part of a multi-cert bundle
  31. # This adds a suffix to the certificate based on the certificate type
  32. # eg RSA certificates will have .rsa as a suffix to the file name
  33. # HAProxy will load all certificates and provide one or the other
  34. # depending on client capabilities
  35. # Note: This functionality requires HAProxy was compiled against
  36. # a version of OpenSSL that supports this.
  37. #
  38. ######## Public functions #####################
  39. #domain keyfile certfile cafile fullchain
  40. haproxy_deploy() {
  41. _cdomain="$1"
  42. _ckey="$2"
  43. _ccert="$3"
  44. _cca="$4"
  45. _cfullchain="$5"
  46. # Some defaults
  47. DEPLOY_HAPROXY_PEM_PATH_DEFAULT="/etc/haproxy"
  48. DEPLOY_HAPROXY_PEM_NAME_DEFAULT="${_cdomain}.pem"
  49. DEPLOY_HAPROXY_BUNDLE_DEFAULT="no"
  50. DEPLOY_HAPROXY_ISSUER_DEFAULT="no"
  51. DEPLOY_HAPROXY_RELOAD_DEFAULT="true"
  52. if [ -f "${DOMAIN_CONF}" ]; then
  53. # shellcheck disable=SC1090
  54. . "${DOMAIN_CONF}"
  55. fi
  56. _debug _cdomain "${_cdomain}"
  57. _debug _ckey "${_ckey}"
  58. _debug _ccert "${_ccert}"
  59. _debug _cca "${_cca}"
  60. _debug _cfullchain "${_cfullchain}"
  61. # PEM_PATH is optional. If not provided then assume "${DEPLOY_HAPROXY_PEM_PATH_DEFAULT}"
  62. if [ -n "${DEPLOY_HAPROXY_PEM_PATH}" ]; then
  63. Le_Deploy_haproxy_pem_path="${DEPLOY_HAPROXY_PEM_PATH}"
  64. _savedomainconf Le_Deploy_haproxy_pem_path "${Le_Deploy_haproxy_pem_path}"
  65. elif [ -z "${Le_Deploy_haproxy_pem_path}" ]; then
  66. Le_Deploy_haproxy_pem_path="${DEPLOY_HAPROXY_PEM_PATH_DEFAULT}"
  67. fi
  68. # Ensure PEM_PATH exists
  69. if [ -d "${Le_Deploy_haproxy_pem_path}" ]; then
  70. _debug "PEM_PATH ${Le_Deploy_haproxy_pem_path} exists"
  71. else
  72. _err "PEM_PATH ${Le_Deploy_haproxy_pem_path} does not exist"
  73. return 1
  74. fi
  75. # PEM_NAME is optional. If not provided then assume "${DEPLOY_HAPROXY_PEM_NAME_DEFAULT}"
  76. if [ -n "${DEPLOY_HAPROXY_PEM_NAME}" ]; then
  77. Le_Deploy_haproxy_pem_name="${DEPLOY_HAPROXY_PEM_NAME}"
  78. _savedomainconf Le_Deploy_haproxy_pem_name "${Le_Deploy_haproxy_pem_name}"
  79. elif [ -z "${Le_Deploy_haproxy_pem_name}" ]; then
  80. Le_Deploy_haproxy_pem_name="${DEPLOY_HAPROXY_PEM_NAME_DEFAULT}"
  81. fi
  82. # BUNDLE is optional. If not provided then assume "${DEPLOY_HAPROXY_BUNDLE_DEFAULT}"
  83. if [ -n "${DEPLOY_HAPROXY_BUNDLE}" ]; then
  84. Le_Deploy_haproxy_bundle="${DEPLOY_HAPROXY_BUNDLE}"
  85. _savedomainconf Le_Deploy_haproxy_bundle "${Le_Deploy_haproxy_bundle}"
  86. elif [ -z "${Le_Deploy_haproxy_bundle}" ]; then
  87. Le_Deploy_haproxy_bundle="${DEPLOY_HAPROXY_BUNDLE_DEFAULT}"
  88. fi
  89. # ISSUER is optional. If not provided then assume "${DEPLOY_HAPROXY_ISSUER_DEFAULT}"
  90. if [ -n "${DEPLOY_HAPROXY_ISSUER}" ]; then
  91. Le_Deploy_haproxy_issuer="${DEPLOY_HAPROXY_ISSUER}"
  92. _savedomainconf Le_Deploy_haproxy_issuer "${Le_Deploy_haproxy_issuer}"
  93. elif [ -z "${Le_Deploy_haproxy_issuer}" ]; then
  94. Le_Deploy_haproxy_issuer="${DEPLOY_HAPROXY_ISSUER_DEFAULT}"
  95. fi
  96. # RELOAD is optional. If not provided then assume "${DEPLOY_HAPROXY_RELOAD_DEFAULT}"
  97. if [ -n "${DEPLOY_HAPROXY_RELOAD}" ]; then
  98. Le_Deploy_haproxy_reload="${DEPLOY_HAPROXY_RELOAD}"
  99. _savedomainconf Le_Deploy_haproxy_reload "${Le_Deploy_haproxy_reload}"
  100. elif [ -z "${Le_Deploy_haproxy_reload}" ]; then
  101. Le_Deploy_haproxy_reload="${DEPLOY_HAPROXY_RELOAD_DEFAULT}"
  102. fi
  103. # Set the suffix depending if we are creating a bundle or not
  104. if [ "${Le_Deploy_haproxy_bundle}" = "yes" ]; then
  105. _info "Bundle creation requested"
  106. # Initialise $Le_Keylength if its not already set
  107. if [ -z "${Le_Keylength}" ]; then
  108. Le_Keylength=""
  109. fi
  110. if _isEccKey "${Le_Keylength}"; then
  111. _info "ECC key type detected"
  112. _suffix=".ecdsa"
  113. else
  114. _info "RSA key type detected"
  115. _suffix=".rsa"
  116. fi
  117. else
  118. _suffix=""
  119. fi
  120. _debug _suffix "${_suffix}"
  121. # Set variables for later
  122. _pem="${Le_Deploy_haproxy_pem_path}/${Le_Deploy_haproxy_pem_name}${_suffix}"
  123. _issuer="${_pem}.issuer"
  124. _ocsp="${_pem}.ocsp"
  125. _reload="${Le_Deploy_haproxy_reload}"
  126. _info "Deploying PEM file"
  127. # Create a temporary PEM file
  128. _temppem="$(_mktemp)"
  129. _debug _temppem "${_temppem}"
  130. cat "${_ckey}" "${_ccert}" "${_cca}" >"${_temppem}"
  131. _ret="$?"
  132. # Check that we could create the temporary file
  133. if [ "${_ret}" != "0" ]; then
  134. _err "Error code ${_ret} returned during PEM file creation"
  135. [ -f "${_temppem}" ] && rm -f "${_temppem}"
  136. return ${_ret}
  137. fi
  138. # Move PEM file into place
  139. _info "Moving new certificate into place"
  140. _debug _pem "${_pem}"
  141. cat "${_temppem}" >"${_pem}"
  142. _ret=$?
  143. # Clean up temp file
  144. [ -f "${_temppem}" ] && rm -f "${_temppem}"
  145. # Deal with any failure of moving PEM file into place
  146. if [ "${_ret}" != "0" ]; then
  147. _err "Error code ${_ret} returned while moving new certificate into place"
  148. return ${_ret}
  149. fi
  150. # Update .issuer file if requested
  151. if [ "${Le_Deploy_haproxy_issuer}" = "yes" ]; then
  152. _info "Updating .issuer file"
  153. _debug _issuer "${_issuer}"
  154. cat "${_cca}" >"${_issuer}"
  155. _ret="$?"
  156. if [ "${_ret}" != "0" ]; then
  157. _err "Error code ${_ret} returned while copying issuer/CA certificate into place"
  158. return ${_ret}
  159. fi
  160. else
  161. [ -f "${_issuer}" ] && _err "Issuer file update not requested but .issuer file exists"
  162. fi
  163. # Update .ocsp file if certificate was requested with --ocsp/--ocsp-must-staple option
  164. if [ -z "${Le_OCSP_Staple}" ]; then
  165. Le_OCSP_Staple="0"
  166. fi
  167. if [ "${Le_OCSP_Staple}" = "1" ]; then
  168. _info "Updating OCSP stapling info"
  169. _debug _ocsp "${_ocsp}"
  170. _info "Extracting OCSP URL"
  171. _ocsp_url=$(openssl x509 -noout -ocsp_uri -in "${_pem}")
  172. _debug _ocsp_url "${_ocsp_url}"
  173. # Only process OCSP if URL was present
  174. if [ "${_ocsp_url}" != "" ]; then
  175. # Extract the hostname from the OCSP URL
  176. _info "Extracting OCSP URL"
  177. _ocsp_host=$(echo "${_ocsp_url}" | cut -d/ -f3)
  178. _debug _ocsp_host "${_ocsp_host}"
  179. # Only process the certificate if we have a .issuer file
  180. if [ -r "${_issuer}" ]; then
  181. # Check if issuer cert is also a root CA cert
  182. _subjectdn=$(openssl x509 -in "${_issuer}" -subject -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)
  183. _debug _subjectdn "${_subjectdn}"
  184. _issuerdn=$(openssl x509 -in "${_issuer}" -issuer -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)
  185. _debug _issuerdn "${_issuerdn}"
  186. _info "Requesting OCSP response"
  187. # Request the OCSP response from the issuer and store it
  188. if [ "${_subjectdn}" = "${_issuerdn}" ]; then
  189. # If the issuer is a CA cert then our command line has "-CAfile" added
  190. openssl ocsp \
  191. -issuer "${_issuer}" \
  192. -cert "${_pem}" \
  193. -url "${_ocsp_url}" \
  194. -header Host "${_ocsp_host}" \
  195. -respout "${_ocsp}" \
  196. -verify_other "${_issuer}" \
  197. -no_nonce \
  198. -CAfile "${_issuer}" \
  199. | grep -q "${_pem}: good"
  200. _ret=$?
  201. else
  202. # Issuer is not a root CA so no "-CAfile" option
  203. openssl ocsp \
  204. -issuer "${_issuer}" \
  205. -cert "${_pem}" \
  206. -url "${_ocsp_url}" \
  207. -header Host "${_ocsp_host}" \
  208. -respout "${_ocsp}" \
  209. -verify_other "${_issuer}" \
  210. -no_nonce \
  211. | grep -q "${_pem}: good"
  212. _ret=$?
  213. fi
  214. else
  215. # Non fatal: No issuer file was present so no OCSP stapling file created
  216. _err "OCSP stapling in use but no .issuer file was present"
  217. fi
  218. else
  219. # Non fatal: No OCSP url was found int the certificate
  220. _err "OCSP update requested but no OCSP URL was found in certificate"
  221. fi
  222. # Non fatal: Check return code of openssl command
  223. if [ "${_ret}" != "0" ]; then
  224. _err "Updating OCSP stapling failed with return code ${_ret}"
  225. fi
  226. else
  227. # An OCSP file was already present but certificate did not have OCSP extension
  228. if [ -f "${_ocsp}" ]; then
  229. _err "OCSP was not requested but .ocsp file exists."
  230. # Could remove the file at this step, although HAProxy just ignores it in this case
  231. # rm -f "${_ocsp}" || _err "Problem removing stale .ocsp file"
  232. fi
  233. fi
  234. # Reload HAProxy
  235. _debug _reload "${_reload}"
  236. eval "${_reload}"
  237. _ret=$?
  238. if [ "${_ret}" != "0" ]; then
  239. _err "Error code ${_ret} during reload"
  240. return ${_ret}
  241. else
  242. _info "Reload successful"
  243. fi
  244. return 0
  245. }