Commit Graph

31 Commits (b82f6801cd24f647510355f1818da2b1368c56a9)

Author SHA1 Message Date
William Lallemand 7e320d2748 haproxy: don't leak private keys when doing --debug
It was reported in issue #6267 that the private key was leaked when
using the DEPLOY_HAPROXY_HOT_UPDATE=yes feature.

Indeed, the debugging code which sends commands to HAProxy was using
_debug even when passing the private key.

This patch fixes the issue by using _secure_debug when doing that.
2025-03-11 12:04:59 +01:00
neil 2728d2aa6e fix format 2024-03-18 21:09:49 +01:00
William Lallemand e09d45c844 haproxy: don't use '*' in the filename for wildcard domain
By default acme.sh uses the '*' character in the filename for wildcard.
That can be confusing within HAProxy since the * character in front of a
filename in the stat socket is used to specify an uncommitted
transaction.

This patch replaces the '*' by a '_' in the filename.
This is only done when using the default filename; the name can still be
forced with an asterisk.
2023-12-01 15:35:31 +01:00
William Lallemand 36fc321096 haproxy: use the master CLI for hot update
DEPLOY_HAPROXY_MASTER_CLI allows using the HAProxy master CLI instead
of a stats socket for DEPLOY_HAPROXY_HOT_UPDATE="yes"

The syntax of the master CLI is slightly different: a prefix with the
process number needs to be added before any command.

This patch uses ${_cmdpfx} in front of every socat command, which is
filled when the master CLI is used.
2023-11-30 15:22:51 +01:00
William Lallemand 98a7a01dbb haproxy: deploy script can add a new certificate over the stats socket
DEPLOY_HAPROXY_HOT_UPDATE="yes" now allows adding a new certificate
within HAProxy instead of updating an existing one.

In order to work, the ${DEPLOY_HAPROXY_PEM_PATH} value must be used as a
parameter to the "crt" keyword in the haproxy configuration.

The patch uses the following commands over HAProxy stats socket:
- show ssl cert
- new ssl cert
- set ssl cert
- commit ssl cert
- add ssl crt-list
2023-11-30 14:00:44 +01:00
William Lallemand 0f7be90500 haproxy: deploy script can update existing certificate over stats socket
Since version 2.2, HAProxy is able to update certificates dynamically,
without a reload.

This patch uses socat to push the certificate into HAProxy in order to
achieve hot update. With this method, reloading is not required.
This should be used only to update an existing certificate in haproxy.

2 new variables are available:

- DEPLOY_HAPROXY_HOT_UPDATE="yes" update over the stats socket instead
  of reloading

- DEPLOY_HAPROXY_STATS_SOCKET="UNIX:/run/haproxy/admin.sock" set the path on
  the stats socket.
2023-11-30 14:00:44 +01:00
William Lallemand 7aaf4432d4 haproxy: sanitize the PEM in the deploy script
Sanitize the PEM of the haproxy deploy script by removing the '\n', this
way it could be injected directly over the CLI.
2023-11-30 14:00:41 +01:00
podguzovvasily 8ca5ca6594
Update haproxy.sh
resolved issue with HAProxy https://github.com/acmesh-official/acme.sh/issues/4788
according to https://serversforhackers.com/c/letsencrypt-with-haproxy
2023-10-24 16:58:47 +03:00
Glenn Strauss 8419b42e83 use ${ACME_OPENSSL_BIN:-openssl} instead of openssl
(requested by @Neilpang in #3687)
2021-09-30 19:00:39 -04:00
Glenn Strauss c43c711f72 use _getdeployconf instead of sourcing DOMAIN_CONF
(requested by @Neilpang in #3394)

github: closes #3394
2021-09-01 16:37:10 -04:00
Felix Bünemann cf5952f508
fix haproxy deploy hook ocsp update
fixes ocsp response update failing with `Responder Error: unauthorized (6)`
by removing `-no_nonce` switch from `openssl ocsp` command.
2020-05-02 22:14:21 +02:00
xpac1985 e184a1b9e6
haproxy deploy script now compatible with OpenSSL v1.1+

The OpenSSL OCSP request for haproxy deployment breaks from OpenSSL v1.1.0 on.
The format of the `-header` option has been changed and now contains a `=` instead of a whitespace.
Other projects have hit the same issue:
https://github.com/nghttp2/nghttp2/issues/742

This commit determines the OpenSSL/LibreSSL version and then adjusts the request accordingly.
Also removed the duplicate command line and added some more debug output.
2020-02-20 23:28:55 +01:00
neilpang 1a126b700f fix https://github.com/Neilpang/acme.sh/issues/2252 2019-05-08 22:13:33 +08:00
andrewheberle 454c90820d
Actually set reload default 2018-09-28 08:57:13 +08:00
andrewheberle 31d9ba7e02
Change default for reload 2018-09-28 08:45:18 +08:00
andrewheberle 8d348954a7
Whitespace 2018-05-14 13:22:46 +08:00
andrewheberle 7d19d784df
Update cert suffix for bundles .ocsp generation 2018-05-14 13:16:56 +08:00
andrewheberle 733b4e0a34
Fix Le_Keylength case 2018-05-14 11:26:03 +08:00
andrewheberle 08d29a8342
Fix return from reload 2018-05-14 10:58:46 +08:00
andrewheberle ba20af48d3
Support HAPROXY_DEPLOY_PEM_PATH
Adds compatibility to original haproxy deploy hook while still allowing custom PEM file name (via HAPROXY_DEPLOY_PEM_NAME)
2018-05-10 15:25:28 +08:00
andrewheberle 707e053949
whitespace fixes 2018-05-10 12:18:03 +08:00
andrewheberle c47e67e52c
Fix variable name 2018-05-10 12:06:25 +08:00
andrewheberle 6567bb4c12
Update haproxy deploy hook
Add functionality to add OCSP stapling info (.ocsp file), issuer (.issuer file) and multi-cert bundles (suffix on pem file based on key type).

This also corrects the order of key, certificate and intermediate in the PEM file, which, although HAProxy does not seem to care, was incorrect in the prior version.
2018-05-10 11:51:59 +08:00
Daniel Watrous afe5cb588d
update for POSIX compliance 2018-05-04 10:25:54 -05:00
Daniel Watrous e9e999542d
add reload 2018-05-04 10:14:31 -05:00
Daniel Watrous 5f593994c7
remove more whitespace (trying to get TravisCI working) 2018-05-03 12:25:11 -05:00
Daniel Watrous ec73aeba16
remove whitespace 2018-05-03 12:17:26 -05:00
Daniel Watrous 7573e560b6
Add conditional check to ensure path is provided 2018-05-03 10:06:05 -05:00
Daniel Watrous 360dc140ea
implement basic haproxy deploy
HAProxy requires the certificate chain and key to be concatenated and placed somewhere (can be anywhere). This script expects a single environment variable with the path where the concatenated PEM file should be written
2018-05-03 01:28:56 -05:00
neilpang f845b371ce fix format 2017-02-19 20:40:53 +08:00
neilpang 3a1bd3114b add hooks, not implemented yet. 2017-02-19 20:35:32 +08:00