cloud-hosting-platform/haproxy-manager-base
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1d22d789b85ce95260ce0e15f1ce16b3327b30a0
haproxy-manager-base/scripts/renew-certificates.sh

88 lines
2.4 KiB
Bash
Raw Normal View History

Fix certificate renewal cron job and add host-side scheduling - Fixed crontab permissions (600) and ownership for proper cron execution - Added PATH environment variable to crontab to prevent command not found issues - Created dedicated renewal script with comprehensive logging and error handling - Added retry logic (3 attempts) for HAProxy reload with socket health checks - Implemented host-side renewal script for external cron scheduling via docker exec - Added crontab configuration examples for various renewal schedules - Updated README with detailed certificate renewal documentation This resolves issues where the cron job would not run or hang during execution. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-28 17:36:48 -07:00
#!/usr/bin/env bash
# Certificate Renewal Script for HAProxy Manager
Simplify certificate renewal scripts and add certbot cleanup Simplified all certificate renewal scripts to be more straightforward and reliable: - Scripts now just run certbot renew and copy cert+key files to HAProxy format - Removed overly complex retry logic and error handling - Both in-container and host-side scripts work with cron scheduling Added automatic certbot cleanup when domains are removed: - When a domain is deleted via API, certbot certificate is also removed - Prevents renewal errors for domains that no longer exist in HAProxy - Cleans up both HAProxy combined cert and Let's Encrypt certificate Script changes: - renew-certificates.sh: Simplified to 87 lines (from 215) - sync-certificates.sh: Simplified to 79 lines (from 200+) - host-renew-certificates.sh: Simplified to 36 lines (from 40) - All scripts use same pattern: query DB, copy certs, reload HAProxy Python changes: - remove_domain() now calls 'certbot delete' to remove certificates - Prevents orphaned certificates from causing renewal failures 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 09:56:56 -08:00
# This script runs certbot renew and copies certificates to HAProxy format
Fix certificate renewal cron job and add host-side scheduling - Fixed crontab permissions (600) and ownership for proper cron execution - Added PATH environment variable to crontab to prevent command not found issues - Created dedicated renewal script with comprehensive logging and error handling - Added retry logic (3 attempts) for HAProxy reload with socket health checks - Implemented host-side renewal script for external cron scheduling via docker exec - Added crontab configuration examples for various renewal schedules - Updated README with detailed certificate renewal documentation This resolves issues where the cron job would not run or hang during execution. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-28 17:36:48 -07:00
set -e
# Configuration
LOG_FILE="${LOG_FILE:-/var/log/haproxy-manager.log}"
ERROR_LOG_FILE="${ERROR_LOG_FILE:-/var/log/haproxy-manager-errors.log}"
Fix certificate renewal to properly update HAProxy combined certificate files After certbot renews certificates, the separate fullchain.pem and privkey.pem files must be combined into a single .pem file for HAProxy. The renewal script was missing this critical step, causing HAProxy to continue using old certificates. Changes: - Add update_combined_certificates() function to renew-certificates.sh - Query database for all SSL-enabled domains - Combine Let's Encrypt cert + key files using cat (matches haproxy_manager.py pattern) - Always update combined certs after renewal, even if certbot says no renewal needed - Add new sync-certificates.sh script for syncing all existing certificates - Smart update detection in sync script (only updates when source is newer) This ensures HAProxy always gets properly formatted certificate files after renewal. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-11 20:10:58 -08:00
DB_FILE="${DB_FILE:-/etc/haproxy/haproxy_config.db}"
SSL_CERTS_DIR="${SSL_CERTS_DIR:-/etc/haproxy/certs}"
Fix certificate renewal cron job and add host-side scheduling - Fixed crontab permissions (600) and ownership for proper cron execution - Added PATH environment variable to crontab to prevent command not found issues - Created dedicated renewal script with comprehensive logging and error handling - Added retry logic (3 attempts) for HAProxy reload with socket health checks - Implemented host-side renewal script for external cron scheduling via docker exec - Added crontab configuration examples for various renewal schedules - Updated README with detailed certificate renewal documentation This resolves issues where the cron job would not run or hang during execution. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-28 17:36:48 -07:00
# Logging functions
log_info() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] [INFO] $*" | tee -a "$LOG_FILE"
}
log_error() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] [ERROR] $*" | tee -a "$LOG_FILE" >> "$ERROR_LOG_FILE"
}
Simplify certificate renewal scripts and add certbot cleanup Simplified all certificate renewal scripts to be more straightforward and reliable: - Scripts now just run certbot renew and copy cert+key files to HAProxy format - Removed overly complex retry logic and error handling - Both in-container and host-side scripts work with cron scheduling Added automatic certbot cleanup when domains are removed: - When a domain is deleted via API, certbot certificate is also removed - Prevents renewal errors for domains that no longer exist in HAProxy - Cleans up both HAProxy combined cert and Let's Encrypt certificate Script changes: - renew-certificates.sh: Simplified to 87 lines (from 215) - sync-certificates.sh: Simplified to 79 lines (from 200+) - host-renew-certificates.sh: Simplified to 36 lines (from 40) - All scripts use same pattern: query DB, copy certs, reload HAProxy Python changes: - remove_domain() now calls 'certbot delete' to remove certificates - Prevents orphaned certificates from causing renewal failures 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 09:56:56 -08:00
log_info "Starting certificate renewal process"
Fix certificate renewal cron job and add host-side scheduling - Fixed crontab permissions (600) and ownership for proper cron execution - Added PATH environment variable to crontab to prevent command not found issues - Created dedicated renewal script with comprehensive logging and error handling - Added retry logic (3 attempts) for HAProxy reload with socket health checks - Implemented host-side renewal script for external cron scheduling via docker exec - Added crontab configuration examples for various renewal schedules - Updated README with detailed certificate renewal documentation This resolves issues where the cron job would not run or hang during execution. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-28 17:36:48 -07:00
Simplify certificate renewal scripts and add certbot cleanup Simplified all certificate renewal scripts to be more straightforward and reliable: - Scripts now just run certbot renew and copy cert+key files to HAProxy format - Removed overly complex retry logic and error handling - Both in-container and host-side scripts work with cron scheduling Added automatic certbot cleanup when domains are removed: - When a domain is deleted via API, certbot certificate is also removed - Prevents renewal errors for domains that no longer exist in HAProxy - Cleans up both HAProxy combined cert and Let's Encrypt certificate Script changes: - renew-certificates.sh: Simplified to 87 lines (from 215) - sync-certificates.sh: Simplified to 79 lines (from 200+) - host-renew-certificates.sh: Simplified to 36 lines (from 40) - All scripts use same pattern: query DB, copy certs, reload HAProxy Python changes: - remove_domain() now calls 'certbot delete' to remove certificates - Prevents orphaned certificates from causing renewal failures 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 09:56:56 -08:00
# Run certbot renewal
if certbot renew --quiet --no-random-sleep-on-renew; then
log_info "Certbot renewal completed"
else
log_error "Certbot renewal failed with exit code $?"
Fix certificate renewal cron job and add host-side scheduling - Fixed crontab permissions (600) and ownership for proper cron execution - Added PATH environment variable to crontab to prevent command not found issues - Created dedicated renewal script with comprehensive logging and error handling - Added retry logic (3 attempts) for HAProxy reload with socket health checks - Implemented host-side renewal script for external cron scheduling via docker exec - Added crontab configuration examples for various renewal schedules - Updated README with detailed certificate renewal documentation This resolves issues where the cron job would not run or hang during execution. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-28 17:36:48 -07:00
exit 1
fi
Simplify certificate renewal scripts and add certbot cleanup Simplified all certificate renewal scripts to be more straightforward and reliable: - Scripts now just run certbot renew and copy cert+key files to HAProxy format - Removed overly complex retry logic and error handling - Both in-container and host-side scripts work with cron scheduling Added automatic certbot cleanup when domains are removed: - When a domain is deleted via API, certbot certificate is also removed - Prevents renewal errors for domains that no longer exist in HAProxy - Cleans up both HAProxy combined cert and Let's Encrypt certificate Script changes: - renew-certificates.sh: Simplified to 87 lines (from 215) - sync-certificates.sh: Simplified to 79 lines (from 200+) - host-renew-certificates.sh: Simplified to 36 lines (from 40) - All scripts use same pattern: query DB, copy certs, reload HAProxy Python changes: - remove_domain() now calls 'certbot delete' to remove certificates - Prevents orphaned certificates from causing renewal failures 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 09:56:56 -08:00
# Copy all certificates to HAProxy format
if [ ! -f "$DB_FILE" ]; then
log_error "Database file not found at $DB_FILE"
exit 1
fi
Fix certificate renewal to properly update HAProxy combined certificate files After certbot renews certificates, the separate fullchain.pem and privkey.pem files must be combined into a single .pem file for HAProxy. The renewal script was missing this critical step, causing HAProxy to continue using old certificates. Changes: - Add update_combined_certificates() function to renew-certificates.sh - Query database for all SSL-enabled domains - Combine Let's Encrypt cert + key files using cat (matches haproxy_manager.py pattern) - Always update combined certs after renewal, even if certbot says no renewal needed - Add new sync-certificates.sh script for syncing all existing certificates - Smart update detection in sync script (only updates when source is newer) This ensures HAProxy always gets properly formatted certificate files after renewal. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-11 20:10:58 -08:00
Simplify certificate renewal scripts and add certbot cleanup Simplified all certificate renewal scripts to be more straightforward and reliable: - Scripts now just run certbot renew and copy cert+key files to HAProxy format - Removed overly complex retry logic and error handling - Both in-container and host-side scripts work with cron scheduling Added automatic certbot cleanup when domains are removed: - When a domain is deleted via API, certbot certificate is also removed - Prevents renewal errors for domains that no longer exist in HAProxy - Cleans up both HAProxy combined cert and Let's Encrypt certificate Script changes: - renew-certificates.sh: Simplified to 87 lines (from 215) - sync-certificates.sh: Simplified to 79 lines (from 200+) - host-renew-certificates.sh: Simplified to 36 lines (from 40) - All scripts use same pattern: query DB, copy certs, reload HAProxy Python changes: - remove_domain() now calls 'certbot delete' to remove certificates - Prevents orphaned certificates from causing renewal failures 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 09:56:56 -08:00
# Ensure SSL certs directory exists
mkdir -p "$SSL_CERTS_DIR"
Fix certificate renewal to properly update HAProxy combined certificate files After certbot renews certificates, the separate fullchain.pem and privkey.pem files must be combined into a single .pem file for HAProxy. The renewal script was missing this critical step, causing HAProxy to continue using old certificates. Changes: - Add update_combined_certificates() function to renew-certificates.sh - Query database for all SSL-enabled domains - Combine Let's Encrypt cert + key files using cat (matches haproxy_manager.py pattern) - Always update combined certs after renewal, even if certbot says no renewal needed - Add new sync-certificates.sh script for syncing all existing certificates - Smart update detection in sync script (only updates when source is newer) This ensures HAProxy always gets properly formatted certificate files after renewal. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-11 20:10:58 -08:00
Simplify certificate renewal scripts and add certbot cleanup Simplified all certificate renewal scripts to be more straightforward and reliable: - Scripts now just run certbot renew and copy cert+key files to HAProxy format - Removed overly complex retry logic and error handling - Both in-container and host-side scripts work with cron scheduling Added automatic certbot cleanup when domains are removed: - When a domain is deleted via API, certbot certificate is also removed - Prevents renewal errors for domains that no longer exist in HAProxy - Cleans up both HAProxy combined cert and Let's Encrypt certificate Script changes: - renew-certificates.sh: Simplified to 87 lines (from 215) - sync-certificates.sh: Simplified to 79 lines (from 200+) - host-renew-certificates.sh: Simplified to 36 lines (from 40) - All scripts use same pattern: query DB, copy certs, reload HAProxy Python changes: - remove_domain() now calls 'certbot delete' to remove certificates - Prevents orphaned certificates from causing renewal failures 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 09:56:56 -08:00
# Get all SSL-enabled domains from database
DOMAINS=$(sqlite3 "$DB_FILE" "SELECT domain FROM domains WHERE ssl_enabled = 1;" 2>/dev/null)
Fix certificate renewal to properly update HAProxy combined certificate files After certbot renews certificates, the separate fullchain.pem and privkey.pem files must be combined into a single .pem file for HAProxy. The renewal script was missing this critical step, causing HAProxy to continue using old certificates. Changes: - Add update_combined_certificates() function to renew-certificates.sh - Query database for all SSL-enabled domains - Combine Let's Encrypt cert + key files using cat (matches haproxy_manager.py pattern) - Always update combined certs after renewal, even if certbot says no renewal needed - Add new sync-certificates.sh script for syncing all existing certificates - Smart update detection in sync script (only updates when source is newer) This ensures HAProxy always gets properly formatted certificate files after renewal. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-11 20:10:58 -08:00
Simplify certificate renewal scripts and add certbot cleanup Simplified all certificate renewal scripts to be more straightforward and reliable: - Scripts now just run certbot renew and copy cert+key files to HAProxy format - Removed overly complex retry logic and error handling - Both in-container and host-side scripts work with cron scheduling Added automatic certbot cleanup when domains are removed: - When a domain is deleted via API, certbot certificate is also removed - Prevents renewal errors for domains that no longer exist in HAProxy - Cleans up both HAProxy combined cert and Let's Encrypt certificate Script changes: - renew-certificates.sh: Simplified to 87 lines (from 215) - sync-certificates.sh: Simplified to 79 lines (from 200+) - host-renew-certificates.sh: Simplified to 36 lines (from 40) - All scripts use same pattern: query DB, copy certs, reload HAProxy Python changes: - remove_domain() now calls 'certbot delete' to remove certificates - Prevents orphaned certificates from causing renewal failures 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 09:56:56 -08:00
if [ -z "$DOMAINS" ]; then
log_info "No SSL-enabled domains found"
exit 0
fi
Fix certificate renewal to properly update HAProxy combined certificate files After certbot renews certificates, the separate fullchain.pem and privkey.pem files must be combined into a single .pem file for HAProxy. The renewal script was missing this critical step, causing HAProxy to continue using old certificates. Changes: - Add update_combined_certificates() function to renew-certificates.sh - Query database for all SSL-enabled domains - Combine Let's Encrypt cert + key files using cat (matches haproxy_manager.py pattern) - Always update combined certs after renewal, even if certbot says no renewal needed - Add new sync-certificates.sh script for syncing all existing certificates - Smart update detection in sync script (only updates when source is newer) This ensures HAProxy always gets properly formatted certificate files after renewal. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-11 20:10:58 -08:00
Simplify certificate renewal scripts and add certbot cleanup Simplified all certificate renewal scripts to be more straightforward and reliable: - Scripts now just run certbot renew and copy cert+key files to HAProxy format - Removed overly complex retry logic and error handling - Both in-container and host-side scripts work with cron scheduling Added automatic certbot cleanup when domains are removed: - When a domain is deleted via API, certbot certificate is also removed - Prevents renewal errors for domains that no longer exist in HAProxy - Cleans up both HAProxy combined cert and Let's Encrypt certificate Script changes: - renew-certificates.sh: Simplified to 87 lines (from 215) - sync-certificates.sh: Simplified to 79 lines (from 200+) - host-renew-certificates.sh: Simplified to 36 lines (from 40) - All scripts use same pattern: query DB, copy certs, reload HAProxy Python changes: - remove_domain() now calls 'certbot delete' to remove certificates - Prevents orphaned certificates from causing renewal failures 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 09:56:56 -08:00
# Copy certificates for each domain
UPDATED=0
FAILED=0
Fix certificate renewal to properly update HAProxy combined certificate files After certbot renews certificates, the separate fullchain.pem and privkey.pem files must be combined into a single .pem file for HAProxy. The renewal script was missing this critical step, causing HAProxy to continue using old certificates. Changes: - Add update_combined_certificates() function to renew-certificates.sh - Query database for all SSL-enabled domains - Combine Let's Encrypt cert + key files using cat (matches haproxy_manager.py pattern) - Always update combined certs after renewal, even if certbot says no renewal needed - Add new sync-certificates.sh script for syncing all existing certificates - Smart update detection in sync script (only updates when source is newer) This ensures HAProxy always gets properly formatted certificate files after renewal. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-11 20:10:58 -08:00
Simplify certificate renewal scripts and add certbot cleanup Simplified all certificate renewal scripts to be more straightforward and reliable: - Scripts now just run certbot renew and copy cert+key files to HAProxy format - Removed overly complex retry logic and error handling - Both in-container and host-side scripts work with cron scheduling Added automatic certbot cleanup when domains are removed: - When a domain is deleted via API, certbot certificate is also removed - Prevents renewal errors for domains that no longer exist in HAProxy - Cleans up both HAProxy combined cert and Let's Encrypt certificate Script changes: - renew-certificates.sh: Simplified to 87 lines (from 215) - sync-certificates.sh: Simplified to 79 lines (from 200+) - host-renew-certificates.sh: Simplified to 36 lines (from 40) - All scripts use same pattern: query DB, copy certs, reload HAProxy Python changes: - remove_domain() now calls 'certbot delete' to remove certificates - Prevents orphaned certificates from causing renewal failures 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 09:56:56 -08:00
while read -r domain; do
CERT_FILE="/etc/letsencrypt/live/${domain}/fullchain.pem"
KEY_FILE="/etc/letsencrypt/live/${domain}/privkey.pem"
COMBINED_FILE="${SSL_CERTS_DIR}/${domain}.pem"
Fix certificate renewal to properly update HAProxy combined certificate files After certbot renews certificates, the separate fullchain.pem and privkey.pem files must be combined into a single .pem file for HAProxy. The renewal script was missing this critical step, causing HAProxy to continue using old certificates. Changes: - Add update_combined_certificates() function to renew-certificates.sh - Query database for all SSL-enabled domains - Combine Let's Encrypt cert + key files using cat (matches haproxy_manager.py pattern) - Always update combined certs after renewal, even if certbot says no renewal needed - Add new sync-certificates.sh script for syncing all existing certificates - Smart update detection in sync script (only updates when source is newer) This ensures HAProxy always gets properly formatted certificate files after renewal. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-11 20:10:58 -08:00
Simplify certificate renewal scripts and add certbot cleanup Simplified all certificate renewal scripts to be more straightforward and reliable: - Scripts now just run certbot renew and copy cert+key files to HAProxy format - Removed overly complex retry logic and error handling - Both in-container and host-side scripts work with cron scheduling Added automatic certbot cleanup when domains are removed: - When a domain is deleted via API, certbot certificate is also removed - Prevents renewal errors for domains that no longer exist in HAProxy - Cleans up both HAProxy combined cert and Let's Encrypt certificate Script changes: - renew-certificates.sh: Simplified to 87 lines (from 215) - sync-certificates.sh: Simplified to 79 lines (from 200+) - host-renew-certificates.sh: Simplified to 36 lines (from 40) - All scripts use same pattern: query DB, copy certs, reload HAProxy Python changes: - remove_domain() now calls 'certbot delete' to remove certificates - Prevents orphaned certificates from causing renewal failures 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 09:56:56 -08:00
if [ -f "$CERT_FILE" ] && [ -f "$KEY_FILE" ]; then
# Combine cert and key into single file for HAProxy
if cat "$CERT_FILE" "$KEY_FILE" > "$COMBINED_FILE"; then
log_info "Updated certificate for $domain"
UPDATED=$((UPDATED + 1))
Fix certificate renewal to properly update HAProxy combined certificate files After certbot renews certificates, the separate fullchain.pem and privkey.pem files must be combined into a single .pem file for HAProxy. The renewal script was missing this critical step, causing HAProxy to continue using old certificates. Changes: - Add update_combined_certificates() function to renew-certificates.sh - Query database for all SSL-enabled domains - Combine Let's Encrypt cert + key files using cat (matches haproxy_manager.py pattern) - Always update combined certs after renewal, even if certbot says no renewal needed - Add new sync-certificates.sh script for syncing all existing certificates - Smart update detection in sync script (only updates when source is newer) This ensures HAProxy always gets properly formatted certificate files after renewal. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-11 20:10:58 -08:00
else
Simplify certificate renewal scripts and add certbot cleanup Simplified all certificate renewal scripts to be more straightforward and reliable: - Scripts now just run certbot renew and copy cert+key files to HAProxy format - Removed overly complex retry logic and error handling - Both in-container and host-side scripts work with cron scheduling Added automatic certbot cleanup when domains are removed: - When a domain is deleted via API, certbot certificate is also removed - Prevents renewal errors for domains that no longer exist in HAProxy - Cleans up both HAProxy combined cert and Let's Encrypt certificate Script changes: - renew-certificates.sh: Simplified to 87 lines (from 215) - sync-certificates.sh: Simplified to 79 lines (from 200+) - host-renew-certificates.sh: Simplified to 36 lines (from 40) - All scripts use same pattern: query DB, copy certs, reload HAProxy Python changes: - remove_domain() now calls 'certbot delete' to remove certificates - Prevents orphaned certificates from causing renewal failures 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 09:56:56 -08:00
log_error "Failed to combine certificate for $domain"
FAILED=$((FAILED + 1))
Fix certificate renewal to properly update HAProxy combined certificate files After certbot renews certificates, the separate fullchain.pem and privkey.pem files must be combined into a single .pem file for HAProxy. The renewal script was missing this critical step, causing HAProxy to continue using old certificates. Changes: - Add update_combined_certificates() function to renew-certificates.sh - Query database for all SSL-enabled domains - Combine Let's Encrypt cert + key files using cat (matches haproxy_manager.py pattern) - Always update combined certs after renewal, even if certbot says no renewal needed - Add new sync-certificates.sh script for syncing all existing certificates - Smart update detection in sync script (only updates when source is newer) This ensures HAProxy always gets properly formatted certificate files after renewal. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-11 20:10:58 -08:00
fi
Simplify certificate renewal scripts and add certbot cleanup Simplified all certificate renewal scripts to be more straightforward and reliable: - Scripts now just run certbot renew and copy cert+key files to HAProxy format - Removed overly complex retry logic and error handling - Both in-container and host-side scripts work with cron scheduling Added automatic certbot cleanup when domains are removed: - When a domain is deleted via API, certbot certificate is also removed - Prevents renewal errors for domains that no longer exist in HAProxy - Cleans up both HAProxy combined cert and Let's Encrypt certificate Script changes: - renew-certificates.sh: Simplified to 87 lines (from 215) - sync-certificates.sh: Simplified to 79 lines (from 200+) - host-renew-certificates.sh: Simplified to 36 lines (from 40) - All scripts use same pattern: query DB, copy certs, reload HAProxy Python changes: - remove_domain() now calls 'certbot delete' to remove certificates - Prevents orphaned certificates from causing renewal failures 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 09:56:56 -08:00
else
log_error "Certificate files not found for $domain"
FAILED=$((FAILED + 1))
Fix certificate renewal to properly update HAProxy combined certificate files After certbot renews certificates, the separate fullchain.pem and privkey.pem files must be combined into a single .pem file for HAProxy. The renewal script was missing this critical step, causing HAProxy to continue using old certificates. Changes: - Add update_combined_certificates() function to renew-certificates.sh - Query database for all SSL-enabled domains - Combine Let's Encrypt cert + key files using cat (matches haproxy_manager.py pattern) - Always update combined certs after renewal, even if certbot says no renewal needed - Add new sync-certificates.sh script for syncing all existing certificates - Smart update detection in sync script (only updates when source is newer) This ensures HAProxy always gets properly formatted certificate files after renewal. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-11 20:10:58 -08:00
fi
Simplify certificate renewal scripts and add certbot cleanup Simplified all certificate renewal scripts to be more straightforward and reliable: - Scripts now just run certbot renew and copy cert+key files to HAProxy format - Removed overly complex retry logic and error handling - Both in-container and host-side scripts work with cron scheduling Added automatic certbot cleanup when domains are removed: - When a domain is deleted via API, certbot certificate is also removed - Prevents renewal errors for domains that no longer exist in HAProxy - Cleans up both HAProxy combined cert and Let's Encrypt certificate Script changes: - renew-certificates.sh: Simplified to 87 lines (from 215) - sync-certificates.sh: Simplified to 79 lines (from 200+) - host-renew-certificates.sh: Simplified to 36 lines (from 40) - All scripts use same pattern: query DB, copy certs, reload HAProxy Python changes: - remove_domain() now calls 'certbot delete' to remove certificates - Prevents orphaned certificates from causing renewal failures 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 09:56:56 -08:00
done <<< "$DOMAINS"
Fix certificate renewal to properly update HAProxy combined certificate files After certbot renews certificates, the separate fullchain.pem and privkey.pem files must be combined into a single .pem file for HAProxy. The renewal script was missing this critical step, causing HAProxy to continue using old certificates. Changes: - Add update_combined_certificates() function to renew-certificates.sh - Query database for all SSL-enabled domains - Combine Let's Encrypt cert + key files using cat (matches haproxy_manager.py pattern) - Always update combined certs after renewal, even if certbot says no renewal needed - Add new sync-certificates.sh script for syncing all existing certificates - Smart update detection in sync script (only updates when source is newer) This ensures HAProxy always gets properly formatted certificate files after renewal. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-11 20:10:58 -08:00
Simplify certificate renewal scripts and add certbot cleanup Simplified all certificate renewal scripts to be more straightforward and reliable: - Scripts now just run certbot renew and copy cert+key files to HAProxy format - Removed overly complex retry logic and error handling - Both in-container and host-side scripts work with cron scheduling Added automatic certbot cleanup when domains are removed: - When a domain is deleted via API, certbot certificate is also removed - Prevents renewal errors for domains that no longer exist in HAProxy - Cleans up both HAProxy combined cert and Let's Encrypt certificate Script changes: - renew-certificates.sh: Simplified to 87 lines (from 215) - sync-certificates.sh: Simplified to 79 lines (from 200+) - host-renew-certificates.sh: Simplified to 36 lines (from 40) - All scripts use same pattern: query DB, copy certs, reload HAProxy Python changes: - remove_domain() now calls 'certbot delete' to remove certificates - Prevents orphaned certificates from causing renewal failures 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 09:56:56 -08:00
log_info "Certificate update completed: $UPDATED updated, $FAILED failed"
Fix certificate renewal cron job and add host-side scheduling - Fixed crontab permissions (600) and ownership for proper cron execution - Added PATH environment variable to crontab to prevent command not found issues - Created dedicated renewal script with comprehensive logging and error handling - Added retry logic (3 attempts) for HAProxy reload with socket health checks - Implemented host-side renewal script for external cron scheduling via docker exec - Added crontab configuration examples for various renewal schedules - Updated README with detailed certificate renewal documentation This resolves issues where the cron job would not run or hang during execution. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-28 17:36:48 -07:00
Simplify certificate renewal scripts and add certbot cleanup Simplified all certificate renewal scripts to be more straightforward and reliable: - Scripts now just run certbot renew and copy cert+key files to HAProxy format - Removed overly complex retry logic and error handling - Both in-container and host-side scripts work with cron scheduling Added automatic certbot cleanup when domains are removed: - When a domain is deleted via API, certbot certificate is also removed - Prevents renewal errors for domains that no longer exist in HAProxy - Cleans up both HAProxy combined cert and Let's Encrypt certificate Script changes: - renew-certificates.sh: Simplified to 87 lines (from 215) - sync-certificates.sh: Simplified to 79 lines (from 200+) - host-renew-certificates.sh: Simplified to 36 lines (from 40) - All scripts use same pattern: query DB, copy certs, reload HAProxy Python changes: - remove_domain() now calls 'certbot delete' to remove certificates - Prevents orphaned certificates from causing renewal failures 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 09:56:56 -08:00
# Reload HAProxy if any certificates were updated
if [ $UPDATED -gt 0 ]; then
if echo "reload" | socat stdio /tmp/haproxy-cli 2>/dev/null; then
log_info "HAProxy reloaded successfully"
Fix certificate renewal cron job and add host-side scheduling - Fixed crontab permissions (600) and ownership for proper cron execution - Added PATH environment variable to crontab to prevent command not found issues - Created dedicated renewal script with comprehensive logging and error handling - Added retry logic (3 attempts) for HAProxy reload with socket health checks - Implemented host-side renewal script for external cron scheduling via docker exec - Added crontab configuration examples for various renewal schedules - Updated README with detailed certificate renewal documentation This resolves issues where the cron job would not run or hang during execution. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-28 17:36:48 -07:00
else
Simplify certificate renewal scripts and add certbot cleanup Simplified all certificate renewal scripts to be more straightforward and reliable: - Scripts now just run certbot renew and copy cert+key files to HAProxy format - Removed overly complex retry logic and error handling - Both in-container and host-side scripts work with cron scheduling Added automatic certbot cleanup when domains are removed: - When a domain is deleted via API, certbot certificate is also removed - Prevents renewal errors for domains that no longer exist in HAProxy - Cleans up both HAProxy combined cert and Let's Encrypt certificate Script changes: - renew-certificates.sh: Simplified to 87 lines (from 215) - sync-certificates.sh: Simplified to 79 lines (from 200+) - host-renew-certificates.sh: Simplified to 36 lines (from 40) - All scripts use same pattern: query DB, copy certs, reload HAProxy Python changes: - remove_domain() now calls 'certbot delete' to remove certificates - Prevents orphaned certificates from causing renewal failures 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 09:56:56 -08:00
log_error "Failed to reload HAProxy"
exit 1
Fix certificate renewal cron job and add host-side scheduling - Fixed crontab permissions (600) and ownership for proper cron execution - Added PATH environment variable to crontab to prevent command not found issues - Created dedicated renewal script with comprehensive logging and error handling - Added retry logic (3 attempts) for HAProxy reload with socket health checks - Implemented host-side renewal script for external cron scheduling via docker exec - Added crontab configuration examples for various renewal schedules - Updated README with detailed certificate renewal documentation This resolves issues where the cron job would not run or hang during execution. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-28 17:36:48 -07:00
fi
fi
log_info "Certificate renewal process completed"
exit 0
Reference in New Issue Copy Permalink