cloud-hosting-platform/haproxy-manager-base
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ecf891ff02790b3a21df7c753ccb211cda5408ea
haproxy-manager-base/scripts/renew-certificates.sh
Josh Knapp ecf891ff02
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 2m11s
Details
Don't abort cert renewal when a single domain fails 
The renewal script was exiting immediately when certbot returned a
non-zero exit code, which happens when ANY cert fails to renew. A
single dead domain (e.g., DNS no longer pointed here) would block
ALL other certificates from being processed and combined for HAProxy.

Now logs the failures but continues to copy/combine successfully
renewed certificates and reload HAProxy.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 15:17:15 -07:00

90 lines
2.8 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
# Certificate Renewal Script for HAProxy Manager
# This script runs certbot renew and copies certificates to HAProxy format
# Configuration
LOG_FILE="${LOG_FILE:-/var/log/haproxy-manager.log}"
ERROR_LOG_FILE="${ERROR_LOG_FILE:-/var/log/haproxy-manager-errors.log}"
DB_FILE="${DB_FILE:-/etc/haproxy/haproxy_config.db}"
SSL_CERTS_DIR="${SSL_CERTS_DIR:-/etc/haproxy/certs}"
# Logging functions
log_info() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] [INFO] $*" | tee -a "$LOG_FILE"
}
log_error() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] [ERROR] $*" | tee -a "$LOG_FILE" >> "$ERROR_LOG_FILE"
}
log_info "Starting certificate renewal process"
# Run certbot renewal — don't exit on failure, some certs may have
# renewed successfully even if others failed (e.g., domain no longer
# pointed here). Continue to copy/combine whatever succeeded.
CERTBOT_OUTPUT=$(certbot renew --no-random-sleep-on-renew 2>&1)
CERTBOT_EXIT=$?
if [ $CERTBOT_EXIT -eq 0 ]; then
log_info "Certbot renewal completed successfully"
else
log_error "Certbot renewal had failures (exit code $CERTBOT_EXIT):"
# Log the specific failures
echo "$CERTBOT_OUTPUT" | grep -E "Failed to renew|failure" | while read -r line; do
log_error " $line"
done
log_info "Continuing to process successfully renewed certificates..."
fi
# Copy all certificates to HAProxy format
# Ensure SSL certs directory exists
mkdir -p "$SSL_CERTS_DIR"
# Get all SSL-enabled domains from database
DOMAINS=$(find /etc/letsencrypt/live/ -mindepth 1 -maxdepth 1 -type d -printf '%f\n')
if [ -z "$DOMAINS" ]; then
log_info "No SSL-enabled domains found"
exit 0
fi
# Copy certificates for each domain
UPDATED=0
FAILED=0
while read -r domain; do
CERT_FILE="/etc/letsencrypt/live/${domain}/fullchain.pem"
KEY_FILE="/etc/letsencrypt/live/${domain}/privkey.pem"
COMBINED_FILE="${SSL_CERTS_DIR}/${domain}.pem"
if [ -f "$CERT_FILE" ] && [ -f "$KEY_FILE" ]; then
# Combine cert and key into single file for HAProxy
if cat "$CERT_FILE" "$KEY_FILE" > "$COMBINED_FILE"; then
log_info "Updated certificate for $domain"
UPDATED=$((UPDATED + 1))
else
log_error "Failed to combine certificate for $domain"
FAILED=$((FAILED + 1))
fi
else
log_error "Certificate files not found for $domain"
FAILED=$((FAILED + 1))
fi
done <<< "$DOMAINS"
log_info "Certificate update completed: $UPDATED updated, $FAILED failed"
# Reload HAProxy if any certificates were updated
if [ $UPDATED -gt 0 ]; then
if echo "reload" | socat stdio /tmp/haproxy-cli 2>/dev/null; then
log_info "HAProxy reloaded successfully"
else
log_error "Failed to reload HAProxy"
exit 1
fi
fi
log_info "Certificate renewal process completed"
exit 0
Reference in New Issue View Git Blame Copy Permalink