Deploy tool is not working as expected for HAProxy

[podguzovvasily]

Steps to reproduce

I got the certificate from letsencrypt for HAproxy using the commands:

1. acme.sh --issue -d www.my-domain.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please --server letsencrypt --log --force --renew
2. DEPLOY_HAPROXY_HOT_UPDATE=yes DEPLOY_HAPROXY_STATS_SOCKET=/var/run/haproxy/admin.sock DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs acme.sh --deploy -d www.my-domain.com --deploy-hook haproxy

Everything works, but when I scan the certificate with the ssllabs tool, I see a score of b and the message that "This server's certificate chain is incomplete. Grade capped to B."

It looks like the deploy tool is not working as expected. Please help.

\

[github-actions[bot]]

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

[podguzovvasily]

Upgrade acme.sh --upgrade was successfull

log with --debug 2:

root@HAProxy:~# sudo -u acme -s acme@HAProxy:/root$ DEPLOY_HAPROXY_HOT_UPDATE=yes DEPLOY_HAPROXY_STATS_SOCKET=/var/run/haproxy/admin.sock DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs acme.sh --deploy -d www.basil-student.ru --deploy-hook haproxy --debug 2 [Fri Sep 8 07:47:46 UTC 2023] Lets find script dir. [Fri Sep 8 07:47:46 UTC 2023] SCRIPT='/usr/local/bin/acme.sh' [Fri Sep 8 07:47:46 UTC 2023] _script='/usr/local/share/acme.sh/acme.sh' [Fri Sep 8 07:47:46 UTC 2023] _script_home='/usr/local/share/acme.sh' [Fri Sep 8 07:47:46 UTC 2023] Using default home:/var/lib/acme/.acme.sh [Fri Sep 8 07:47:46 UTC 2023] Using config home:/var/lib/acme/.acme.sh [Fri Sep 8 07:47:46 UTC 2023] LE_WORKING_DIR='/var/lib/acme/.acme.sh' https://github.com/acmesh-official/acme.sh v3.0.7 [Fri Sep 8 07:47:46 UTC 2023] Running cmd: deploy [Fri Sep 8 07:47:46 UTC 2023] Using config home:/var/lib/acme/.acme.sh [Fri Sep 8 07:47:46 UTC 2023] default_acme_server [Fri Sep 8 07:47:46 UTC 2023] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90' [Fri Sep 8 07:47:46 UTC 2023] _ACME_SERVER_HOST='acme.zerossl.com' [Fri Sep 8 07:47:46 UTC 2023] _ACME_SERVER_PATH='v2/DV90' [Fri Sep 8 07:47:46 UTC 2023] The domain 'www.basil-student.ru' seems to have a ECC cert already, lets use ecc cert. [Fri Sep 8 07:47:46 UTC 2023] DOMAIN_PATH='/var/lib/acme/.acme.sh/www.basil-student.ru_ecc' [Fri Sep 8 07:47:46 UTC 2023] DOMAIN_CONF='/var/lib/acme/.acme.sh/www.basil-student.ru_ecc/www.basil-student.ru.conf' [Fri Sep 8 07:47:46 UTC 2023] _deployApi='/usr/local/share/acme.sh/deploy/haproxy.sh' [Fri Sep 8 07:47:46 UTC 2023] _cdomain='www.basil-student.ru' [Fri Sep 8 07:47:46 UTC 2023] _ckey='/var/lib/acme/.acme.sh/www.basil-student.ru_ecc/www.basil-student.ru.key' [Fri Sep 8 07:47:46 UTC 2023] _ccert='/var/lib/acme/.acme.sh/www.basil-student.ru_ecc/www.basil-student.ru.cer' [Fri Sep 8 07:47:46 UTC 2023] _cca='/var/lib/acme/.acme.sh/www.basil-student.ru_ecc/ca.cer' [Fri Sep 8 07:47:46 UTC 2023] _cfullchain='/var/lib/acme/.acme.sh/www.basil-student.ru_ecc/fullchain.cer' [Fri Sep 8 07:47:46 UTC 2023] DEPLOY_HAPROXY_PEM_PATH='/etc/haproxy/certs' [Fri Sep 8 07:47:46 UTC 2023] PEM_PATH /etc/haproxy/certs exists [Fri Sep 8 07:47:46 UTC 2023] DEPLOY_HAPROXY_PEM_NAME [Fri Sep 8 07:47:46 UTC 2023] DEPLOY_HAPROXY_BUNDLE [Fri Sep 8 07:47:46 UTC 2023] DEPLOY_HAPROXY_ISSUER [Fri Sep 8 07:47:46 UTC 2023] DEPLOY_HAPROXY_RELOAD [Fri Sep 8 07:47:46 UTC 2023] DEPLOY_HAPROXY_HOT_UPDATE='yes' [Fri Sep 8 07:47:46 UTC 2023] DEPLOY_HAPROXY_STATS_SOCKET='/var/run/haproxy/admin.sock' [Fri Sep 8 07:47:46 UTC 2023] _suffix [Fri Sep 8 07:47:46 UTC 2023] Deploying PEM file [Fri Sep 8 07:47:46 UTC 2023] _temppem='/tmp/tmp.xWna3SWYbt' [Fri Sep 8 07:47:46 UTC 2023] Moving new certificate into place [Fri Sep 8 07:47:46 UTC 2023] _pem='/etc/haproxy/certs/www.basil-student.ru.pem' [Fri Sep 8 07:47:46 UTC 2023] _socat_cert_cmd='echo 'show ssl cert' | socat /var/run/haproxy/admin.sock - | grep -q '^/etc/haproxy/certs/www.basil-student.ru.pem$'' [Fri Sep 8 07:47:46 UTC 2023] Update existing certificate '/etc/haproxy/certs/www.basil-student.ru.pem' over HAProxy stats socket. [Fri Sep 8 07:47:46 UTC 2023] _socat_cert_set_cmd='echo -e 'set ssl cert /etc/haproxy/certs/www.basil-student.ru.pem <<\n-----BEGIN EC PRIVATE KEY----- MHcCAQEEIKqkk1rZcu4/tD-fYh6SrLX8QBzWyIpRyUhJkgItok6YoAoGCCqGSM49 AwEHoUQDQgAEj7fUB56An-/SwBPDwKm0+c2Jx4VPhak5YMMGYUr76vY+Ky8KYPg5 pJrhobIEtMkTLzltcjGGFmB62kuRK6NJsw== -----END EC PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIIEKzCCAxOgAwIBAgISAzj66JRu4kEof8HV5WFLXCYUMA0GCSqGSIb3DQEBCwUA MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD EwJSMzAeFw0yMzA5MDcxOTU4NTlaFw0yMzEyMDYxOTU4NThaMB8xHTAbBgNVBAMT FHd3dy5iYXNpbC1zdHVkZW50LnJ1MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE j7fUB56An+/SwBPDwKm0+c2Jx4VPhak5YMMGYUr76vY+Ky8KYPg5pJrhobIEtMkT LzltcjGGFmB62kuRK6NJs6OCAhcwggITMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUE FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU 7YTHC4vH+mYMqKnErt/6UCkLDaAwHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+v nYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMuby5s ZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8wHwYD VR0RBBgwFoIUd3d3LmJhc2lsLXN0dWRlbnQucnUwEwYDVR0gBAwwCjAIBgZngQwB AgEwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdwC3Pvsk35xNunXyOcW6WPRsXfxC z3qfNcSeHQmBJe20mQAAAYpxcObdAAAEAwBIMEYCIQDTvwFLYf5mGR5ums/lTDp9 HcYXUFLpKJZTMBsghbvrIAIhANpw4vbURKQjTy7HXGO/HJ/Y1xPMXLmb6MHhQjq8 Y4+yAHYArfe++nz/EMiLnT2cHj4YarRnKV3PsQwkyoWGNOvcgooAAAGKcXDnGQAA BAMARzBFAiAo+XZm+T1RJo7Oi8gtJULkH9woMXSmHh+WvKUPIknACwIhAKqRZP7g isAo6/3gvjWERnuhe6LpvnVcRl+n0Ix5EskxMA0GCSqGSIb3DQEBCwUAA4IBAQCv 8PzPvzYLWZyGsSM49/pYNnTRxsV9uEvNrBxh8eHDVnzPW/BILUMvv/0uI56GXQsi PZpoF7eIOC+Ug5faii36e9ALgPjEavodI6b/mgTZjpFy9AazXudaLSFPSAHiWfcj +Ryn7TPgv97wLInWGQGG8TIHQAxXl86BkWW+mn1iP1IW7vlAotrk5Eiyd6XLKZgS GReEqU1wUXsiB/4eoMhuPijVXLUYvg8L/4DnqlLKzzkGjhBEwXmAuAxyMRmH2huX 4hrZVdBH0LXOZ0GHyep7BVXp/XDomcxVexOHBb9wC6WE5lpc2GRayEf/i6lWAqDB WEvzOOrqH9hxJeNeOmRe -----END CERTIFICATE-----

-----BEGIN CERTIFICATE----- MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG /kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX nLRbwHOoq7hHwg== -----END CERTIFICATE-----

-----BEGIN CERTIFICATE----- MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK 4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx +tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC 5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW 9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 -----END CERTIFICATE-----\n' | socat 'UNIX:/var/run/haproxy/admin.sock' - | grep -q 'Transaction created'' 2023/09/08 07:47:46 socat[32371] E write(1, 0x55a1dbf4a000, 683): Broken pipe [Fri Sep 8 07:47:46 UTC 2023] _socat_cert_commit_cmd='echo 'commit ssl cert /etc/haproxy/certs/www.basil-student.ru.pem' | socat 'UNIX:/var/run/haproxy/admin.sock' - | grep -q '^Success!$'' [Fri Sep 8 07:47:46 UTC 2023] Success

[podguzovvasily]

Yesterday I resolved that. Private key from combined certificate pem file must be at the end of the file, not in start. https://serversforhackers.com/c/letsencrypt-with-haproxy

[wlallemand]

That's not your problem, your problem is that the haproxy CLI uses an empty line as the end of the payload. So It will be closed at the first empty line. It look likes you are using https://github.com/acmesh-official/acme.sh/pull/4581 and not the current acme.sh deploy script, I will update the PR.

[wlallemand]

Just pushed an update to be compatible with this case.

[jhjadmin]

Hi,

for me, the in place deployment of certificate renewals (letsencrypt) is not working anymore (so I think since end of last week). Same error, certificate chain incomplete. After restarting haproxy service, everything works as usual. This is reproduceable: Just renew certificate (with --force) and deploy without restarting haproxy service > Check ssllabs for incomplete certificate chain > restart haproxy service > check ssllabs for complete certificate chain

acme version: 3.0.7 haproxy version: 2.8.4

[wlallemand]

@jhjadmin what do you mean by "in place" deployment? are you using #4581? what is your acme.sh configuration?

[wlallemand]

The DEPLOY_HAPROXY_HOT_UPDATE and DEPLOY_HAPROXY_STATS_SOCKET variables are not official options of acme.sh, they are part of the mentioned Pull Request.

[jhjadmin]

@jhjadmin what do you mean by "in place" deployment? are you using #4581? what is your acme.sh configuration?

Yes, I mean that PR, so probably this is the wrong place here to discuss. :-)

And I use this as described here: https://www.haproxy.com/blog/haproxy-and-let-s-encrypt

[wlallemand]

@jhjadmin the latest documentation is available here https://github.com/haproxy/wiki/wiki/Letsencrypt-integration-with-HAProxy-and-acme.sh but that's slightly the same. Could you please update the deploy/haproxy.sh file and try again ?

curl https://raw.githubusercontent.com/haproxy/haproxy/master/admin/acme.sh/haproxy.sh > /usr/local/share/acme.sh/deploy/haproxy.sh

Please share your output with --debug 2 (by removing the base64 which contains your private key).

[jhjadmin]

Thank you very much, updating the deploy script seems to work. No restart of haproxy service with complete certificate chain now.

But anyway the output of the deploy command:

[Mo 4. Dez 12:16:47 CET 2023] _is_idn_d='example.org'
[Mo 4. Dez 12:16:47 CET 2023] _idn_temp
[Mo 4. Dez 12:16:47 CET 2023] Lets find script dir.
[Mo 4. Dez 12:16:47 CET 2023] _SCRIPT_='/usr/local/bin/acme.sh'
[Mo 4. Dez 12:16:47 CET 2023] _script='/usr/local/share/acme.sh/acme.sh'
[Mo 4. Dez 12:16:47 CET 2023] _script_home='/usr/local/share/acme.sh'
[Mo 4. Dez 12:16:47 CET 2023] Using default home:/var/lib/acme/.acme.sh
[Mo 4. Dez 12:16:47 CET 2023] Using config home:/var/lib/acme/.acme.sh
[Mo 4. Dez 12:16:47 CET 2023] LE_WORKING_DIR='/var/lib/acme/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.0.7
[Mo 4. Dez 12:16:47 CET 2023] Running cmd: deploy
[Mo 4. Dez 12:16:47 CET 2023] Using config home:/var/lib/acme/.acme.sh
[Mo 4. Dez 12:16:47 CET 2023] default_acme_server
[Mo 4. Dez 12:16:47 CET 2023] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Mo 4. Dez 12:16:47 CET 2023] _ACME_SERVER_HOST='acme.zerossl.com'
[Mo 4. Dez 12:16:47 CET 2023] _ACME_SERVER_PATH='v2/DV90'
[Mo 4. Dez 12:16:47 CET 2023] The domain 'example.org' seems to have a ECC cert already, lets use ecc cert.
[Mo 4. Dez 12:16:47 CET 2023] DOMAIN_PATH='/var/lib/acme/.acme.sh/example.org_ecc'
[Mo 4. Dez 12:16:47 CET 2023] DOMAIN_CONF='/var/lib/acme/.acme.sh/example.org_ecc/example.org.conf'
[Mo 4. Dez 12:16:47 CET 2023] _deployApi='/usr/local/share/acme.sh/deploy/haproxy.sh'
[Mo 4. Dez 12:16:47 CET 2023] _cdomain='example.org'
[Mo 4. Dez 12:16:47 CET 2023] _ckey='/var/lib/acme/.acme.sh/example.org_ecc/example.org.key'
[Mo 4. Dez 12:16:47 CET 2023] _ccert='/var/lib/acme/.acme.sh/example.org_ecc/example.org.cer'
[Mo 4. Dez 12:16:48 CET 2023] _cca='/var/lib/acme/.acme.sh/example.org_ecc/ca.cer'
[Mo 4. Dez 12:16:48 CET 2023] _cfullchain='/var/lib/acme/.acme.sh/example.org_ecc/fullchain.cer'
[Mo 4. Dez 12:16:48 CET 2023] DEPLOY_HAPROXY_PEM_PATH='/etc/haproxy/certs'
[Mo 4. Dez 12:16:48 CET 2023] PEM_PATH /etc/haproxy/certs exists
[Mo 4. Dez 12:16:48 CET 2023] DEPLOY_HAPROXY_PEM_NAME
[Mo 4. Dez 12:16:48 CET 2023] DEPLOY_HAPROXY_BUNDLE
[Mo 4. Dez 12:16:48 CET 2023] DEPLOY_HAPROXY_ISSUER
[Mo 4. Dez 12:16:48 CET 2023] DEPLOY_HAPROXY_RELOAD
[Mo 4. Dez 12:16:48 CET 2023] DEPLOY_HAPROXY_HOT_UPDATE='yes'
[Mo 4. Dez 12:16:48 CET 2023] DEPLOY_HAPROXY_STATS_SOCKET='/var/run/haproxy/admin.sock'
[Mo 4. Dez 12:16:48 CET 2023] DEPLOY_HAPROXY_MASTER_CLI
[Mo 4. Dez 12:16:48 CET 2023] _suffix
[Mo 4. Dez 12:16:48 CET 2023] Deploying PEM file
[Mo 4. Dez 12:16:48 CET 2023] _temppem='/tmp/tmp.P20ANk1dDR'
[Mo 4. Dez 12:16:48 CET 2023] Moving new certificate into place
[Mo 4. Dez 12:16:48 CET 2023] _pem='/etc/haproxy/certs/example.org.pem'
[Mo 4. Dez 12:16:48 CET 2023] _socat_cert_cmd='echo 'show ssl cert' | socat '/var/run/haproxy/admin.sock' - | grep -q '^/etc/haproxy/certs/example.org.pem$''
[Mo 4. Dez 12:16:48 CET 2023] Update existing certificate '/etc/haproxy/certs/example.org.pem' over HAProxy stats socket.
[Mo 4. Dez 12:16:48 CET 2023] _socat_cert_set_cmd='echo -e 'set ssl cert /etc/haproxy/certs/example.org.pem <<\n-----BEGIN CERTIFICATE-----
snip
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
snip
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
snip
-----END CERTIFICATE-----
-----BEGIN EC PRIVATE KEY-----
snip
-----END EC PRIVATE KEY-----\n' | socat '/var/run/haproxy/admin.sock' - | grep -q 'Transaction created''
[Mo 4. Dez 12:16:48 CET 2023] _socat_cert_commit_cmd='echo 'commit ssl cert /etc/haproxy/certs/example.org.pem' | socat '/var/run/haproxy/admin.sock' - | grep -q '^Success!$''
[Mo 4. Dez 12:16:48 CET 2023] Success

[wlallemand]

@jhjadmin okay, thanks, good to know! @podguzovvasily do you still have problems with your deployment?