Closed Ulrar closed 1 year ago
Out of the box there's no built-in way to do it, but you could hack on the udm-le.sh script to cp the certificates it generates to the place(s) you need and run a restart, similar to how we restart unifi-os after a deploy.
Hey,
So it's not my best work, especially since any failure generates an invalid file and makes haproxy crash, but it'll do for now:
# diff /mnt/data/udm-le/udm-le.sh old.sh
--- /mnt/data/udm-le/udm-le.sh
+++ old.sh
@@ -7,8 +7,7 @@
# Setup variables for later
DOCKER_VOLUMES="-v ${UDM_LE_PATH}/lego/:/.lego/"
-LEGO_DEF_ARGS="--dns ${DNS_PROVIDER} --email ${CERT_EMAIL} --key-type rsa2048"
-LEGO_ARGS="${LEGO_DEF_ARGS}"
+LEGO_ARGS="--dns ${DNS_PROVIDER} --email ${CERT_EMAIL} --key-type rsa2048"
NEW_CERT=""
add_captive() {
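Review bot: The diff was generated as `diff udm-le.sh old.sh`, so the modified script is on the `---` side and every line the patch adds shows up as `-`; swap the operands (`diff -u old.sh udm-le.sh`) so the hunks read in the usual direction. Splitting the defaults out into `LEGO_DEF_ARGS` so each per-certificate run can start from a clean argument list is the right move, but a one-line comment above it saying why the two variables exist would save the next reader from folding them back together.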
@@ -33,26 +32,6 @@
fi
}
-haproxy_certs() {
- for CERT in ${HAPROXY_CERTS}
- do
- LEGO_ARGS="${LEGO_DEF_ARGS}"
- MAIN=""
- for DOMAIN in $(echo $CERT | tr "," "\n")
- do
- LEGO_ARGS="${LEGO_ARGS} -d ${DOMAIN}"
- if [ -z "${MAIN}" ]
- then
- MAIN=$DOMAIN
- fi
- done
- ${PODMAN_CMD} ${LEGO_ARGS} $1
- cat ${UDM_LE_PATH}/lego/certificates/${MAIN}.crt > ${HAPROXY_PATH}/${MAIN}.pem
- cat ${UDM_LE_PATH}/lego/certificates/${MAIN}.key >> ${HAPROXY_PATH}/${MAIN}.pem
- done
- podman restart haproxy
-}
-
# Support alternative DNS resolvers
if [ "${DNS_RESOLVERS}" != "" ]; then
LEGO_ARGS="${LEGO_ARGS} --dns.resolvers ${DNS_RESOLVERS}"
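Review bot: The lego invocation on the `${PODMAN_CMD} ${LEGO_ARGS} $1` line is never checked, so when it fails the two `cat` redirections still run and write an empty or cert-only `${MAIN}.pem` over the previous good one, which is exactly the haproxy crash described in the comment; guard it with `|| return 1`, assemble the pem in a temporary file and `mv` it into place only after both the `.crt` and `.key` exist, and because the private key ends up inside the pem, create it under `umask 077` or `chmod 600` it instead of relying on the default umask. Two smaller points in the same hunk: `LEGO_ARGS="${LEGO_DEF_ARGS}"` resets the arguments for each certificate, but the `--dns.resolvers` block right below appends only to `LEGO_ARGS`, so the per-certificate runs silently drop `DNS_RESOLVERS`; and `podman restart haproxy` runs unconditionally, so a renewal pass that changed nothing still restarts the proxy.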
@@ -100,11 +79,11 @@
fi
echo 'Attempting initial certificate generation'
- ${PODMAN_CMD} ${LEGO_ARGS} --accept-tos run && deploy_cert && haproxy_certs "--accept-tos run" && add_captive && unifi-os restart &>/dev/null
+ ${PODMAN_CMD} ${LEGO_ARGS} --accept-tos run && deploy_cert && add_captive && unifi-os restart &>/dev/null
;;
renew)
echo 'Attempting certificate renewal'
- ${PODMAN_CMD} ${LEGO_ARGS} renew --days 60 && deploy_cert && haproxy_certs "renew --days 60"
+ ${PODMAN_CMD} ${LEGO_ARGS} renew --days 60 && deploy_cert
if [ "${NEW_CERT}" = "yes" ]; then
add_captive && unifi-os restart &>/dev/null
fi
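Review bot: In the `run` case `haproxy_certs "--accept-tos run"` sits inside the `&&` chain ahead of `add_captive` and `unifi-os restart`, so a failure issuing any haproxy certificate also skips the restart that makes the UDM pick up its own freshly deployed certificate; move the haproxy step after the UDM steps or run it as a separate statement. In the `renew` case `haproxy_certs "renew --days 60"` re-enters lego once per certificate on every cron run, which is fine for lego's own renewal window but means the unconditional `podman restart haproxy` inside it fires every time instead of only when something changed; the existing `if [ "${NEW_CERT}" = "yes" ]` guard shows the pattern to mirror for haproxy. Passing the lego subcommand as one quoted string and relying on unquoted `$1` to word-split it inside the function works, but it is fragile enough to deserve a comment.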
As long as nothing fails, this does the trick perfectly; I might try to make it a bit cleaner later. Thanks
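The failure mode the comment above points out (a failed run leaving an invalid pem that haproxy will not load) is what the following does differently. This is an added example, not code from udm-le or from the patch; it covers only the copy/verify/restart half of the job and assumes lego has already written `<first-domain>.crt` and `<first-domain>.key` into its certificates directory (lego names its output after the first `-d` domain). The paths in the usage comment and the `RESTART_CMD` override are hypothetical.

```sh
#!/bin/sh
# Added example, not code from udm-le or from the patch above. Only the
# copy/verify/restart half: lego is assumed to have already produced
# <first-domain>.crt and <first-domain>.key. Paths and RESTART_CMD are
# hypothetical.

# True when the file is non-empty and carries the expected PEM BEGIN marker.
# $1 = file, $2 = "CERTIFICATE" or "PRIVATE KEY". Not a parser, just a guard
# against installing an empty or half-written file into haproxy's cert dir.
pem_has_block() {
    [ -s "$1" ] && grep -q -e "-----BEGIN .*$2-----" "$1"
}

# Build pem $3 from cert $1 and key $2. Returns 0 when a new or changed pem was
# installed, 2 when the existing pem was already identical, 1 on any error;
# on error $3 is left exactly as it was, so haproxy keeps a loadable file.
install_haproxy_pem() {
    crt=$1; key=$2; dest=$3
    pem_has_block "$crt" "CERTIFICATE" || { echo "bad or missing cert: $crt" >&2; return 1; }
    pem_has_block "$key" "PRIVATE KEY" || { echo "bad or missing key: $key" >&2; return 1; }
    # Assemble in a temp file in the target directory so the final mv is an
    # atomic rename; mktemp creates it 0600, which matters because the private
    # key ends up inside the pem.
    tmp=$(mktemp "$(dirname "$dest")/.pem.XXXXXX") || return 1
    if ! cat "$crt" "$key" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 600 "$tmp"
    if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"
        return 2
    fi
    mv -f "$tmp" "$dest"
}

# Same loop shape as the patch: $3 is HAPROXY_CERTS, a space-separated list of
# comma-separated domain groups, and the first domain of each group names the
# pem. $1 = lego certificates dir, $2 = haproxy cert dir. Restarts haproxy only
# when at least one pem actually changed; returns 0 if it restarted, 2 if
# nothing changed, 1 if any certificate was bad (and then does not restart).
deploy_haproxy_certs() {
    changed=0
    for group in $3; do
        main=${group%%,*}
        st=0
        install_haproxy_pem "$1/$main.crt" "$1/$main.key" "$2/$main.pem" || st=$?
        case $st in
            0) changed=1 ;;
            1) return 1 ;;
        esac
    done
    [ "$changed" = 1 ] || return 2
    # RESTART_CMD exists only so the function can be exercised without podman.
    ${RESTART_CMD:-podman restart haproxy}
}

# Usage on the UDM (the haproxy directory is a hypothetical value of HAPROXY_PATH):
#   deploy_haproxy_certs /mnt/data/udm-le/lego/certificates /mnt/data/haproxy/certs "$HAPROXY_CERTS"
```

The return codes are deliberate: the caller can `&&` on 0 to chain the restart, treat 2 as "nothing to do", and on 1 know that the old pem is still in place and haproxy was not touched.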
I'm going to close this out -- I don't feel that it really falls within the scope of what I think udm-le is for. If you'd like more certificates for use elsewhere on your network, just use lego to generate as many as you want elsewhere as there's effectively no limit to how many you can make.
Hi,
I've just moved my haproxy instance directly onto my UDM Pro, using udm-utilities. For now I've copy-pasted my certificates directory manually, but I wonder if there's a way to use udm-le to handle renewing them automatically?
Basically, in addition to generating and installing a certificate for the UDM, it would also need to generate some .pem files in a given directory, and ideally run
podman restart haproxy
afterwards. Thanks