From baed1214f2691b3614a1b2ec78df3ed414202491 Mon Sep 17 00:00:00 2001
From: Alex Vandiver
Date: Tue, 10 May 2022 15:25:23 -0700
Subject: [PATCH] puppet: Only fix certbot certificates if https is enabled.

This is a reprise of c97162e48572, but for the case where certbot certs are no longer in use by way of enabling `http_only` and letting another server handle TLS termination.

Fixes: #22034.
---
 puppet/zulip/manifests/profile/app_frontend.pp | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/puppet/zulip/manifests/profile/app_frontend.pp b/puppet/zulip/manifests/profile/app_frontend.pp
index 1a1519273b..42242a4fff 100644
--- a/puppet/zulip/manifests/profile/app_frontend.pp
+++ b/puppet/zulip/manifests/profile/app_frontend.pp
@@ -60,14 +60,16 @@ class zulip::profile::app_frontend {
 source => 'puppet:///modules/zulip/letsencrypt/nginx-deploy-hook.sh',
 require => Package[certbot],
 }
- exec { 'fix-standalone-certbot':
- onlyif => @(EOT),
- test -L /etc/ssl/certs/zulip.combined-chain.crt &&
- readlink /etc/ssl/certs/zulip.combined-chain.crt | grep -q /etc/letsencrypt/live/ &&
- test -d /etc/letsencrypt/renewal &&
- grep -qx "authenticator = standalone" /etc/letsencrypt/renewal/*.conf
- | EOT
- command => "${::zulip_scripts_path}/lib/fix-standalone-certbot",
+ if ! $nginx_http_only {
+ exec { 'fix-standalone-certbot':
+ onlyif => @(EOT),
+ test -L /etc/ssl/certs/zulip.combined-chain.crt &&
+ readlink /etc/ssl/certs/zulip.combined-chain.crt | grep -q /etc/letsencrypt/live/ &&
+ test -d /etc/letsencrypt/renewal &&
+ grep -qx "authenticator = standalone" /etc/letsencrypt/renewal/*.conf
+ | EOT
+ command => "${::zulip_scripts_path}/lib/fix-standalone-certbot",
+ }
 }

 # Restart the server regularly to avoid potential memory leak problems.
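Review bot: The new guard `if ! $nginx_http_only {` depends on a variable assigned outside this hunk, so its type cannot be checked from here. In Puppet 4 and later every string is truthy, including `'false'` and the empty string, so if the setting arrives as a string the negation is always false and the exec is skipped even on hosts that still serve HTTPS with standalone-authenticator certbot certificates; confirm it is a Boolean where it is set. The reason for the guard lives only in the commit message, so I would add a comment directly above it, e.g. `# With http_only, TLS is terminated elsewhere and the certbot certs are unused; do not touch them.` Separately, and unchanged by this commit, the `onlyif` grep matches any file under `/etc/letsencrypt/renewal/*.conf` rather than the renewal config of the certificate the symlink resolves to, which is worth keeping in mind when reasoning about when the fix script runs. The class body starts and ends outside the hunk.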