mirror of https://github.com/zulip/zulip.git
puppet: Only fix certbot certificates if https is enabled.
This is a reprise of c97162e485
, but for the case where certbot
certs are no longer in use by way of enabling `http_only` and letting
another server handle TLS termination.
Fixes: #22034.
This commit is contained in:
parent
62f234328d
commit
baed1214f2
|
@ -60,14 +60,16 @@ class zulip::profile::app_frontend {
|
||||||
source => 'puppet:///modules/zulip/letsencrypt/nginx-deploy-hook.sh',
|
source => 'puppet:///modules/zulip/letsencrypt/nginx-deploy-hook.sh',
|
||||||
require => Package[certbot],
|
require => Package[certbot],
|
||||||
}
|
}
|
||||||
exec { 'fix-standalone-certbot':
|
if ! $nginx_http_only {
|
||||||
onlyif => @(EOT),
|
exec { 'fix-standalone-certbot':
|
||||||
test -L /etc/ssl/certs/zulip.combined-chain.crt &&
|
onlyif => @(EOT),
|
||||||
readlink /etc/ssl/certs/zulip.combined-chain.crt | grep -q /etc/letsencrypt/live/ &&
|
test -L /etc/ssl/certs/zulip.combined-chain.crt &&
|
||||||
test -d /etc/letsencrypt/renewal &&
|
readlink /etc/ssl/certs/zulip.combined-chain.crt | grep -q /etc/letsencrypt/live/ &&
|
||||||
grep -qx "authenticator = standalone" /etc/letsencrypt/renewal/*.conf
|
test -d /etc/letsencrypt/renewal &&
|
||||||
| EOT
|
grep -qx "authenticator = standalone" /etc/letsencrypt/renewal/*.conf
|
||||||
command => "${::zulip_scripts_path}/lib/fix-standalone-certbot",
|
| EOT
|
||||||
|
command => "${::zulip_scripts_path}/lib/fix-standalone-certbot",
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# Restart the server regularly to avoid potential memory leak problems.
|
# Restart the server regularly to avoid potential memory leak problems.
|
||||||
|
|
Loading…
Reference in New Issue