Deploy tool is not working as expected for HAProxy #4788

Open
podguzovvasily opened this issue Sep 7, 2023 · 12 comments

@podguzovvasily
Contributor

Steps to reproduce

I got the certificate from Let's Encrypt for HAProxy using the commands:

  1. acme.sh --issue -d www.my-domain.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please --server letsencrypt --log --force --renew
  2. DEPLOY_HAPROXY_HOT_UPDATE=yes DEPLOY_HAPROXY_STATS_SOCKET=/var/run/haproxy/admin.sock DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs acme.sh --deploy -d www.my-domain.com --deploy-hook haproxy

Everything works, but when I scan the certificate with the ssllabs tool, I see a score of B and the message "This server's certificate chain is incomplete. Grade capped to B."

It looks like the deploy tool is not working as expected. Please help.


@github-actions

github-actions bot commented Sep 7, 2023

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

@podguzovvasily
Contributor Author

Upgrade acme.sh --upgrade was successful

log with --debug 2:

root@HAProxy:~# sudo -u acme -s
acme@HAProxy:/root$ DEPLOY_HAPROXY_HOT_UPDATE=yes DEPLOY_HAPROXY_STATS_SOCKET=/var/run/haproxy/admin.sock DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs acme.sh --deploy -d www.basil-student.ru --deploy-hook haproxy --debug 2
[Fri Sep 8 07:47:46 UTC 2023] Lets find script dir.
[Fri Sep 8 07:47:46 UTC 2023] SCRIPT='/usr/local/bin/acme.sh'
[Fri Sep 8 07:47:46 UTC 2023] _script='/usr/local/share/acme.sh/acme.sh'
[Fri Sep 8 07:47:46 UTC 2023] _script_home='/usr/local/share/acme.sh'
[Fri Sep 8 07:47:46 UTC 2023] Using default home:/var/lib/acme/.acme.sh
[Fri Sep 8 07:47:46 UTC 2023] Using config home:/var/lib/acme/.acme.sh
[Fri Sep 8 07:47:46 UTC 2023] LE_WORKING_DIR='/var/lib/acme/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.0.7
[Fri Sep 8 07:47:46 UTC 2023] Running cmd: deploy
[Fri Sep 8 07:47:46 UTC 2023] Using config home:/var/lib/acme/.acme.sh
[Fri Sep 8 07:47:46 UTC 2023] default_acme_server
[Fri Sep 8 07:47:46 UTC 2023] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Fri Sep 8 07:47:46 UTC 2023] _ACME_SERVER_HOST='acme.zerossl.com'
[Fri Sep 8 07:47:46 UTC 2023] _ACME_SERVER_PATH='v2/DV90'
[Fri Sep 8 07:47:46 UTC 2023] The domain 'www.basil-student.ru' seems to have a ECC cert already, lets use ecc cert.
[Fri Sep 8 07:47:46 UTC 2023] DOMAIN_PATH='/var/lib/acme/.acme.sh/www.basil-student.ru_ecc'
[Fri Sep 8 07:47:46 UTC 2023] DOMAIN_CONF='/var/lib/acme/.acme.sh/www.basil-student.ru_ecc/www.basil-student.ru.conf'
[Fri Sep 8 07:47:46 UTC 2023] _deployApi='/usr/local/share/acme.sh/deploy/haproxy.sh'
[Fri Sep 8 07:47:46 UTC 2023] _cdomain='www.basil-student.ru'
[Fri Sep 8 07:47:46 UTC 2023] _ckey='/var/lib/acme/.acme.sh/www.basil-student.ru_ecc/www.basil-student.ru.key'
[Fri Sep 8 07:47:46 UTC 2023] _ccert='/var/lib/acme/.acme.sh/www.basil-student.ru_ecc/www.basil-student.ru.cer'
[Fri Sep 8 07:47:46 UTC 2023] _cca='/var/lib/acme/.acme.sh/www.basil-student.ru_ecc/ca.cer'
[Fri Sep 8 07:47:46 UTC 2023] _cfullchain='/var/lib/acme/.acme.sh/www.basil-student.ru_ecc/fullchain.cer'
[Fri Sep 8 07:47:46 UTC 2023] DEPLOY_HAPROXY_PEM_PATH='/etc/haproxy/certs'
[Fri Sep 8 07:47:46 UTC 2023] PEM_PATH /etc/haproxy/certs exists
[Fri Sep 8 07:47:46 UTC 2023] DEPLOY_HAPROXY_PEM_NAME
[Fri Sep 8 07:47:46 UTC 2023] DEPLOY_HAPROXY_BUNDLE
[Fri Sep 8 07:47:46 UTC 2023] DEPLOY_HAPROXY_ISSUER
[Fri Sep 8 07:47:46 UTC 2023] DEPLOY_HAPROXY_RELOAD
[Fri Sep 8 07:47:46 UTC 2023] DEPLOY_HAPROXY_HOT_UPDATE='yes'
[Fri Sep 8 07:47:46 UTC 2023] DEPLOY_HAPROXY_STATS_SOCKET='/var/run/haproxy/admin.sock'
[Fri Sep 8 07:47:46 UTC 2023] _suffix
[Fri Sep 8 07:47:46 UTC 2023] Deploying PEM file
[Fri Sep 8 07:47:46 UTC 2023] _temppem='/tmp/tmp.xWna3SWYbt'
[Fri Sep 8 07:47:46 UTC 2023] Moving new certificate into place
[Fri Sep 8 07:47:46 UTC 2023] _pem='/etc/haproxy/certs/www.basil-student.ru.pem'
[Fri Sep 8 07:47:46 UTC 2023] _socat_cert_cmd='echo 'show ssl cert' | socat /var/run/haproxy/admin.sock - | grep -q '^/etc/haproxy/certs/www.basil-student.ru.pem$''
[Fri Sep 8 07:47:46 UTC 2023] Update existing certificate '/etc/haproxy/certs/www.basil-student.ru.pem' over HAProxy stats socket.
[Fri Sep 8 07:47:46 UTC 2023] _socat_cert_set_cmd='echo -e 'set ssl cert /etc/haproxy/certs/www.basil-student.ru.pem <<\n-----BEGIN EC PRIVATE KEY-----
-----END EC PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----\n' | socat 'UNIX:/var/run/haproxy/admin.sock' - | grep -q 'Transaction created''
2023/09/08 07:47:46 socat[32371] E write(1, 0x55a1dbf4a000, 683): Broken pipe
[Fri Sep 8 07:47:46 UTC 2023] _socat_cert_commit_cmd='echo 'commit ssl cert /etc/haproxy/certs/www.basil-student.ru.pem' | socat 'UNIX:/var/run/haproxy/admin.sock' - | grep -q '^Success!$''
[Fri Sep 8 07:47:46 UTC 2023] Success

@podguzovvasily
Contributor Author

podguzovvasily commented Oct 24, 2023

Yesterday I resolved that. The private key in the combined certificate PEM file must be at the end of the file, not at the start.
https://serversforhackers.com/c/letsencrypt-with-haproxy

@wlallemand
Contributor

That's not your problem, your problem is that the haproxy CLI uses an empty line as the end of the payload.
So it will be closed at the first empty line.
It looks like you are using #4581 and not the current acme.sh deploy script, I will update the PR.
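
The truncation described in the comment above, reproduced offline as an added example (not part of the original thread and not code from acme.sh or HAProxy). The bundle is constructed with placeholder bodies in the same layout as the debug log; the function names are assumptions, and `payload_seen_by_cli` only models the empty-line rule stated above rather than talking to a real stats socket.

```shell
#!/bin/sh
# Constructed bundle: key, leaf, blank line, intermediate, blank line,
# cross-signed root (layout of the debug log). Bodies are placeholders.
sample_bundle() {
  cat <<'EOF'
-----BEGIN EC PRIVATE KEY-----
PLACEHOLDER-KEY
-----END EC PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
PLACEHOLDER-CROSS-SIGNED
-----END CERTIFICATE-----
EOF
}

# Model of the "<<" payload rule: input is kept up to the first empty line.
payload_seen_by_cli() { awk '/^$/ { exit } { print }'; }

# Number of certificate blocks on stdin (prints 0 when there are none).
count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' || true; }

# Drop CRs plus empty and whitespace-only lines so nothing ends the payload early.
strip_blank_lines() { tr -d '\r' | awk 'NF'; }

# Exit 0 only if every certificate in the bundle survives as a CLI payload.
payload_is_complete() {
  bundle=$(cat)
  total=$(printf '%s\n' "$bundle" | count_certs)
  seen=$(printf '%s\n' "$bundle" | payload_seen_by_cli | count_certs)
  [ "$total" -gt 0 ] && [ "$seen" -eq "$total" ]
}

echo "certificates in file:          $(sample_bundle | count_certs)"
echo "certificates reaching HAProxy: $(sample_bundle | payload_seen_by_cli | count_certs)"
echo "after stripping blank lines:   $(sample_bundle | strip_blank_lines | payload_seen_by_cli | count_certs)"
```

With the unnormalized bundle only the key and the leaf certificate come before the first empty line, so the intermediates never reach the running process.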

@wlallemand
Contributor

Just pushed an update to be compatible with this case.

@jhjadmin

jhjadmin commented Dec 4, 2023

Hi,

for me, the in place deployment of certificate renewals (letsencrypt) is not working anymore (so I think since end of last week). Same error, certificate chain incomplete. After restarting haproxy service, everything works as usual.
This is reproducible: Just renew certificate (with --force) and deploy without restarting haproxy service > Check ssllabs for incomplete certificate chain > restart haproxy service > check ssllabs for complete certificate chain

acme version: 3.0.7
haproxy version: 2.8.4

@wlallemand
Contributor

@jhjadmin what do you mean by "in place" deployment? are you using #4581? what is your acme.sh configuration?

@wlallemand
Contributor

The DEPLOY_HAPROXY_HOT_UPDATE and DEPLOY_HAPROXY_STATS_SOCKET variables are not official options of acme.sh, they are part of the mentioned Pull Request.

@jhjadmin

jhjadmin commented Dec 4, 2023

> @jhjadmin what do you mean by "in place" deployment? are you using #4581? what is your acme.sh configuration?

Yes, I mean that PR, so probably this is the wrong place here to discuss. :-)

And I use this as described here: https://www.haproxy.com/blog/haproxy-and-let-s-encrypt

@wlallemand
Contributor

@jhjadmin the latest documentation is available here https://github.com/haproxy/wiki/wiki/Letsencrypt-integration-with-HAProxy-and-acme.sh but that's slightly the same. Could you please update the deploy/haproxy.sh file and try again?

curl https://raw.githubusercontent.com/haproxy/haproxy/master/admin/acme.sh/haproxy.sh > /usr/local/share/acme.sh/deploy/haproxy.sh

Please share your output with --debug 2 (by removing the base64 which contains your private key).

@jhjadmin

jhjadmin commented Dec 4, 2023

Thank you very much, updating the deploy script seems to work. No restart of haproxy service with complete certificate chain now.

But anyway the output of the deploy command:

[Mo 4. Dez 12:16:47 CET 2023] _is_idn_d='example.org'
[Mo 4. Dez 12:16:47 CET 2023] _idn_temp
[Mo 4. Dez 12:16:47 CET 2023] Lets find script dir.
[Mo 4. Dez 12:16:47 CET 2023] _SCRIPT_='/usr/local/bin/acme.sh'
[Mo 4. Dez 12:16:47 CET 2023] _script='/usr/local/share/acme.sh/acme.sh'
[Mo 4. Dez 12:16:47 CET 2023] _script_home='/usr/local/share/acme.sh'
[Mo 4. Dez 12:16:47 CET 2023] Using default home:/var/lib/acme/.acme.sh
[Mo 4. Dez 12:16:47 CET 2023] Using config home:/var/lib/acme/.acme.sh
[Mo 4. Dez 12:16:47 CET 2023] LE_WORKING_DIR='/var/lib/acme/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.0.7
[Mo 4. Dez 12:16:47 CET 2023] Running cmd: deploy
[Mo 4. Dez 12:16:47 CET 2023] Using config home:/var/lib/acme/.acme.sh
[Mo 4. Dez 12:16:47 CET 2023] default_acme_server
[Mo 4. Dez 12:16:47 CET 2023] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Mo 4. Dez 12:16:47 CET 2023] _ACME_SERVER_HOST='acme.zerossl.com'
[Mo 4. Dez 12:16:47 CET 2023] _ACME_SERVER_PATH='v2/DV90'
[Mo 4. Dez 12:16:47 CET 2023] The domain 'example.org' seems to have a ECC cert already, lets use ecc cert.
[Mo 4. Dez 12:16:47 CET 2023] DOMAIN_PATH='/var/lib/acme/.acme.sh/example.org_ecc'
[Mo 4. Dez 12:16:47 CET 2023] DOMAIN_CONF='/var/lib/acme/.acme.sh/example.org_ecc/example.org.conf'
[Mo 4. Dez 12:16:47 CET 2023] _deployApi='/usr/local/share/acme.sh/deploy/haproxy.sh'
[Mo 4. Dez 12:16:47 CET 2023] _cdomain='example.org'
[Mo 4. Dez 12:16:47 CET 2023] _ckey='/var/lib/acme/.acme.sh/example.org_ecc/example.org.key'
[Mo 4. Dez 12:16:47 CET 2023] _ccert='/var/lib/acme/.acme.sh/example.org_ecc/example.org.cer'
[Mo 4. Dez 12:16:48 CET 2023] _cca='/var/lib/acme/.acme.sh/example.org_ecc/ca.cer'
[Mo 4. Dez 12:16:48 CET 2023] _cfullchain='/var/lib/acme/.acme.sh/example.org_ecc/fullchain.cer'
[Mo 4. Dez 12:16:48 CET 2023] DEPLOY_HAPROXY_PEM_PATH='/etc/haproxy/certs'
[Mo 4. Dez 12:16:48 CET 2023] PEM_PATH /etc/haproxy/certs exists
[Mo 4. Dez 12:16:48 CET 2023] DEPLOY_HAPROXY_PEM_NAME
[Mo 4. Dez 12:16:48 CET 2023] DEPLOY_HAPROXY_BUNDLE
[Mo 4. Dez 12:16:48 CET 2023] DEPLOY_HAPROXY_ISSUER
[Mo 4. Dez 12:16:48 CET 2023] DEPLOY_HAPROXY_RELOAD
[Mo 4. Dez 12:16:48 CET 2023] DEPLOY_HAPROXY_HOT_UPDATE='yes'
[Mo 4. Dez 12:16:48 CET 2023] DEPLOY_HAPROXY_STATS_SOCKET='/var/run/haproxy/admin.sock'
[Mo 4. Dez 12:16:48 CET 2023] DEPLOY_HAPROXY_MASTER_CLI
[Mo 4. Dez 12:16:48 CET 2023] _suffix
[Mo 4. Dez 12:16:48 CET 2023] Deploying PEM file
[Mo 4. Dez 12:16:48 CET 2023] _temppem='/tmp/tmp.P20ANk1dDR'
[Mo 4. Dez 12:16:48 CET 2023] Moving new certificate into place
[Mo 4. Dez 12:16:48 CET 2023] _pem='/etc/haproxy/certs/example.org.pem'
[Mo 4. Dez 12:16:48 CET 2023] _socat_cert_cmd='echo 'show ssl cert' | socat '/var/run/haproxy/admin.sock' - | grep -q '^/etc/haproxy/certs/example.org.pem$''
[Mo 4. Dez 12:16:48 CET 2023] Update existing certificate '/etc/haproxy/certs/example.org.pem' over HAProxy stats socket.
[Mo 4. Dez 12:16:48 CET 2023] _socat_cert_set_cmd='echo -e 'set ssl cert /etc/haproxy/certs/example.org.pem <<\n-----BEGIN CERTIFICATE-----
snip
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
snip
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
snip
-----END CERTIFICATE-----
-----BEGIN EC PRIVATE KEY-----
snip
-----END EC PRIVATE KEY-----\n' | socat '/var/run/haproxy/admin.sock' - | grep -q 'Transaction created''
[Mo 4. Dez 12:16:48 CET 2023] _socat_cert_commit_cmd='echo 'commit ssl cert /etc/haproxy/certs/example.org.pem' | socat '/var/run/haproxy/admin.sock' - | grep -q '^Success!$''
[Mo 4. Dez 12:16:48 CET 2023] Success

@wlallemand
Contributor

@jhjadmin okay, thanks, good to know!
@podguzovvasily do you still have problems with your deployment?
