As a follow-up to this previous post on using HAProxy and Let's Encrypt, I'd had it on my todo list for a while to perform the certificate reload a little better than in a /usr/local/bin/reload-cert.sh script:

#! /bin/sh
# TODO: Really, this should be a /etc/rc.d reload script
# Concatenate the Let's Encrypt chain and private key into the single PEM
# file HAProxy expects; the resulting file inherits the current umask.
cat /usr/pkg/etc/letsencrypt/live/atomicules.co.uk/fullchain.pem /usr/pkg/etc/letsencrypt/live/atomicules.co.uk/privkey.pem > /usr/pkg/etc/haproxy.crt
export conf_file=/usr/pkg/etc/haproxy.cfg
export pid_file=/usr/pkg/etc/haproxy.pid
# Start a new haproxy and ask the old one (-sf) to finish its connections.
haproxy -f "$conf_file" -sf "$(cat "$pid_file")" -p "$pid_file" -D

Look! It even says in it what I wanted to do. This is one of those things that was actually pretty straightforward to do, but perceived difficulty put me off doing it until now.

It was just a matter of adding the extra commands to extra_commands in /etc/rc.d/haproxy:

extra_commands="configtest reload reloadcert"

(configtest was already there), and then adding a mapping for those just afterwards:

reload_cmd="haproxy_reload"
reloadcert_cmd="haproxy_reloadcert"

Then a bit further down in the file adding the commands themselves:

haproxy_reload()
{
	if [ ! -f "${conf_file}" ]; then
		warn "${conf_file} does not exist."
		return 1
	fi
	echo "Reloading config for haproxy"
	# Start a new instance and ask the old one (-sf) to finish gracefully.
	${command} -f "${conf_file}" -sf "$(cat "${pid_file}")" -p "${pid_file}" -D
}

haproxy_reloadcert()
{
	if [ ! -f "${conf_file}" ]; then
		warn "${conf_file} does not exist."
		return 1
	fi
	echo "Reloading cert for haproxy"
	# Rebuild the combined chain + key file (it inherits the current umask), then reload.
	cat /usr/pkg/etc/letsencrypt/live/atomicules.co.uk/fullchain.pem /usr/pkg/etc/letsencrypt/live/atomicules.co.uk/privkey.pem > /usr/pkg/etc/haproxy.crt
	${command} -f "${conf_file}" -sf "$(cat "${pid_file}")" -p "${pid_file}" -D
}

The haproxy_reloadcert should really take arguments from rc.conf rather than me hardcoding my certificate paths in, but since this is “just for me” I can get away with being lazy. It’s ultimately doing the exact same thing as the reload-cert.sh script was doing, but just in the right place now. Then the certbot --renew-hook becomes:

--renew-hook "/etc/rc.d/haproxy reloadcert"
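As an added example (not the original post's rc.d script), here is what the rc.conf-driven version mentioned above could look like: the certificate directory and output file come from rc.conf variables with defaults, the source PEM files are checked before anything is overwritten, the combined file (which holds the private key) is written 0600 to a temp file and renamed into place, and the config is parse-checked with `haproxy -c` before the running process is told to go away. The `haproxy_certdir` and `haproxy_certfile` variable names and the `haproxy_buildcert` helper are assumptions; `command`, `conf_file`, `pid_file` and `warn` normally come from rc.subr and rc.conf, so the fallbacks exist only to let the functions run stand-alone.

```shell
#!/bin/sh
# Added example, not the post's own /etc/rc.d/haproxy. In the real rc.d
# script these defaults are supplied by rc.subr/rc.conf after load_rc_config.
: "${command:=haproxy}"
: "${conf_file:=/usr/pkg/etc/haproxy.cfg}"
: "${pid_file:=/usr/pkg/etc/haproxy.pid}"
# Assumed rc.conf knobs (hypothetical names), e.g. in /etc/rc.conf:
#   haproxy_certdir=/usr/pkg/etc/letsencrypt/live/example.org
#   haproxy_certfile=/usr/pkg/etc/haproxy.crt
: "${haproxy_certdir:=/usr/pkg/etc/letsencrypt/live/example.org}"
: "${haproxy_certfile:=/usr/pkg/etc/haproxy.crt}"
if ! command -v warn >/dev/null 2>&1; then
	warn() { echo "${0##*/}: WARNING: $*" >&2; }
fi

# Build the combined PEM HAProxy wants (fullchain + key) from $1 (certdir)
# into $2 (certfile). The result contains the private key, so it is created
# 0600 in a temp file and renamed over the old one: a half-written or
# world-readable certfile is never visible, and a failure keeps the old one.
haproxy_buildcert()
{
	certdir=$1; certfile=$2
	for f in "$certdir/fullchain.pem" "$certdir/privkey.pem"; do
		if [ ! -r "$f" ]; then
			warn "$f missing or unreadable, keeping existing $certfile"
			return 1
		fi
	done
	tmp="$certfile.tmp.$$"
	( umask 077 && cat "$certdir/fullchain.pem" "$certdir/privkey.pem" > "$tmp" ) || { rm -f "$tmp"; return 1; }
	mv -f "$tmp" "$certfile"
}

haproxy_reloadcert()
{
	[ -f "$conf_file" ] || { warn "$conf_file does not exist."; return 1; }
	haproxy_buildcert "$haproxy_certdir" "$haproxy_certfile" || return 1
	# Parse-check the config (which loads the crt file) before asking the
	# running process to finish: a bad cert must not take the old instance down.
	"$command" -c -f "$conf_file" >/dev/null || { warn "config check failed, not reloading"; return 1; }
	echo "Reloading cert for haproxy"
	"$command" -f "$conf_file" -sf "$(cat "$pid_file")" -p "$pid_file" -D
}
```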

Easy when you can be bothered.

Please, please never go away, rc.d.