admin/acme.sh/haproxy.sh - haproxy - Gitiles

 #!/usr/bin/env sh

 # Script for acme.sh to deploy certificates to haproxy
 #
 # The following variables can be exported:
 #
 # export DEPLOY_HAPROXY_PEM_NAME="${domain}.pem"
 #
 # Defines the name of the PEM file.
 # Defaults to "<domain>.pem"
 #
 # export DEPLOY_HAPROXY_PEM_PATH="/etc/haproxy"
 #
 # Defines location of PEM file for HAProxy.
 # Defaults to /etc/haproxy
 #
 # export DEPLOY_HAPROXY_RELOAD="systemctl reload haproxy"
 #
 # OPTIONAL: Reload command used post deploy
 # This defaults to be a no-op (ie "true").
 # It is strongly recommended to set this something that makes sense
 # for your distro.
 #
 # export DEPLOY_HAPROXY_ISSUER="no"
 #
 # OPTIONAL: Places CA file as "${DEPLOY_HAPROXY_PEM}.issuer"
 # Note: Required for OCSP stapling to work
 #
 # export DEPLOY_HAPROXY_BUNDLE="no"
 #
 # OPTIONAL: Deploy this certificate as part of a multi-cert bundle
 # This adds a suffix to the certificate based on the certificate type
 # eg RSA certificates will have .rsa as a suffix to the file name
 # HAProxy will load all certificates and provide one or the other
 # depending on client capabilities
 # Note: This functionality requires HAProxy was compiled against
 # a version of OpenSSL that supports this.
 #
 # export DEPLOY_HAPROXY_HOT_UPDATE="yes"
 # export DEPLOY_HAPROXY_STATS_SOCKET="/run/haproxy/admin.sock"
 #
 # OPTIONAL: Deploy the certificate over the HAProxy stats socket without
 # needing to reload HAProxy. Default is "no".
 #
 # Require the socat binary.

 ########  Public functions #####################

 #domain keyfile certfile cafile fullchain
 haproxy_deploy() {
   _cdomain="$1"
   _ckey="$2"
   _ccert="$3"
   _cca="$4"
   _cfullchain="$5"

   # Some defaults
   DEPLOY_HAPROXY_PEM_PATH_DEFAULT="/etc/haproxy"
   DEPLOY_HAPROXY_PEM_NAME_DEFAULT="${_cdomain}.pem"
   DEPLOY_HAPROXY_BUNDLE_DEFAULT="no"
   DEPLOY_HAPROXY_ISSUER_DEFAULT="no"
   DEPLOY_HAPROXY_RELOAD_DEFAULT="true"
   DEPLOY_HAPROXY_HOT_UPDATE_DEFAULT="no"
   DEPLOY_HAPROXY_STATS_SOCKET_DEFAULT="/run/haproxy/admin.sock"

   _debug _cdomain "${_cdomain}"
   _debug _ckey "${_ckey}"
   _debug _ccert "${_ccert}"
   _debug _cca "${_cca}"
   _debug _cfullchain "${_cfullchain}"

   # PEM_PATH is optional. If not provided then assume "${DEPLOY_HAPROXY_PEM_PATH_DEFAULT}"
   _getdeployconf DEPLOY_HAPROXY_PEM_PATH
   _debug2 DEPLOY_HAPROXY_PEM_PATH "${DEPLOY_HAPROXY_PEM_PATH}"
   if [ -n "${DEPLOY_HAPROXY_PEM_PATH}" ]; then
     Le_Deploy_haproxy_pem_path="${DEPLOY_HAPROXY_PEM_PATH}"
     _savedomainconf Le_Deploy_haproxy_pem_path "${Le_Deploy_haproxy_pem_path}"
   elif [ -z "${Le_Deploy_haproxy_pem_path}" ]; then
     Le_Deploy_haproxy_pem_path="${DEPLOY_HAPROXY_PEM_PATH_DEFAULT}"
   fi

   # Ensure PEM_PATH exists
   if [ -d "${Le_Deploy_haproxy_pem_path}" ]; then
     _debug "PEM_PATH ${Le_Deploy_haproxy_pem_path} exists"
   else
     _err "PEM_PATH ${Le_Deploy_haproxy_pem_path} does not exist"
     return 1
   fi

   # PEM_NAME is optional. If not provided then assume "${DEPLOY_HAPROXY_PEM_NAME_DEFAULT}"
   _getdeployconf DEPLOY_HAPROXY_PEM_NAME
   _debug2 DEPLOY_HAPROXY_PEM_NAME "${DEPLOY_HAPROXY_PEM_NAME}"
   if [ -n "${DEPLOY_HAPROXY_PEM_NAME}" ]; then
     Le_Deploy_haproxy_pem_name="${DEPLOY_HAPROXY_PEM_NAME}"
     _savedomainconf Le_Deploy_haproxy_pem_name "${Le_Deploy_haproxy_pem_name}"
   elif [ -z "${Le_Deploy_haproxy_pem_name}" ]; then
     Le_Deploy_haproxy_pem_name="${DEPLOY_HAPROXY_PEM_NAME_DEFAULT}"
   fi

   # BUNDLE is optional. If not provided then assume "${DEPLOY_HAPROXY_BUNDLE_DEFAULT}"
   _getdeployconf DEPLOY_HAPROXY_BUNDLE
   _debug2 DEPLOY_HAPROXY_BUNDLE "${DEPLOY_HAPROXY_BUNDLE}"
   if [ -n "${DEPLOY_HAPROXY_BUNDLE}" ]; then
     Le_Deploy_haproxy_bundle="${DEPLOY_HAPROXY_BUNDLE}"
     _savedomainconf Le_Deploy_haproxy_bundle "${Le_Deploy_haproxy_bundle}"
   elif [ -z "${Le_Deploy_haproxy_bundle}" ]; then
     Le_Deploy_haproxy_bundle="${DEPLOY_HAPROXY_BUNDLE_DEFAULT}"
   fi

   # ISSUER is optional. If not provided then assume "${DEPLOY_HAPROXY_ISSUER_DEFAULT}"
   _getdeployconf DEPLOY_HAPROXY_ISSUER
   _debug2 DEPLOY_HAPROXY_ISSUER "${DEPLOY_HAPROXY_ISSUER}"
   if [ -n "${DEPLOY_HAPROXY_ISSUER}" ]; then
     Le_Deploy_haproxy_issuer="${DEPLOY_HAPROXY_ISSUER}"
     _savedomainconf Le_Deploy_haproxy_issuer "${Le_Deploy_haproxy_issuer}"
   elif [ -z "${Le_Deploy_haproxy_issuer}" ]; then
     Le_Deploy_haproxy_issuer="${DEPLOY_HAPROXY_ISSUER_DEFAULT}"
   fi

   # RELOAD is optional. If not provided then assume "${DEPLOY_HAPROXY_RELOAD_DEFAULT}"
   _getdeployconf DEPLOY_HAPROXY_RELOAD
   _debug2 DEPLOY_HAPROXY_RELOAD "${DEPLOY_HAPROXY_RELOAD}"
   if [ -n "${DEPLOY_HAPROXY_RELOAD}" ]; then
     Le_Deploy_haproxy_reload="${DEPLOY_HAPROXY_RELOAD}"
     _savedomainconf Le_Deploy_haproxy_reload "${Le_Deploy_haproxy_reload}"
   elif [ -z "${Le_Deploy_haproxy_reload}" ]; then
     Le_Deploy_haproxy_reload="${DEPLOY_HAPROXY_RELOAD_DEFAULT}"
   fi

   # HOT_UPDATE is optional. If not provided then assume "${DEPLOY_HAPROXY_HOT_UPDATE_DEFAULT}"
   _getdeployconf DEPLOY_HAPROXY_HOT_UPDATE
   _debug2 DEPLOY_HAPROXY_HOT_UPDATE "${DEPLOY_HAPROXY_HOT_UPDATE}"
   if [ -n "${DEPLOY_HAPROXY_HOT_UPDATE}" ]; then
     Le_Deploy_haproxy_hot_update="${DEPLOY_HAPROXY_HOT_UPDATE}"
     _savedomainconf Le_Deploy_haproxy_hot_update "${Le_Deploy_haproxy_hot_update}"
   elif [ -z "${Le_Deploy_haproxy_hot_update}" ]; then
     Le_Deploy_haproxy_hot_update="${DEPLOY_HAPROXY_HOT_UPDATE_DEFAULT}"
   fi

   # STATS_SOCKET is optional. If not provided then assume "${DEPLOY_HAPROXY_STATS_SOCKET_DEFAULT}"
   _getdeployconf DEPLOY_HAPROXY_STATS_SOCKET
   _debug2 DEPLOY_HAPROXY_STATS_SOCKET "${DEPLOY_HAPROXY_STATS_SOCKET}"
   if [ -n "${DEPLOY_HAPROXY_STATS_SOCKET}" ]; then
     Le_Deploy_haproxy_stats_socket="${DEPLOY_HAPROXY_STATS_SOCKET}"
     _savedomainconf Le_Deploy_haproxy_stats_socket "${Le_Deploy_haproxy_stats_socket}"
   elif [ -z "${Le_Deploy_haproxy_stats_socket}" ]; then
     Le_Deploy_haproxy_stats_socket="${DEPLOY_HAPROXY_STATS_SOCKET_DEFAULT}"
   fi

   # Set the suffix depending if we are creating a bundle or not
   if [ "${Le_Deploy_haproxy_bundle}" = "yes" ]; then
     _info "Bundle creation requested"
     # Initialise $Le_Keylength if its not already set
     if [ -z "${Le_Keylength}" ]; then
       Le_Keylength=""
     fi
     if _isEccKey "${Le_Keylength}"; then
       _info "ECC key type detected"
       _suffix=".ecdsa"
     else
       _info "RSA key type detected"
       _suffix=".rsa"
     fi
   else
     _suffix=""
   fi
   _debug _suffix "${_suffix}"

   # Set variables for later
   _pem="${Le_Deploy_haproxy_pem_path}/${Le_Deploy_haproxy_pem_name}${_suffix}"
   _issuer="${_pem}.issuer"
   _ocsp="${_pem}.ocsp"
   _reload="${Le_Deploy_haproxy_reload}"
   _statssock="${Le_Deploy_haproxy_stats_socket}"

   _info "Deploying PEM file"
   # Create a temporary PEM file
   _temppem="$(_mktemp)"
   _debug _temppem "${_temppem}"
   cat "${_ckey}" "${_ccert}" "${_cca}" >"${_temppem}"
   _ret="$?"

   # Check that we could create the temporary file
   if [ "${_ret}" != "0" ]; then
     _err "Error code ${_ret} returned during PEM file creation"
     [ -f "${_temppem}" ] && rm -f "${_temppem}"
     return ${_ret}
   fi

   # Move PEM file into place
   _info "Moving new certificate into place"
   _debug _pem "${_pem}"
   cat "${_temppem}" >"${_pem}"
   _ret=$?

   # Clean up temp file
   [ -f "${_temppem}" ] && rm -f "${_temppem}"

   # Deal with any failure of moving PEM file into place
   if [ "${_ret}" != "0" ]; then
     _err "Error code ${_ret} returned while moving new certificate into place"
     return ${_ret}
   fi

   # Update .issuer file if requested
   if [ "${Le_Deploy_haproxy_issuer}" = "yes" ]; then
     _info "Updating .issuer file"
     _debug _issuer "${_issuer}"
     cat "${_cca}" >"${_issuer}"
     _ret="$?"

     if [ "${_ret}" != "0" ]; then
       _err "Error code ${_ret} returned while copying issuer/CA certificate into place"
       return ${_ret}
     fi
   else
     [ -f "${_issuer}" ] && _err "Issuer file update not requested but .issuer file exists"
   fi

   # Update .ocsp file if certificate was requested with --ocsp/--ocsp-must-staple option
   if [ -z "${Le_OCSP_Staple}" ]; then
     Le_OCSP_Staple="0"
   fi
   if [ "${Le_OCSP_Staple}" = "1" ]; then
     _info "Updating OCSP stapling info"
     _debug _ocsp "${_ocsp}"
     _info "Extracting OCSP URL"
     _ocsp_url=$(${ACME_OPENSSL_BIN:-openssl} x509 -noout -ocsp_uri -in "${_pem}")
     _debug _ocsp_url "${_ocsp_url}"

     # Only process OCSP if URL was present
     if [ "${_ocsp_url}" != "" ]; then
       # Extract the hostname from the OCSP URL
       _info "Extracting OCSP URL"
       _ocsp_host=$(echo "${_ocsp_url}" | cut -d/ -f3)
       _debug _ocsp_host "${_ocsp_host}"

       # Only process the certificate if we have a .issuer file
       if [ -r "${_issuer}" ]; then
         # Check if issuer cert is also a root CA cert
         _subjectdn=$(${ACME_OPENSSL_BIN:-openssl} x509 -in "${_issuer}" -subject -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)
         _debug _subjectdn "${_subjectdn}"
         _issuerdn=$(${ACME_OPENSSL_BIN:-openssl} x509 -in "${_issuer}" -issuer -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)
         _debug _issuerdn "${_issuerdn}"
         _info "Requesting OCSP response"
         # If the issuer is a CA cert then our command line has "-CAfile" added
         if [ "${_subjectdn}" = "${_issuerdn}" ]; then
           _cafile_argument="-CAfile \"${_issuer}\""
         else
           _cafile_argument=""
         fi
         _debug _cafile_argument "${_cafile_argument}"
         # if OpenSSL/LibreSSL is v1.1 or above, the format for the -header option has changed
         _openssl_version=$(${ACME_OPENSSL_BIN:-openssl} version | cut -d' ' -f2)
         _debug _openssl_version "${_openssl_version}"
         _openssl_major=$(echo "${_openssl_version}" | cut -d '.' -f1)
         _openssl_minor=$(echo "${_openssl_version}" | cut -d '.' -f2)
         if [ "${_openssl_major}" -eq "1" ] && [ "${_openssl_minor}" -ge "1" ] || [ "${_openssl_major}" -ge "2" ]; then
           _header_sep="="
         else
           _header_sep=" "
         fi
         # Request the OCSP response from the issuer and store it
         _openssl_ocsp_cmd="${ACME_OPENSSL_BIN:-openssl} ocsp \
           -issuer \"${_issuer}\" \
           -cert \"${_pem}\" \
           -url \"${_ocsp_url}\" \
           -header Host${_header_sep}\"${_ocsp_host}\" \
           -respout \"${_ocsp}\" \
           -verify_other \"${_issuer}\" \
           ${_cafile_argument} \
           | grep -q \"${_pem}: good\""
         _debug _openssl_ocsp_cmd "${_openssl_ocsp_cmd}"
         eval "${_openssl_ocsp_cmd}"
         _ret=$?
       else
         # Non fatal: No issuer file was present so no OCSP stapling file created
         _err "OCSP stapling in use but no .issuer file was present"
       fi
     else
       # Non fatal: No OCSP url was found int the certificate
       _err "OCSP update requested but no OCSP URL was found in certificate"
     fi

     # Non fatal: Check return code of openssl command
     if [ "${_ret}" != "0" ]; then
       _err "Updating OCSP stapling failed with return code ${_ret}"
     fi
   else
     # An OCSP file was already present but certificate did not have OCSP extension
     if [ -f "${_ocsp}" ]; then
       _err "OCSP was not requested but .ocsp file exists."
       # Could remove the file at this step, although HAProxy just ignores it in this case
       # rm -f "${_ocsp}" || _err "Problem removing stale .ocsp file"
     fi
   fi

   if [ "${Le_Deploy_haproxy_hot_update}" = "yes" ]; then
     # Update certificate over HAProxy stats socket.
     if _exists socat; then
       # look for the certificate on the stats socket, to chose between updating or creating one
       _socat_cert_cmd="echo 'show ssl cert' | socat ${_statssock} - | grep -q '^${_pem}$'"
       _debug _socat_cert_cmd "${_socat_cert_cmd}"
       eval "${_socat_cert_cmd}"
       _ret=$?
       if [ "${_ret}" != "0" ]; then
         _newcert="1"
         _info "Creating new certificate '${_pem}' over HAProxy stats socket."
         # certificate wasn't found, it's a new one. We should check if the crt-list exists and creates/inserts the certificate.
         _socat_crtlist_show_cmd="echo 'show ssl crt-list' | socat ${_statssock} - | grep -q '^${Le_Deploy_haproxy_pem_path}$'"
         _debug _socat_crtlist_show_cmd "${_socat_crtlist_show_cmd}"
         eval "${_socat_crtlist_show_cmd}"
         _ret=$?
         if [ "${_ret}" != "0" ]; then
           _err "Couldn't find '${Le_Deploy_haproxy_pem_path}' in haproxy 'show ssl crt-list'"
           return "${_ret}"
         fi
         # create a new certificate
         _socat_new_cmd="echo 'new ssl cert ${_pem}' | socat ${_statssock} - | grep -q 'New empty'"
         _debug _socat_new_cmd "${_socat_new_cmd}"
         eval "${_socat_new_cmd}"
         _ret=$?
         if [ "${_ret}" != "0" ]; then
           _err "Couldn't create '${_pem}' in haproxy"
           return "${_ret}"
         fi
       else
         _info "Update existing certificate '${_pem}' over HAProxy stats socket."
       fi
       _socat_cert_set_cmd="echo -e 'set ssl cert ${_pem} <<\n$(cat ${_pem})\n' | socat 'UNIX:${_statssock}' - | grep -q 'Transaction created'"
       _debug _socat_cert_set_cmd "${_socat_cert_set_cmd}"
       eval "${_socat_cert_set_cmd}"
       _ret=$?
       if [ "${_ret}" != "0" ]; then
         _err "Can't update '${_pem}' in haproxy"
         return "${_ret}"
       fi
       _socat_cert_commit_cmd="echo 'commit ssl cert ${_pem}' | socat 'UNIX:${_statssock}' - | grep -q '^Success!$'"
       _debug _socat_cert_commit_cmd "${_socat_cert_commit_cmd}"
       eval "${_socat_cert_commit_cmd}"
       _ret=$?
       if [ "${_ret}" != "0" ]; then
         _err "Can't commit '${_pem}' in haproxy"
         return ${_ret}
       fi
       if [ "${_newcert}" = "1" ]; then
        # if this is a new certificate, it needs to be inserted into the crt-list`
         _socat_cert_add_cmd="echo 'add ssl crt-list ${Le_Deploy_haproxy_pem_path} ${_pem}' | socat 'UNIX:${_statssock}' - | grep -q 'Success!'"
         _debug _socat_cert_add_cmd "${_socat_cert_add_cmd}"
         eval "${_socat_cert_add_cmd}"
         _ret=$?
         if [ "${_ret}" != "0" ]; then
           _err "Can't update '${_pem}' in haproxy"
           return "${_ret}"
         fi
       fi
     else
       _err "'socat' is not available, couldn't update over stats socket"
     fi
   else
     # Reload HAProxy
     _debug _reload "${_reload}"
     eval "${_reload}"
     _ret=$?
     if [ "${_ret}" != "0" ]; then
       _err "Error code ${_ret} during reload"
       return ${_ret}
     else
       _info "Reload successful"
     fi
   fi

   return 0
 }
	#!/usr/bin/env sh

	# Script for acme.sh to deploy certificates to haproxy
	#
	# The following variables can be exported:
	#
	# export DEPLOY_HAPROXY_PEM_NAME="${domain}.pem"
	#
	# Defines the name of the PEM file.
	# Defaults to "<domain>.pem"
	#
	# export DEPLOY_HAPROXY_PEM_PATH="/etc/haproxy"
	#
	# Defines location of PEM file for HAProxy.
	# Defaults to /etc/haproxy
	#
	# export DEPLOY_HAPROXY_RELOAD="systemctl reload haproxy"
	#
	# OPTIONAL: Reload command used post deploy
	# This defaults to be a no-op (ie "true").
	# It is strongly recommended to set this something that makes sense
	# for your distro.
	#
	# export DEPLOY_HAPROXY_ISSUER="no"
	#
	# OPTIONAL: Places CA file as "${DEPLOY_HAPROXY_PEM}.issuer"
	# Note: Required for OCSP stapling to work
	#
	# export DEPLOY_HAPROXY_BUNDLE="no"
	#
	# OPTIONAL: Deploy this certificate as part of a multi-cert bundle
	# This adds a suffix to the certificate based on the certificate type
	# eg RSA certificates will have .rsa as a suffix to the file name
	# HAProxy will load all certificates and provide one or the other
	# depending on client capabilities
	# Note: This functionality requires HAProxy was compiled against
	# a version of OpenSSL that supports this.
	#
	# export DEPLOY_HAPROXY_HOT_UPDATE="yes"
	# export DEPLOY_HAPROXY_STATS_SOCKET="/run/haproxy/admin.sock"
	#
	# OPTIONAL: Deploy the certificate over the HAProxy stats socket without
	# needing to reload HAProxy. Default is "no".
	#
	# Require the socat binary.

	######## Public functions #####################

	#domain keyfile certfile cafile fullchain
	haproxy_deploy() {
	_cdomain="$1"
	_ckey="$2"
	_ccert="$3"
	_cca="$4"
	_cfullchain="$5"

	# Some defaults
	DEPLOY_HAPROXY_PEM_PATH_DEFAULT="/etc/haproxy"
	DEPLOY_HAPROXY_PEM_NAME_DEFAULT="${_cdomain}.pem"
	DEPLOY_HAPROXY_BUNDLE_DEFAULT="no"
	DEPLOY_HAPROXY_ISSUER_DEFAULT="no"
	DEPLOY_HAPROXY_RELOAD_DEFAULT="true"
	DEPLOY_HAPROXY_HOT_UPDATE_DEFAULT="no"
	DEPLOY_HAPROXY_STATS_SOCKET_DEFAULT="/run/haproxy/admin.sock"

	_debug _cdomain "${_cdomain}"
	_debug _ckey "${_ckey}"
	_debug _ccert "${_ccert}"
	_debug _cca "${_cca}"
	_debug _cfullchain "${_cfullchain}"

	# PEM_PATH is optional. If not provided then assume "${DEPLOY_HAPROXY_PEM_PATH_DEFAULT}"
	_getdeployconf DEPLOY_HAPROXY_PEM_PATH
	_debug2 DEPLOY_HAPROXY_PEM_PATH "${DEPLOY_HAPROXY_PEM_PATH}"
	if [ -n "${DEPLOY_HAPROXY_PEM_PATH}" ]; then
	Le_Deploy_haproxy_pem_path="${DEPLOY_HAPROXY_PEM_PATH}"
	_savedomainconf Le_Deploy_haproxy_pem_path "${Le_Deploy_haproxy_pem_path}"
	elif [ -z "${Le_Deploy_haproxy_pem_path}" ]; then
	Le_Deploy_haproxy_pem_path="${DEPLOY_HAPROXY_PEM_PATH_DEFAULT}"
	fi

	# Ensure PEM_PATH exists
	if [ -d "${Le_Deploy_haproxy_pem_path}" ]; then
	_debug "PEM_PATH ${Le_Deploy_haproxy_pem_path} exists"
	else
	_err "PEM_PATH ${Le_Deploy_haproxy_pem_path} does not exist"
	return 1
	fi

	# PEM_NAME is optional. If not provided then assume "${DEPLOY_HAPROXY_PEM_NAME_DEFAULT}"
	_getdeployconf DEPLOY_HAPROXY_PEM_NAME
	_debug2 DEPLOY_HAPROXY_PEM_NAME "${DEPLOY_HAPROXY_PEM_NAME}"
	if [ -n "${DEPLOY_HAPROXY_PEM_NAME}" ]; then
	Le_Deploy_haproxy_pem_name="${DEPLOY_HAPROXY_PEM_NAME}"
	_savedomainconf Le_Deploy_haproxy_pem_name "${Le_Deploy_haproxy_pem_name}"
	elif [ -z "${Le_Deploy_haproxy_pem_name}" ]; then
	Le_Deploy_haproxy_pem_name="${DEPLOY_HAPROXY_PEM_NAME_DEFAULT}"
	fi

	# BUNDLE is optional. If not provided then assume "${DEPLOY_HAPROXY_BUNDLE_DEFAULT}"
	_getdeployconf DEPLOY_HAPROXY_BUNDLE
	_debug2 DEPLOY_HAPROXY_BUNDLE "${DEPLOY_HAPROXY_BUNDLE}"
	if [ -n "${DEPLOY_HAPROXY_BUNDLE}" ]; then
	Le_Deploy_haproxy_bundle="${DEPLOY_HAPROXY_BUNDLE}"
	_savedomainconf Le_Deploy_haproxy_bundle "${Le_Deploy_haproxy_bundle}"
	elif [ -z "${Le_Deploy_haproxy_bundle}" ]; then
	Le_Deploy_haproxy_bundle="${DEPLOY_HAPROXY_BUNDLE_DEFAULT}"
	fi

	# ISSUER is optional. If not provided then assume "${DEPLOY_HAPROXY_ISSUER_DEFAULT}"
	_getdeployconf DEPLOY_HAPROXY_ISSUER
	_debug2 DEPLOY_HAPROXY_ISSUER "${DEPLOY_HAPROXY_ISSUER}"
	if [ -n "${DEPLOY_HAPROXY_ISSUER}" ]; then
	Le_Deploy_haproxy_issuer="${DEPLOY_HAPROXY_ISSUER}"
	_savedomainconf Le_Deploy_haproxy_issuer "${Le_Deploy_haproxy_issuer}"
	elif [ -z "${Le_Deploy_haproxy_issuer}" ]; then
	Le_Deploy_haproxy_issuer="${DEPLOY_HAPROXY_ISSUER_DEFAULT}"
	fi

	# RELOAD is optional. If not provided then assume "${DEPLOY_HAPROXY_RELOAD_DEFAULT}"
	_getdeployconf DEPLOY_HAPROXY_RELOAD
	_debug2 DEPLOY_HAPROXY_RELOAD "${DEPLOY_HAPROXY_RELOAD}"
	if [ -n "${DEPLOY_HAPROXY_RELOAD}" ]; then
	Le_Deploy_haproxy_reload="${DEPLOY_HAPROXY_RELOAD}"
	_savedomainconf Le_Deploy_haproxy_reload "${Le_Deploy_haproxy_reload}"
	elif [ -z "${Le_Deploy_haproxy_reload}" ]; then
	Le_Deploy_haproxy_reload="${DEPLOY_HAPROXY_RELOAD_DEFAULT}"
	fi

	# HOT_UPDATE is optional. If not provided then assume "${DEPLOY_HAPROXY_HOT_UPDATE_DEFAULT}"
	_getdeployconf DEPLOY_HAPROXY_HOT_UPDATE
	_debug2 DEPLOY_HAPROXY_HOT_UPDATE "${DEPLOY_HAPROXY_HOT_UPDATE}"
	if [ -n "${DEPLOY_HAPROXY_HOT_UPDATE}" ]; then
	Le_Deploy_haproxy_hot_update="${DEPLOY_HAPROXY_HOT_UPDATE}"
	_savedomainconf Le_Deploy_haproxy_hot_update "${Le_Deploy_haproxy_hot_update}"
	elif [ -z "${Le_Deploy_haproxy_hot_update}" ]; then
	Le_Deploy_haproxy_hot_update="${DEPLOY_HAPROXY_HOT_UPDATE_DEFAULT}"
	fi

	# STATS_SOCKET is optional. If not provided then assume "${DEPLOY_HAPROXY_STATS_SOCKET_DEFAULT}"
	_getdeployconf DEPLOY_HAPROXY_STATS_SOCKET
	_debug2 DEPLOY_HAPROXY_STATS_SOCKET "${DEPLOY_HAPROXY_STATS_SOCKET}"
	if [ -n "${DEPLOY_HAPROXY_STATS_SOCKET}" ]; then
	Le_Deploy_haproxy_stats_socket="${DEPLOY_HAPROXY_STATS_SOCKET}"
	_savedomainconf Le_Deploy_haproxy_stats_socket "${Le_Deploy_haproxy_stats_socket}"
	elif [ -z "${Le_Deploy_haproxy_stats_socket}" ]; then
	Le_Deploy_haproxy_stats_socket="${DEPLOY_HAPROXY_STATS_SOCKET_DEFAULT}"
	fi

	# Set the suffix depending if we are creating a bundle or not
	if [ "${Le_Deploy_haproxy_bundle}" = "yes" ]; then
	_info "Bundle creation requested"
	# Initialise $Le_Keylength if its not already set
	if [ -z "${Le_Keylength}" ]; then
	Le_Keylength=""
	fi
	if _isEccKey "${Le_Keylength}"; then
	_info "ECC key type detected"
	_suffix=".ecdsa"
	else
	_info "RSA key type detected"
	_suffix=".rsa"
	fi
	else
	_suffix=""
	fi
	_debug _suffix "${_suffix}"

	# Set variables for later
	_pem="${Le_Deploy_haproxy_pem_path}/${Le_Deploy_haproxy_pem_name}${_suffix}"
	_issuer="${_pem}.issuer"
	_ocsp="${_pem}.ocsp"
	_reload="${Le_Deploy_haproxy_reload}"
	_statssock="${Le_Deploy_haproxy_stats_socket}"

	_info "Deploying PEM file"
	# Create a temporary PEM file
	_temppem="$(_mktemp)"
	_debug _temppem "${_temppem}"
	cat "${_ckey}" "${_ccert}" "${_cca}" >"${_temppem}"
	_ret="$?"

	# Check that we could create the temporary file
	if [ "${_ret}" != "0" ]; then
	_err "Error code ${_ret} returned during PEM file creation"
	[ -f "${_temppem}" ] && rm -f "${_temppem}"
	return ${_ret}
	fi

	# Move PEM file into place
	_info "Moving new certificate into place"
	_debug _pem "${_pem}"
	cat "${_temppem}" >"${_pem}"
	_ret=$?

	# Clean up temp file
	[ -f "${_temppem}" ] && rm -f "${_temppem}"

	# Deal with any failure of moving PEM file into place
	if [ "${_ret}" != "0" ]; then
	_err "Error code ${_ret} returned while moving new certificate into place"
	return ${_ret}
	fi

	# Update .issuer file if requested
	if [ "${Le_Deploy_haproxy_issuer}" = "yes" ]; then
	_info "Updating .issuer file"
	_debug _issuer "${_issuer}"
	cat "${_cca}" >"${_issuer}"
	_ret="$?"

	if [ "${_ret}" != "0" ]; then
	_err "Error code ${_ret} returned while copying issuer/CA certificate into place"
	return ${_ret}
	fi
	else
	[ -f "${_issuer}" ] && _err "Issuer file update not requested but .issuer file exists"
	fi

	# Update .ocsp file if certificate was requested with --ocsp/--ocsp-must-staple option
	if [ -z "${Le_OCSP_Staple}" ]; then
	Le_OCSP_Staple="0"
	fi
	if [ "${Le_OCSP_Staple}" = "1" ]; then
	_info "Updating OCSP stapling info"
	_debug _ocsp "${_ocsp}"
	_info "Extracting OCSP URL"
	_ocsp_url=$(${ACME_OPENSSL_BIN:-openssl} x509 -noout -ocsp_uri -in "${_pem}")
	_debug _ocsp_url "${_ocsp_url}"

	# Only process OCSP if URL was present
	if [ "${_ocsp_url}" != "" ]; then
	# Extract the hostname from the OCSP URL
	_info "Extracting OCSP URL"
	_ocsp_host=$(echo "${_ocsp_url}" \| cut -d/ -f3)
	_debug _ocsp_host "${_ocsp_host}"

	# Only process the certificate if we have a .issuer file
	if [ -r "${_issuer}" ]; then
	# Check if issuer cert is also a root CA cert
	_subjectdn=$(${ACME_OPENSSL_BIN:-openssl} x509 -in "${_issuer}" -subject -noout \| cut -d'/' -f2,3,4,5,6,7,8,9,10)
	_debug _subjectdn "${_subjectdn}"
	_issuerdn=$(${ACME_OPENSSL_BIN:-openssl} x509 -in "${_issuer}" -issuer -noout \| cut -d'/' -f2,3,4,5,6,7,8,9,10)
	_debug _issuerdn "${_issuerdn}"
	_info "Requesting OCSP response"
	# If the issuer is a CA cert then our command line has "-CAfile" added
	if [ "${_subjectdn}" = "${_issuerdn}" ]; then
	_cafile_argument="-CAfile \"${_issuer}\""
	else
	_cafile_argument=""
	fi
	_debug _cafile_argument "${_cafile_argument}"
	# if OpenSSL/LibreSSL is v1.1 or above, the format for the -header option has changed
	_openssl_version=$(${ACME_OPENSSL_BIN:-openssl} version \| cut -d' ' -f2)
	_debug _openssl_version "${_openssl_version}"
	_openssl_major=$(echo "${_openssl_version}" \| cut -d '.' -f1)
	_openssl_minor=$(echo "${_openssl_version}" \| cut -d '.' -f2)
	if [ "${_openssl_major}" -eq "1" ] && [ "${_openssl_minor}" -ge "1" ] \|\| [ "${_openssl_major}" -ge "2" ]; then
	_header_sep="="
	else
	_header_sep=" "
	fi
	# Request the OCSP response from the issuer and store it
	_openssl_ocsp_cmd="${ACME_OPENSSL_BIN:-openssl} ocsp \
	-issuer \"${_issuer}\" \
	-cert \"${_pem}\" \
	-url \"${_ocsp_url}\" \
	-header Host${_header_sep}\"${_ocsp_host}\" \
	-respout \"${_ocsp}\" \
	-verify_other \"${_issuer}\" \
	${_cafile_argument} \
	\| grep -q \"${_pem}: good\""
	_debug _openssl_ocsp_cmd "${_openssl_ocsp_cmd}"
	eval "${_openssl_ocsp_cmd}"
	_ret=$?
	else
	# Non fatal: No issuer file was present so no OCSP stapling file created
	_err "OCSP stapling in use but no .issuer file was present"
	fi
	else
	# Non fatal: No OCSP url was found int the certificate
	_err "OCSP update requested but no OCSP URL was found in certificate"
	fi

	# Non fatal: Check return code of openssl command
	if [ "${_ret}" != "0" ]; then
	_err "Updating OCSP stapling failed with return code ${_ret}"
	fi
	else
	# An OCSP file was already present but certificate did not have OCSP extension
	if [ -f "${_ocsp}" ]; then
	_err "OCSP was not requested but .ocsp file exists."
	# Could remove the file at this step, although HAProxy just ignores it in this case
	# rm -f "${_ocsp}" \|\| _err "Problem removing stale .ocsp file"
	fi
	fi

	if [ "${Le_Deploy_haproxy_hot_update}" = "yes" ]; then
	# Update certificate over HAProxy stats socket.
	if _exists socat; then
	# look for the certificate on the stats socket, to chose between updating or creating one
	_socat_cert_cmd="echo 'show ssl cert' \| socat ${_statssock} - \| grep -q '^${_pem}$'"
	_debug _socat_cert_cmd "${_socat_cert_cmd}"
	eval "${_socat_cert_cmd}"
	_ret=$?
	if [ "${_ret}" != "0" ]; then
	_newcert="1"
	_info "Creating new certificate '${_pem}' over HAProxy stats socket."
	# certificate wasn't found, it's a new one. We should check if the crt-list exists and creates/inserts the certificate.
	_socat_crtlist_show_cmd="echo 'show ssl crt-list' \| socat ${_statssock} - \| grep -q '^${Le_Deploy_haproxy_pem_path}$'"
	_debug _socat_crtlist_show_cmd "${_socat_crtlist_show_cmd}"
	eval "${_socat_crtlist_show_cmd}"
	_ret=$?
	if [ "${_ret}" != "0" ]; then
	_err "Couldn't find '${Le_Deploy_haproxy_pem_path}' in haproxy 'show ssl crt-list'"
	return "${_ret}"
	fi
	# create a new certificate
	_socat_new_cmd="echo 'new ssl cert ${_pem}' \| socat ${_statssock} - \| grep -q 'New empty'"
	_debug _socat_new_cmd "${_socat_new_cmd}"
	eval "${_socat_new_cmd}"
	_ret=$?
	if [ "${_ret}" != "0" ]; then
	_err "Couldn't create '${_pem}' in haproxy"
	return "${_ret}"
	fi
	else
	_info "Update existing certificate '${_pem}' over HAProxy stats socket."
	fi
	_socat_cert_set_cmd="echo -e 'set ssl cert ${_pem} <<\n$(cat ${_pem})\n' \| socat 'UNIX:${_statssock}' - \| grep -q 'Transaction created'"
	_debug _socat_cert_set_cmd "${_socat_cert_set_cmd}"
	eval "${_socat_cert_set_cmd}"
	_ret=$?
	if [ "${_ret}" != "0" ]; then
	_err "Can't update '${_pem}' in haproxy"
	return "${_ret}"
	fi
	_socat_cert_commit_cmd="echo 'commit ssl cert ${_pem}' \| socat 'UNIX:${_statssock}' - \| grep -q '^Success!$'"
	_debug _socat_cert_commit_cmd "${_socat_cert_commit_cmd}"
	eval "${_socat_cert_commit_cmd}"
	_ret=$?
	if [ "${_ret}" != "0" ]; then
	_err "Can't commit '${_pem}' in haproxy"
	return ${_ret}
	fi
	if [ "${_newcert}" = "1" ]; then
	# if this is a new certificate, it needs to be inserted into the crt-list`
	_socat_cert_add_cmd="echo 'add ssl crt-list ${Le_Deploy_haproxy_pem_path} ${_pem}' \| socat 'UNIX:${_statssock}' - \| grep -q 'Success!'"
	_debug _socat_cert_add_cmd "${_socat_cert_add_cmd}"
	eval "${_socat_cert_add_cmd}"
	_ret=$?
	if [ "${_ret}" != "0" ]; then
	_err "Can't update '${_pem}' in haproxy"
	return "${_ret}"
	fi
	fi
	else
	_err "'socat' is not available, couldn't update over stats socket"
	fi
	else
	# Reload HAProxy
	_debug _reload "${_reload}"
	eval "${_reload}"
	_ret=$?
	if [ "${_ret}" != "0" ]; then
	_err "Error code ${_ret} during reload"
	return ${_ret}
	else
	_info "Reload successful"
	fi
	fi

	return 0
	}