diff --git a/site-cookbooks/kosmos-dirsrv/resources/instance.rb b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
index 0ef689b..de6b6fd 100644
--- a/site-cookbooks/kosmos-dirsrv/resources/instance.rb
+++ b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
@@ -101,21 +101,25 @@ nsslapd-allow-anonymous-access: off
 include_recipe "kosmos-base::letsencrypt"
 dirsrv_hook = <<-EOF
- #!/usr/bin/env bash
+#!/usr/bin/env bash
- set -e
+set -e
- # Copy the dirsrv certificate and restart the server if it has been renewed
- # This is necessary because dirsrv uses a different format for the certificates
- for domain in $RENEWED_DOMAINS; do
- case $domain in
- #{new_resource.hostname})
- openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:
- pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''
- systemctl restart #{service_name}
- ;;
- esac
- done
+# Copy the dirsrv certificate and restart the server if it has been renewed
+# This is necessary because dirsrv uses a different format for the certificates
+for domain in $RENEWED_DOMAINS; do
+ case $domain in
+ #{new_resource.hostname})
+ openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:
+ pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''
+ # Remove the encryption key entries from the current database.
+ # They will be recreated on restart for the new certificate
+ awk '! /^dn: cn=3D|AES,cn=encrypted attribute keys,cn=userRoot/ {print; printf "\n" ; }' RS="" #{inst_dir}/dse.ldif > #{inst_dir}/dse_new.ldif
+ mv #{inst_dir}/dse_new.ldif #{inst_dir}/dse.ldif
+ systemctl restart #{service_name}
+ ;;
+ esac
+done
 EOF
 file "/etc/letsencrypt/renewal-hooks/deploy/dirsrv" do
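Review bot: The PKCS#12 bundle written to `#{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12` carries the renewed private key with an empty export passphrase (`-passout pass:`) and is never removed after `pk12util` imports it, so the key persists in the cache directory; add `umask 077` after `set -e` and `rm -f "#{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12"` directly after the `pk12util` line. The new `awk … > #{inst_dir}/dse_new.ldif` / `mv` pair replaces the file's inode, so the rewritten `dse.ldif` takes root's ownership and umask rather than the original file's owner and mode — presumably the instance user must read and write it, so run `chown --reference=#{inst_dir}/dse.ldif #{inst_dir}/dse_new.ldif` and `chmod --reference=#{inst_dir}/dse.ldif #{inst_dir}/dse_new.ldif` before the `mv`, or confirm the defaults are acceptable. 389-ds also rewrites `dse.ldif` itself while running, so the entry removal is safer placed between `systemctl stop` and `systemctl start` than ahead of a `restart`; I cannot see the instance configuration, so treat that as something to verify. The `awk` pattern parses as `^dn: cn=3D` or `AES,cn=encrypted attribute keys,cn=userRoot`; if both the 3DES and AES key entries are meant, `^dn: cn=(3DES|AES),cn=encrypted attribute keys,cn=userRoot` states that explicitly. The enclosing resource action starts before this hunk and the `file` resource continues after it.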