site-cookbooks/kosmos-dirsrv/resources/instance.rb

@@ -101,21 +101,25 @@ nsslapd-allow-anonymous-access: off
     include_recipe "kosmos-base::letsencrypt"
 
     dirsrv_hook = <<-EOF
-    #!/usr/bin/env bash
+#!/usr/bin/env bash
 
-    set -e
+set -e
 
-    # Copy the dirsrv certificate and restart the server if it has been renewed
-    # This is necessary because dirsrv uses a different format for the certificates
-    for domain in $RENEWED_DOMAINS; do
-      case $domain in
-      #{new_resource.hostname})
-        openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:
-        pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''
-        systemctl restart #{service_name}
-        ;;
-      esac
-    done
+# Copy the dirsrv certificate and restart the server if it has been renewed
+# This is necessary because dirsrv uses a different format for the certificates
+for domain in $RENEWED_DOMAINS; do
+  case $domain in
+  #{new_resource.hostname})
+    openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:
+    pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''
+    # Remove the encryption key entries from the current database.
+    # They will be recreated on restart for the new certificate
+    awk '! /^dn: cn=3D|AES,cn=encrypted attribute keys,cn=userRoot/ {print; printf "\n" ; }' RS="" #{inst_dir}/dse.ldif > #{inst_dir}/dse_new.ldif
+    mv #{inst_dir}/dse_new.ldif #{inst_dir}/dse.ldif
+    systemctl restart #{service_name}
+    ;;
+  esac
+done
     EOF
 
     file "/etc/letsencrypt/renewal-hooks/deploy/dirsrv" do