haproxytech
diff --git a/‎client-native/events.go‎
Lines changed: 1 addition & 3 deletions b/‎client-native/events.go‎
Lines changed: 1 addition & 3 deletions
diff --git a/‎client-native/events_acme.go‎
Lines changed: 12 additions & 9 deletions b/‎client-native/events_acme.go‎
Lines changed: 12 additions & 9 deletions
diff --git a/‎…/data/container/var/lib/haproxy/dns01.sh‎ ‎…container/usr/local/etc/haproxy/dns01.sh‎e2e/tests/runtime_acme/data/container/var/lib/haproxy/dns01.sh renamed to e2e/tests/runtime_acme/data/container/usr/local/etc/haproxy/dns01.sh b/‎…/data/container/var/lib/haproxy/dns01.sh‎ ‎…container/usr/local/etc/haproxy/dns01.sh‎e2e/tests/runtime_acme/data/container/var/lib/haproxy/dns01.sh renamed to e2e/tests/runtime_acme/data/container/usr/local/etc/haproxy/dns01.sh
diff --git a/‎…ta/container/var/lib/haproxy/haproxy.pem‎ ‎…er/usr/local/etc/haproxy/ssl/haproxy.pem‎e2e/tests/runtime_acme/data/container/var/lib/haproxy/haproxy.pem renamed to e2e/tests/runtime_acme/data/container/usr/local/etc/haproxy/ssl/haproxy.pem b/‎…ta/container/var/lib/haproxy/haproxy.pem‎ ‎…er/usr/local/etc/haproxy/ssl/haproxy.pem‎e2e/tests/runtime_acme/data/container/var/lib/haproxy/haproxy.pem renamed to e2e/tests/runtime_acme/data/container/usr/local/etc/haproxy/ssl/haproxy.pem
diff --git a/‎…a/container/var/lib/haproxy/haproxy2.pem‎ ‎…r/usr/local/etc/haproxy/ssl/haproxy2.pem‎e2e/tests/runtime_acme/data/container/var/lib/haproxy/haproxy2.pem renamed to e2e/tests/runtime_acme/data/container/usr/local/etc/haproxy/ssl/haproxy2.pem b/‎…a/container/var/lib/haproxy/haproxy2.pem‎ ‎…r/usr/local/etc/haproxy/ssl/haproxy2.pem‎e2e/tests/runtime_acme/data/container/var/lib/haproxy/haproxy2.pem renamed to e2e/tests/runtime_acme/data/container/usr/local/etc/haproxy/ssl/haproxy2.pem
diff --git a/‎e2e/tests/runtime_acme/data/haproxy.cfg‎
Lines changed: 10 additions & 5 deletions b/‎e2e/tests/runtime_acme/data/haproxy.cfg‎
Lines changed: 10 additions & 5 deletions
diff --git a/‎e2e/tests/runtime_acme/tests.bats‎
Lines changed: 7 additions & 4 deletions b/‎e2e/tests/runtime_acme/tests.bats‎
Lines changed: 7 additions & 4 deletions
@@ -161,7 +161,6 @@ const maxRetryBackoff = 60 * time.Second
 func (h *HAProxyEventListener) listen(ctx context.Context) {
 	defer close(h.done)
 
-	var err error
 	retryAfter := 100 * time.Millisecond
 	loggedDisconnect := false
 
@@ -178,8 +177,7 @@ func (h *HAProxyEventListener) listen(ctx context.Context) {
 		h.mu.Unlock()
 
 		if needsConnect {
-			var el *runtime.EventListener
-			el, err = newHAProxyEventListener(h.rt.SocketPath())
+			el, err := newHAProxyEventListener(h.rt.SocketPath())
 			if err != nil {
 				if !loggedDisconnect {
 					log.Warningf("event listener disconnected, reconnecting: %v", err)
 
@@ -74,25 +74,28 @@ func (h *HAProxyEventListener) handleAcmeNewCertEvent(args string) {
 		return
 	}
 
-	// Do not use the certificate name in args as a storage name.
-	// It could be an alias, or the user could have split keys and certs storage.
+	// The only argument is the certificate name, which could be a "virtual"
+	// name like "@store/www1" in case of a crt-store.
+	crtName := args
 
-	crt, err := h.rt.ShowCertificate(args)
+	// Use "show ssl cert" to get the real filename of the certificate.
+	crt, err := h.rt.ShowCertificate(crtName)
 	if err != nil {
 		log.Errorf("events: acme newcert %s: %s", args, err.Error())
 		return
 	}
 
-	storage, err := h.client.SSLCertStorage()
+	// Use "dump ssl cert" to get the certificate contents in PEM format.
+	// This command only works on sockets with level "admin"!
+	pem, err := h.rt.DumpCertificate(crtName)
 	if err != nil {
-		log.Error(err)
+		log.Errorf("events: acme newcert %s: dump cert: %s", args, err.Error())
 		return
 	}
 
-	// 'dump ssl cert' can only be issued on sockets with level "admin".
-	pem, err := h.rt.DumpCertificate(crt.StorageName)
+	storage, err := h.client.SSLCertStorage()
 	if err != nil {
-		log.Errorf("events: acme newcert %s: dump cert: %s", args, err.Error())
+		log.Errorf("events: acme newcert %s: %s", args, err.Error())
 		return
 	}
 
@@ -115,7 +118,7 @@ func (h *HAProxyEventListener) handleAcmeNewCertEvent(args string) {
 		return
 	}
 
-	log.Debugf("events: OK: acme newcert %s => %s", args, crt.StorageName)
+	log.Debugf("events: OK: acme newcert %s => %s", args, storageName)
 }
 
 // HAProxy needs dpapi to solve a dns-01 challenge.
 
@@ -40,7 +40,7 @@ defaults mydefaults
 
 acme pebble
     directory https://pebble:14000/dir
-    account-key /var/lib/haproxy/acme.account.key
+    account-key /etc/haproxy/ssl/acme.account.key
     contact john.doe@example.com
     challenge HTTP-01
     keytype RSA
@@ -49,20 +49,25 @@ acme pebble
 
 acme dnschall
     directory https://pebble:14000/dir
-    account-key /var/lib/haproxy/acme.account.key
+    account-key /etc/haproxy/ssl/acme.account.key
     contact john.doe@example.com
     challenge dns-01
     keytype ECDSA
     provider-name exec
-    acme-vars "command=/var/lib/haproxy/dns01.sh"
+    acme-vars "command=/etc/haproxy/dns01.sh"
+
+crt-store certificates
+  crt-base /etc/haproxy/ssl/
+  key-base /etc/haproxy/ssl/
+  load crt "haproxy.pem" acme pebble alias "www" domains "dataplaneapi-e2e"
 
 frontend web
     bind *:1080
     bind *:1443 ssl
     http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].%[path,field(-1,/),map(virt@acme)]\n" if { path_beg '/.well-known/acme-challenge/' }
-    ssl-f-use crt "/var/lib/haproxy/haproxy.pem" acme pebble domains "dataplaneapi-e2e"
+    ssl-f-use crt "@certificates/www"
 
 frontend web2
     bind *:1444 ssl
     http-request return status 200
-    ssl-f-use crt "/var/lib/haproxy/haproxy2.pem" acme dnschall domains "dns01.test"
+    ssl-f-use crt "/etc/haproxy/ssl/haproxy2.pem" acme dnschall domains "dns01.test"
@@ -30,7 +30,8 @@ _RUNTIME_ACME_PATH="/services/haproxy/runtime/acme"
 @test "acme_runtime: Renew a certificate" {
     haproxy_version_ge "3.3" || skip
 
-    cert_name="/var/lib/haproxy/haproxy.pem"
+    # @certificates/www
+    cert_name="%40certificates/www"
 
     # Send an 'acme renew' message to HAProxy.
     run dpa_curl PUT "$_RUNTIME_ACME_PATH?certificate=$cert_name"
@@ -53,7 +54,8 @@ _RUNTIME_ACME_PATH="/services/haproxy/runtime/acme"
     timeout=8 elapsed=0 inc=1 found=false
     while ((elapsed < timeout)); do
         sleep $inc && elapsed=$((elapsed + inc))
-        if dpa_docker_exec 'ls -l /etc/haproxy/ssl/haproxy.pem'; then
+        if ! dpa_diff_docker_file /etc/haproxy/ssl/haproxy.pem data/container/usr/local/etc/haproxy/ssl/haproxy.pem
+        then
             found=true
             break
         fi
@@ -64,7 +66,7 @@ _RUNTIME_ACME_PATH="/services/haproxy/runtime/acme"
 @test "acme_runtime: dns-01 challenge" {
     haproxy_version_ge "3.3" || skip
 
-    cert_name="/var/lib/haproxy/haproxy2.pem"
+    cert_name="/etc/haproxy/ssl/haproxy2.pem"
 
     run dpa_curl PUT "$_RUNTIME_ACME_PATH?certificate=$cert_name"
 	assert_success
@@ -74,7 +76,8 @@ _RUNTIME_ACME_PATH="/services/haproxy/runtime/acme"
     timeout=20 elapsed=0 inc=2 found=false
     while ((elapsed < timeout)); do
         sleep $inc && elapsed=$((elapsed + inc))
-        if dpa_docker_exec 'ls -l /etc/haproxy/ssl/haproxy2.pem'; then
+        if ! dpa_diff_docker_file /etc/haproxy/ssl/haproxy2.pem data/container/usr/local/etc/haproxy/ssl/haproxy2.pem
+        then
             found=true
             break
         fi