[letsencrypt] Avoid rendering empty --key-type argument

keuko · Alex-Welsh · commit 80bfcaae5679 · 2025-09-22T10:06:38.000+01:00
The `--key-type` argument was always rendered in the command, even if the `letsencrypt_key_type` variable was empty. This caused the command to fail due to an invalid empty argument. The template now checks if `letsencrypt_key_type` has a non-zero length before including `--key-type`, ensuring correct rendering of the script. Change-Id: I66a76fc8d27bcc97cd3133eed137fd46ea599511 (cherry picked from commit 11d889d) Signed-off-by: Bartosz Bezak <bartosz@stackhpc.com>
diff --git a/ansible/roles/letsencrypt/templates/letsencrypt-lego-run.sh.j2 b/ansible/roles/letsencrypt/templates/letsencrypt-lego-run.sh.j2
@@ -4,11 +4,44 @@
 
 {% if 'external' in letsencrypt_managed_certs and kolla_external_fqdn != kolla_external_vip_address %}
 # External Certificates
-/usr/bin/letsencrypt-certificates --external --fqdns {% for fqdn in letsencrypt_external_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_external_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %}{% if letsencrypt_external_account_binding | bool %} --eab --hmac {{ letsencrypt_eab_hmac }} --kid {{ letsencrypt_eab_key_id }}{% endif %} --key-type {{ letsencrypt_key_type }} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
+/usr/bin/letsencrypt-certificates \
+  --external \
+  --fqdns {% for fqdn in letsencrypt_external_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} \
+  --days {{ letsencrypt_cert_valid_days }} \
+  --port {{ letsencrypt_webserver_port }} \
+  --mail {{ letsencrypt_email }} \
+  --acme {{ letsencrypt_external_cert_server }} \
+  --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} \
+  --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %} \
+  {% if letsencrypt_external_account_binding | bool %}
+    --eab \
+    --hmac {{ letsencrypt_eab_hmac }} \
+    --kid {{ letsencrypt_eab_key_id }} \
+  {% endif %}
+  {% if letsencrypt_key_type | length > 0 %}
+    --key-type {{ letsencrypt_key_type }} \
+  {% endif %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
 {% endif %}
+
 {% if 'internal' in letsencrypt_managed_certs and kolla_internal_fqdn != kolla_internal_vip_address %}
 # Internal Certificates
-/usr/bin/letsencrypt-certificates --internal --fqdns {% for fqdn in letsencrypt_internal_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_internal_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %}{% if letsencrypt_external_account_binding | bool %} --eab --hmac {{ letsencrypt_eab_hmac }} --kid {{ letsencrypt_eab_key_id }}{% endif %}{% if letsencrypt_key_type | length > 0 %} --key-type {{ letsencrypt_key_type }}{% endif %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
+/usr/bin/letsencrypt-certificates \
+  --internal \
+  --fqdns {% for fqdn in letsencrypt_internal_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} \
+  --days {{ letsencrypt_cert_valid_days }} \
+  --port {{ letsencrypt_webserver_port }} \
+  --mail {{ letsencrypt_email }} \
+  --acme {{ letsencrypt_internal_cert_server }} \
+  --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} \
+  --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %} \
+  {% if letsencrypt_external_account_binding | bool %}
+    --eab \
+    --hmac {{ letsencrypt_eab_hmac }} \
+    --kid {{ letsencrypt_eab_key_id }} \
+  {% endif %}
+  {% if letsencrypt_key_type | length > 0 %}
+    --key-type {{ letsencrypt_key_type }} \
+  {% endif %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
 {% endif %}
 
 {{ cron_cmd }}
diff --git a/releasenotes/notes/bug-2115230-4220523768ff2685.yaml b/releasenotes/notes/bug-2115230-4220523768ff2685.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fixed certificate script rendering in Let's Encrypt role.
+    `LP#2115230 <https://bugs.launchpad.net/kolla-ansible/+bug/2115230>`__

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +fixes:
 +  - |
 +    Fixed certificate script rendering in Let's Encrypt role.
 +    `LP#2115230 <https://bugs.launchpad.net/kolla-ansible/+bug/2115230>`__