Fix StrongSwan CRL handler for fresh installs

The root cause: rereadcrls handler is notified when copying CRL files during certificate generation, which happens BEFORE StrongSwan is installed and started on fresh installs. The fix: 1. Check if StrongSwan service is actually running before attempting CRL reload 2. If not running, skip reload (not needed - StrongSwan will load CRLs on start) 3. If running, attempt reload with retries This handles both scenarios: - Fresh install: StrongSwan not yet running, skip reload - Updates: StrongSwan running, reload CRLs properly Also removed the wait_for port 500 which was failing because StrongSwan doesn't bind to localhost. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-03 10:33:13 +02:00 · 2025-08-06 21:57:59 -07:00 · 2025-08-06 21:57:59 -07:00 · b7b2ee552b
commit b7b2ee552b
parent 4479c0318a
1 changed files with 24 additions and 17 deletions
--- a/roles/strongswan/handlers/main.yml
+++ b/roles/strongswan/handlers/main.yml
@ -1,15 +1,6 @@
 ---
 - name: restart strongswan
  service: name={{ strongswan_service }} state=restarted
-  notify: wait for strongswan
-
- name: wait for strongswan
-  wait_for:
-    port: 500
-    host: 127.0.0.1
-    delay: 2
-    timeout: 30
-    state: started

 - name: daemon-reload
  systemd: daemon_reload=true
@ -18,12 +9,28 @@
  service: name=apparmor state=restarted

 - name: rereadcrls
-  command: ipsec rereadcrls
-  register: rereadcrls_result
-  retries: 3
-  delay: 2
-  until: rereadcrls_result.rc == 0
-  notify: purgecrls
+  shell: |
+    # Check if StrongSwan is actually running
+    if ! systemctl is-active --quiet strongswan-starter 2>/dev/null && \
+       ! systemctl is-active --quiet strongswan 2>/dev/null && \
+       ! service strongswan status >/dev/null 2>&1; then
+      echo "StrongSwan is not running, skipping CRL reload"
+      exit 0
+    fi

- name: purgecrls
-  command: ipsec purgecrls
+    # StrongSwan is running, wait a moment for it to stabilize
+    sleep 2
+
+    # Try to reload CRLs with retries
+    for attempt in 1 2 3; do
+      if ipsec rereadcrls 2>/dev/null && ipsec purgecrls 2>/dev/null; then
+        echo "Successfully reloaded CRLs"
+        exit 0
+      fi
+      echo "Attempt $attempt failed, retrying..."
+      sleep 2
+    done
+
+    # If StrongSwan is running but we can't reload CRLs, that's a real problem
+    echo "Failed to reload CRLs after 3 attempts"
+    exit 1