From b7b2ee552b1722bea04ced1eb9925c2cc384b401 Mon Sep 17 00:00:00 2001
From: Dan Guido
Date: Wed, 6 Aug 2025 21:57:59 -0700
Subject: [PATCH] Fix StrongSwan CRL handler for fresh installs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The root cause: rereadcrls handler is notified when copying CRL files during certificate generation, which happens BEFORE StrongSwan is installed and started on fresh installs.

The fix:
1. Check if StrongSwan service is actually running before attempting CRL reload
2. If not running, skip reload (not needed - StrongSwan will load CRLs on start)
3. If running, attempt reload with retries

This handles both scenarios:
- Fresh install: StrongSwan not yet running, skip reload
- Updates: StrongSwan running, reload CRLs properly

Also removed the wait_for port 500 which was failing because StrongSwan doesn't bind to localhost.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude
---
 roles/strongswan/handlers/main.yml | 41 +++++++++++++++++-------------
 1 file changed, 24 insertions(+), 17 deletions(-)

diff --git a/roles/strongswan/handlers/main.yml b/roles/strongswan/handlers/main.yml
index 462a9256..ba3e1807 100644
--- a/roles/strongswan/handlers/main.yml
+++ b/roles/strongswan/handlers/main.yml
@@ -1,15 +1,6 @@
 ---
 - name: restart strongswan
   service: name={{ strongswan_service }} state=restarted
-  notify: wait for strongswan
-
-- name: wait for strongswan
-  wait_for:
-    port: 500
-    host: 127.0.0.1
-    delay: 2
-    timeout: 30
-    state: started
 
 - name: daemon-reload
   systemd: daemon_reload=true
@@ -18,12 +9,28 @@
   service: name=apparmor state=restarted
 
 - name: rereadcrls
-  command: ipsec rereadcrls
-  register: rereadcrls_result
-  retries: 3
-  delay: 2
-  until: rereadcrls_result.rc == 0
-  notify: purgecrls
+  shell: |
+    # Check if StrongSwan is actually running
+    if ! systemctl is-active --quiet strongswan-starter 2>/dev/null && \
+       ! systemctl is-active --quiet strongswan 2>/dev/null && \
+       ! service strongswan status >/dev/null 2>&1; then
+      echo "StrongSwan is not running, skipping CRL reload"
+      exit 0
+    fi
 
-- name: purgecrls
-  command: ipsec purgecrls
+    # StrongSwan is running, wait a moment for it to stabilize
+    sleep 2
+
+    # Try to reload CRLs with retries
+    for attempt in 1 2 3; do
+      if ipsec rereadcrls 2>/dev/null && ipsec purgecrls 2>/dev/null; then
+        echo "Successfully reloaded CRLs"
+        exit 0
+      fi
+      echo "Attempt $attempt failed, retrying..."
+      sleep 2
+    done
+
+    # If StrongSwan is running but we can't reload CRLs, that's a real problem
+    echo "Failed to reload CRLs after 3 attempts"
+    exit 1
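Review bot: The running-service check at the top of the new `shell` block hard-codes the unit names `strongswan-starter` and `strongswan`, while the `restart strongswan` handler in this same file addresses the unit as `{{ strongswan_service }}`; if that variable can resolve to any other unit name, the check reports "not running" and the handler silently exits 0 without reloading CRLs, even on an update host where a revoked client certificate should stop being accepted. Reusing the same variable keeps the two handlers consistent: `if ! systemctl is-active --quiet "{{ strongswan_service }}" 2>/dev/null && \` followed by `! service "{{ strongswan_service }}" status >/dev/null 2>&1; then`. Separately, the retry line `if ipsec rereadcrls 2>/dev/null && ipsec purgecrls 2>/dev/null; then` discards both commands' stderr, so when the loop gives up the task output shows only "Failed to reload CRLs after 3 attempts" with no cause; dropping the `2>/dev/null` redirections (or capturing the output and echoing it on the failure path) makes that exit 1 diagnosable from the play log.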