From b4261094a7649b520104d468e84daf89054c5b7f Mon Sep 17 00:00:00 2001
From: Patrik Lundin
Date: Mon, 4 Nov 2024 09:26:42 +0100
Subject: [PATCH] Only bind certbot to machine-specific IP Because there will be haproxy instances running next to this service we can only listen to the machine-local address not the default of "all addreses": Error seen: ``` Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again. ```
---
 global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp b/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp
index c34b323..1d59e13 100644
--- a/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp
+++ b/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp
@@ -50,7 +50,7 @@ class cdn::mqtt(
 content => file('cdn/mqtt/sunet-cdn-mqtt'),
 }
- exec { "certbot certonly -n --email patlu@sunet.se --no-eff-email --agree-tos --standalone -d ${my_fqdn} --server ${acme_url[$environment]}":
+ exec { "certbot certonly -n --email patlu@sunet.se --no-eff-email --agree-tos --standalone -d ${my_fqdn} --server ${acme_url[$environment]} --http-01-address ${facts['networking']['ip']}":
 creates => "/etc/letsencrypt/live/${my_fqdn}/fullchain.pem"
 }
 }
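Review bot: The address passed to `--http-01-address` on the new `exec` line comes from `facts['networking']['ip']`, which is Facter's choice of primary IPv4 address rather than an address tied to `${my_fqdn}`; on a host with several addresses, or where the name also has an AAAA record, the HTTP-01 listener may end up on an address the ACME server never contacts, so issuance could fail — worth confirming against DNS. Because `creates` stops the exec once `fullchain.pem` exists, and certbot normally stores the options of the issuing run in its renewal configuration, the address is probably pinned for later renewals too, so a renumbered host would need manual attention. A comment above the resource would record the intent, e.g. `# bind the HTTP-01 listener to the host's own address only; haproxy holds port 80 on the other addresses`. The `cdn::mqtt` class body starts outside the hunk, so whether the fact is checked or overridden elsewhere is not visible here.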