cert-provider: Update to support ACMEv2 on staging provider
Acquiring a staging certificate from LetsEncrypt was failing, so acme.sh was updated to version 2.8.5, which includes support for using ACMEv2 on the LetsEncrypt servers. The state flow was changed to make access retries infinite, as it became apparent that in some scenarios the certificate acquisition could fail to occur due to containers taking longer to become accessible. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
This commit is contained in:
parent
08a990d32d
commit
d67e29223f
@ -6,9 +6,11 @@ VOLUME [ "/usr/src/app/certs" ]
RUN apk add --update bash curl git openssl ncurses socat
RUN apk add --update bash curl git openssl ncurses socat
# from https://github.com/Neilpang/acme.sh/releases/tag/2.8.5
RUN git clone https://github.com/Neilpang/acme.sh.git && \
RUN git clone https://github.com/Neilpang/acme.sh.git && \
cd acme.sh && \
cd acme.sh && \
git checkout 08357e3cb0d80c84bdaf3e42ce0e439665387f57 . && \
git fetch && git fetch --tags && \
git checkout 2.8.5 . && \
./acme.sh --install \
./acme.sh --install \
--cert-home /usr/src/app/certs
--cert-home /usr/src/app/certs
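Review bot: The new `git checkout 2.8.5 .` line pins a tag where the removed line pinned a commit hash; a tag is a mutable reference, so a later re-pointed `2.8.5` upstream would silently change what is installed into the image without any change to this Dockerfile. Keep the release URL in the comment for readers but check out the tag's commit id, e.g. `git checkout <commit id of tag 2.8.5> .`, or run `git verify-tag 2.8.5` before the checkout if upstream signs its release tags (not visible from the hunk). The added `git fetch && git fetch --tags` is redundant after a full `git clone`, which already fetches the tags, and can be dropped.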
@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
# the acme.sh client script, installed via Git in the Dockerfile...
# the acme.sh client script, installed via Git in the Dockerfile...
ACME_BIN="$(realpath ~/.acme.sh/acme.sh)"
ACME_BIN="$(realpath ~/.acme.sh/acme.sh)"
@ -45,14 +45,20 @@ retryWithDelay() {
DELAY=${3:-5}
DELAY=${3:-5}
local ATTEMPT=0
local ATTEMPT=0
while [ $RETRIES -gt $ATTEMPT ]; do
while [ "$RETRIES" -gt "$ATTEMPT" ]; do
let "ATTEMPT++"
(( ATTEMPT++ ))
logInfo "($ATTEMPT/$RETRIES) Connecting..."
if $1; then
if $1; then
logInfo "($ATTEMPT/$RETRIES) Success!"
return $?
return $?
fi
fi
echo "($ATTEMPT/$RETRIES) Retrying in ${DELAY} seconds..."
if [ "$RETRIES" -gt "$ATTEMPT" ]; then
sleep $DELAY
logInfo "($ATTEMPT/$RETRIES) Failed. Retrying in ${DELAY} seconds..."
sleep "$DELAY"
else
logInfo "($ATTEMPT/$RETRIES) Failed!"
fi
done
done
return 1
return 1
@ -62,7 +68,7 @@ waitForOnline() {
ADDRESS="${1,,}"
ADDRESS="${1,,}"
logInfo "Waiting for ${ADDRESS} to be available via HTTP..."
logInfo "Waiting for ${ADDRESS} to be available via HTTP..."
retryWithDelay "curl --output /dev/null --silent --head --fail http://${ADDRESS}" 6 5
retryWithDelay "curl --output /dev/null --silent --head --fail --max-time 5 http://${ADDRESS}"
}
}
isUsingStagingCert() {
isUsingStagingCert() {
@ -167,7 +173,10 @@ acquireCertificate() {
pre-flight || logErrorAndStop "Unable to continue due to misconfiguration. See errors above."
pre-flight || logErrorAndStop "Unable to continue due to misconfiguration. See errors above."
waitForOnline "${ACME_DOMAINS[0]}" || logErrorAndStop "Unable to access ${ACME_DOMAINS[0]} on port 80. This is needed for certificate validation."
while ! waitForOnline "${ACME_DOMAINS[0]}"; do
logInfo "Unable to access ${ACME_DOMAINS[0]} on port 80. This is needed for certificate validation. Retrying in 30 seconds..."
sleep 30
done
if ! lastAcquiredCertFor "production"; then
if ! lastAcquiredCertFor "production"; then
acquireCertificate "staging" || logErrorAndStop "Unable to acquire a staging certificate."
acquireCertificate "staging" || logErrorAndStop "Unable to acquire a staging certificate."
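Review bot: In the retryWithDelay hunk, `return $?` now follows the newly inserted `logInfo "($ATTEMPT/$RETRIES) Success!"`, so it returns the exit status of the logger rather than of the probed command; since that branch is only reached when `$1` succeeded, `return 0` states the intent and cannot be skewed by logInfo. The new `(( ATTEMPT++ ))` carries over a trap from `let "ATTEMPT++"`: the post-increment from 0 evaluates to 0, so its status is 1 on the first pass, and should `set -e` ever be enabled in this script (not visible here) the function would exit before the first attempt; `ATTEMPT=$((ATTEMPT + 1))` avoids that. The retryWithDelay function starts before and ends after its hunk. In the acquireCertificate hunk the new `while ! waitForOnline "${ACME_DOMAINS[0]}"` loop has no upper bound and logs only at info level, so a permanently wrong domain keeps the container silently retrying every 30 seconds; counting iterations and escalating the log message after a threshold would let a misconfiguration surface in monitoring while keeping the retries infinite.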