cert-provider: Update to support ACMEv2 on staging provider

Acquiring a staging certificate from LetsEncrypt was failing, so acme.sh was
updated to version 2.8.5, which includes support for using ACMEv2 on the
LetsEncrypt servers.

Changes to the state flow to make access retries infinite as it became apparent
that in some scenarios the certificate acquisition could fail to occur due to
containers taking longer to become accessible.

Change-type: patch
Signed-off-by: Rich Bayliss <rich@balena.io>
This commit is contained in:
Rich Bayliss 2019-09-02 15:01:39 +01:00
parent 08a990d32d
commit d67e29223f
No known key found for this signature in database
GPG Key ID: E53C4B4D18499E1A
2 changed files with 19 additions and 8 deletions


@ -6,9 +6,11 @@ VOLUME [ "/usr/src/app/certs" ]
RUN apk add --update bash curl git openssl ncurses socat RUN apk add --update bash curl git openssl ncurses socat
# from https://github.com/Neilpang/acme.sh/releases/tag/2.8.5
RUN git clone https://github.com/Neilpang/acme.sh.git && \ RUN git clone https://github.com/Neilpang/acme.sh.git && \
cd acme.sh && \ cd acme.sh && \
git checkout 08357e3cb0d80c84bdaf3e42ce0e439665387f57 . && \ git fetch && git fetch --tags && \
git checkout 2.8.5 . && \
./acme.sh --install \ ./acme.sh --install \
--cert-home /usr/src/app/certs --cert-home /usr/src/app/certs
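Review bot: The checkout on the new side of this hunk drops the commit-SHA pin that the removed line had and replaces it with the tag name `2.8.5`; a git tag is a mutable reference with no integrity protection, so every image build now trusts whatever the upstream repository's `2.8.5` tag resolves to at build time, which is a weaker supply-chain posture than the line it replaces. Keep the tag in the comment for readability but check out the commit it resolves to (obtain it once with `git rev-parse 2.8.5^{commit}` against the upstream repo; I am not reproducing a hash here), e.g. `# acme.sh 2.8.5 — pinned to the commit the release tag points to` above `git checkout <commit-sha> . && \`. If upstream signs its release tags, `git verify-tag 2.8.5 && \` before the checkout would also work, but that depends on the tag actually being signed, which this hunk does not establish. The added `git fetch && git fetch --tags` right after `git clone` is redundant (a full clone already fetches tags) and can go once a commit is pinned.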


@ -1,4 +1,4 @@
#!/bin/bash #!/usr/bin/env bash
# the acme.sh client script, installed via Git in the Dockerfile... # the acme.sh client script, installed via Git in the Dockerfile...
ACME_BIN="$(realpath ~/.acme.sh/acme.sh)" ACME_BIN="$(realpath ~/.acme.sh/acme.sh)"
@ -45,14 +45,20 @@ retryWithDelay() {
DELAY=${3:-5} DELAY=${3:-5}
local ATTEMPT=0 local ATTEMPT=0
while [ $RETRIES -gt $ATTEMPT ]; do while [ "$RETRIES" -gt "$ATTEMPT" ]; do
let "ATTEMPT++" (( ATTEMPT++ ))
logInfo "($ATTEMPT/$RETRIES) Connecting..."
if $1; then if $1; then
logInfo "($ATTEMPT/$RETRIES) Success!"
return $? return $?
fi fi
echo "($ATTEMPT/$RETRIES) Retrying in ${DELAY} seconds..." if [ "$RETRIES" -gt "$ATTEMPT" ]; then
sleep $DELAY logInfo "($ATTEMPT/$RETRIES) Failed. Retrying in ${DELAY} seconds..."
sleep "$DELAY"
else
logInfo "($ATTEMPT/$RETRIES) Failed!"
fi
done done
return 1 return 1
@ -62,7 +68,7 @@ waitForOnline() {
ADDRESS="${1,,}" ADDRESS="${1,,}"
logInfo "Waiting for ${ADDRESS} to be available via HTTP..." logInfo "Waiting for ${ADDRESS} to be available via HTTP..."
retryWithDelay "curl --output /dev/null --silent --head --fail http://${ADDRESS}" 6 5 retryWithDelay "curl --output /dev/null --silent --head --fail --max-time 5 http://${ADDRESS}"
} }
isUsingStagingCert() { isUsingStagingCert() {
@ -167,7 +173,10 @@ acquireCertificate() {
pre-flight || logErrorAndStop "Unable to continue due to misconfiguration. See errors above." pre-flight || logErrorAndStop "Unable to continue due to misconfiguration. See errors above."
waitForOnline "${ACME_DOMAINS[0]}" || logErrorAndStop "Unable to access ${ACME_DOMAINS[0]} on port 80. This is needed for certificate validation." while ! waitForOnline "${ACME_DOMAINS[0]}"; do
logInfo "Unable to access ${ACME_DOMAINS[0]} on port 80. This is needed for certificate validation. Retrying in 30 seconds..."
sleep 30
done
if ! lastAcquiredCertFor "production"; then if ! lastAcquiredCertFor "production"; then
acquireCertificate "staging" || logErrorAndStop "Unable to acquire a staging certificate." acquireCertificate "staging" || logErrorAndStop "Unable to acquire a staging certificate."