-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathcertbot.cron
76 lines (63 loc) · 2.14 KB
/
certbot.cron
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
#!/bin/bash
set -ueo pipefail
if test -s /var/log/letsencrypt/letsencrypt.log; then
# Preserve previous log until next run
mv /var/log/letsencrypt/letsencrypt.log /var/log/letsencrypt/letsencrypt.log.old;
fi
SNIKKET_DOMAIN_ASCII=$(idn2 "$SNIKKET_DOMAIN")
export SNIKKET_DOMAIN_ASCII
SNIKKET_CERTBOT_KEY_OPTIONS=${SNIKKET_CERTBOT_KEY_OPTIONS:---reuse-key}
has_errors () {
test -s /var/log/letsencrypt/errors.log;
return;
}
try_cert () {
if su letsencrypt -- -c "certbot certonly -n --webroot --webroot-path /var/www \
--cert-path /etc/ssl/certbot \
--keep ${SNIKKET_CERTBOT_OPTIONS-} $SNIKKET_CERTBOT_KEY_OPTIONS \
--agree-tos --email \"$SNIKKET_ADMIN_EMAIL\" --expand \
--config-dir /snikket/letsencrypt \
--domain \"$SNIKKET_DOMAIN_ASCII\" --domain \"share.$SNIKKET_DOMAIN_ASCII\" \
--domain \"groups.$SNIKKET_DOMAIN_ASCII\"
"; then
certbot_failed=0;
else
certbot_failed=1;
fi
sed -n '/^{/,/^}/p' /var/log/letsencrypt/letsencrypt.log \
| jq -r '(select(.status=="invalid").challenges | .[].error?.detail ), select(.detail).detail' \
> /var/log/letsencrypt/errors.log;
if [[ "$certbot_failed" == "1" ]] || has_errors; then
touch /snikket/letsencrypt/has-errors;
report-error.sh "Certificate issuance failure" "/var/log/letsencrypt/errors.log";
elif test -f /snikket/letsencrypt/has-errors; then
rm /snikket/letsencrypt/has-errors;
fi
}
should_retry () {
# This matches certain "soft" errors that we consider safe to retry
# "networking error" seems to be an intermittent timeout on the Let's Encrypt side
# "Service busy" is returned when their service is overloaded
grep -qE "^(DNS problem: networking error|Service busy;)" /var/log/letsencrypt/errors.log;
return;
}
# Initial attempt
try_cert;
attempts=0
if should_retry; then
while test -s /var/log/letsencrypt/errors.log; do
attempts=$((attempts+1))
if [[ "$attempts" -gt "3" ]]; then
echo "Too many failures, will not retry for now"
break;
fi
echo "Pausing before retry..."
sleep $(( 15 + RANDOM % 30 ));
echo "Retrying certificate fetch...";
try_cert;
if ! should_retry; then
echo "Unexpected error, will not retry for now"
break;
fi
done
fi