
Make certificate import more failure tolerant

If an error occurs while trying to import a certificate into the webserver
configuration, the script now sets a marker file for the related domain and
tries again to import the cert in the next script run.
Before, those failures were reported in the log, but there was no
treatment.

[FS#136](https://fs.golderweb.de/index.php?do=details&task_id=136)
Jonathan Golder 2 years ago
parent
commit
2e42710925
Signed by: Jonathan Golder <jonathan@golderweb.de> GPG Key ID: A63CA3193092AD20
1 changed files with 28 additions and 2 deletions
  1. 28
    2
      letsencrypt-renew.sh

+ 28
- 2
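--- a/letsencrypt-renew.sh
+++ b/letsencrypt-renew.sh
@@ -42,12 +42,39 @@ if [ ! -d "${LECONFIGDIR}" ]; then
 	exit 1
 fi
 
+# import_certificate
+#
+# Try to import certificate in webserver config using uberspace-add-certificate
+#
+# If something fails, leave a file as marker so we can try it again with next
+# script run. Failures occur occasionally due to problems with connection to
+# letsencrypt while import.
+import_certificate() {
+	# import certificate
+	uberspace-add-certificate -k "${LECONFIGDIR}/live/${domain}/privkey.pem" -c "${LECONFIGDIR}/live/${domain}/cert.pem"
+
+	# Not successfull?
+	if [ $? -ne 0 ]; then
+		# Set error marker
+		touch "${LECONFIGDIR}/live/${domain}/importerror"
+	elif [ -f "${LECONFIGDIR}/live/${domain}/importerror" ]; then
+		# Remove error marker
+		rm "${LECONFIGDIR}/live/${domain}/importerror"
+	fi
+}
+
 # Get all existing inifiles matching namescheme cli-${domain}.ini
 for inifile in "${LECONFIGDIR}"/cli-*.ini; do
 
 	# Get domain out of file (first value in property "domains")
 	domain=$(grep -e "[ \t]*domains.*" "${inifile}" | sed "s/ //g" |cut -d "=" -f2 | cut -d "," -f1)
 
+	# If there was an import error before, try again to import certificate
+	if [ -f "${LECONFIGDIR}/live/${domain}/importerror" ]; then
+
+		import_certificate
+	fi
+
 	# sleep for a random time so not all certificates get renewed at the same time
 	if [ $FIRSTITER -ne 1 ]; then
 		sleep $(expr $RANDOM % 600)
@@ -60,7 +87,6 @@ for inifile in "${LECONFIGDIR}"/cli-*.ini; do
 	FIRSTITER=0
 	letsencrypt certonly -c "${inifile}" || continue
 
-	# import certificate
-	uberspace-add-certificate -k "${LECONFIGDIR}/live/${domain}/privkey.pem" -c "${LECONFIGDIR}/live/${domain}/cert.pem"
+	import_certificate
 
 done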
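Review bot: The `if [ $? -ne 0 ]; then` at new line 57 of import_certificate only tests uberspace-add-certificate's status because nothing else runs between the two lines; testing the command directly, `if ! uberspace-add-certificate -k "${LECONFIGDIR}/live/${domain}/privkey.pem" -c "${LECONFIGDIR}/live/${domain}/cert.pem"; then`, survives later insertions and states the intent. The failure branch writes nothing to stderr, so a persistent import failure is only visible as the marker file and no longer shows up in the log the commit message says it used to; a `printf '%s\n' "certificate import for ${domain} failed, will retry on next run" >&2` next to the `touch` keeps the cron output useful. `domain` is parsed from the ini file outside the function, and if that grep/cut chain yields an empty value the new code would create `${LECONFIGDIR}/live//importerror` and then retry forever; a guard such as `[ -n "${domain}" ] || return 1` at the top of import_certificate would be cheap, though whether an empty domain can occur depends on the ini files and is not visible here.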