Evil Ham
a696f3cf00
This would fix #839 Certbot uses locking [1] even for read-only operations and does not properly use exit codes, which means that sometimes it would print: "Another instance of Certbot is already running" and exit with success. However, the previous explorers would take that as the certificate being absent and would trigger code generation. The issue was made worse by having many explorers running certbot, so for N certificates, we'd run certbot N*4 times, potentially "in parallel". [1]: https://certbot.eff.org/docs/using.html#id5 This patch joins all explorers in one to avoid starting multiple remote python processes and uses a cdist-specific lock in /tmp/certbot.cdist.lock with a 60 seconds timeout. It has been tested with certbot 0.31.0 and 0.17 that the: from certbot.main import main trick works. It is somewhat well documented so it can be somewhat relied upon.
#!/bin/sh
#
# Manifest for the __letsencrypt_cert type: make sure certbot, its renewal
# job and the per-object renewal hooks are present on the target.

# certbot location reported by the certificate-data explorer (the
# "certbot_path:<path>" line); empty when certbot is not installed yet.
# The value originates from the target host, so it is data, not a constant.
certbot_fullpath=$(
    grep '^certbot_path:' "${__object:?}/explorer/certificate-data" |
        cut -d ':' -f 2-
)

# Requested state of the certificate. Not referenced again in this manifest;
# presumably consumed by the sourced gen_hook.sh — confirm there.
state=$(cat "${__object}/parameter/state")

# Target operating system, selects packages, paths and renewal mechanism.
os=$(cat "${__global:?}/explorer/os")
# The explorer did not find certbot: install the distribution package and
# assume the usual binary location (overridden per OS where it differs).
if [ -z "${certbot_fullpath}" ]; then
    os_version="$(cat "${__global}/explorer/os_version")"

    # Use this, very common value, as a default. It is OS-dependent
    certbot_fullpath="/usr/bin/certbot"

    case "$os" in
        archlinux|alpine|ubuntu)
            __package certbot
            ;;
        debian)
            case "$os_version" in
                8*)
                    # certbot is only available from backports on jessie.
                    # The mirror is plain HTTP; package integrity rests on
                    # apt verifying the signed Release files of that source.
                    __apt_source jessie-backports \
                        --uri http://http.debian.net/debian \
                        --distribution jessie-backports \
                        --component main
                    require="__apt_source/jessie-backports" \
                        __package_apt python-certbot --target-release jessie-backports
                    require="__apt_source/jessie-backports" \
                        __package_apt certbot --target-release jessie-backports
                    # Seems to be a missing dependency on debian 8
                    __package python-ndg-httpsclient
                    ;;
                9*)
                    # Same backports arrangement for stretch (plain-HTTP
                    # mirror, signed Release files).
                    __apt_source stretch-backports \
                        --uri http://http.debian.net/debian \
                        --distribution stretch-backports \
                        --component main
                    require="__apt_source/stretch-backports" \
                        __package_apt python-certbot --target-release stretch-backports
                    require="__apt_source/stretch-backports" \
                        __package_apt certbot --target-release stretch-backports
                    ;;
                10*)
                    # buster ships certbot in the main archive.
                    __package_apt certbot
                    ;;
                *)
                    echo "Unsupported OS version: $os_version" >&2
                    exit 1
                    ;;
            esac
            ;;
        devuan)
            case "$os_version" in
                jessie)
                    # Devuan jessie mirrors the debian 8 backports setup
                    # (plain-HTTP mirror, signed Release files).
                    __apt_source jessie-backports \
                        --uri http://auto.mirror.devuan.org/merged \
                        --distribution jessie-backports \
                        --component main
                    require="__apt_source/jessie-backports" \
                        __package_apt python-certbot --target-release jessie-backports
                    require="__apt_source/jessie-backports" \
                        __package_apt certbot --target-release jessie-backports
                    # Seems to be a missing dependency on debian 8 (and so
                    # on Devuan jessie, which is based on it)
                    __package python-ndg-httpsclient
                    ;;
                ascii*)
                    __apt_source ascii-backports \
                        --uri http://auto.mirror.devuan.org/merged \
                        --distribution ascii-backports \
                        --component main
                    require="__apt_source/ascii-backports" \
                        __package_apt certbot --target-release ascii-backports
                    ;;
                beowulf*)
                    __package_apt certbot
                    ;;
                *)
                    echo "Unsupported OS version: $os_version" >&2
                    exit 1
                    ;;
            esac
            ;;
        freebsd)
            # The port installs under /usr/local, not /usr.
            __package py37-certbot
            certbot_fullpath="/usr/local/bin/certbot"
            ;;
        *)
            echo "Unsupported os: $os" >&2
            exit 1
            ;;
    esac
fi
# Other OS-dependent values that we want to set every time: where certbot
# keeps its state (LE_DIR) and whether cdist has to provide the renewal
# cron job (certbot_cronjob_state).
case "$os" in
    archlinux|alpine)
        LE_DIR="/etc/letsencrypt"
        certbot_cronjob_state="present"
        ;;
    freebsd)
        LE_DIR="/usr/local/etc/letsencrypt"
        certbot_cronjob_state="absent"
        # FreeBSD uses periodic(8) instead of crontabs for this: enable the
        # weekly certbot run in periodic.conf, replacing a commented-out or
        # differently-valued existing line.
        __line "periodic.conf_weekly_certbot" \
            --file "/etc/periodic.conf" \
            --regex "^(#[[:space:]]*)?weekly_certbot_enable=.*" \
            --state "replace" \
            --line 'weekly_certbot_enable="YES"'
        ;;
    *)
        # No cron job from cdist on the remaining systems (presumably their
        # certbot package brings its own renewal mechanism — not verified here).
        LE_DIR="/etc/letsencrypt"
        certbot_cronjob_state="absent"
        ;;
esac
# Always declared so that the cron job is created where needed and removed
# again where the OS has its own renewal mechanism (state computed above).
# NOTE: certbot_fullpath comes from the target's explorer output or the
# per-OS default; it is written into root's crontab as given.
__cron letsencrypt-certbot \
    --state "${certbot_cronjob_state}" \
    --user root \
    --hour 0 \
    --minute 47 \
    --command "${certbot_fullpath} renew -q"
# Ensure the certbot state directory and its renewal-hooks directory exist;
# the hooks directory depends on its parent being created first.
HOOKS_DIR="${LE_DIR}/renewal-hooks"
__directory "${LE_DIR}" \
    --mode 0755
require="__directory/${LE_DIR}" \
    __directory "${HOOKS_DIR}" --mode 0755
# Domains covered by the certificate: the sorted --domain parameters when
# given, otherwise the object id alone. Not used further in this manifest
# (presumably read by the sourced gen_hook.sh — confirm).
domains="${__object_id}"
if [ -f "${__object}/parameter/domain" ]; then
    domains=$(sort "${__object}/parameter/domain")
fi
# Install hooks as needed: one deploy/pre/post hook file per object.
for hook in deploy pre post; do
    # The file name is unique and specific to this object, so several
    # certificates on one host do not overwrite each other's hooks.
    hook_file="${HOOKS_DIR}/${hook}/${__object_id}.cdist.sh"

    # Sourced, not executed, so it sees the variables set above. It defines
    # hook_contents; hook_state is not set anywhere in this manifest, so it
    # presumably comes from there too — confirm in gen_hook.sh.
    # shellcheck source=cdist/conf/type/__letsencrypt_cert/files/gen_hook.sh
    . "${__type}/files/gen_hook.sh"

    # Ensure hook directory exists
    require="__directory/${HOOKS_DIR}" \
        __directory "${HOOKS_DIR}/${hook}" --mode 0755

    # Read-and-execute only; the contents are handed over on stdin so no
    # intermediate file is needed.
    printf '%s\n' "${hook_contents}" |
        require="__directory/${HOOKS_DIR}/${hook}" __file "${hook_file}" \
            --mode 0555 \
            --source '-' \
            --state "${hook_state}"
done