
Commit affe0eb

authored
Fix: Lets encrypt download certificate bug (hestiacp#3442)
* Fix: Async processing certificates * Enable drone again for LE testing * Update sleep time * Add user agent as suggested https://community.letsencrypt.org/t/myvesta-hestiacp-vestacp-fail-issuance-with-async-finalization/195923/4
1 parent fcc38b9 commit affe0eb


2 files changed

+30
-6
lines changed

2 files changed

+30
-6
lines changed

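--- a/.drone.yml
+++ b/.drone.yml
@@ -79,6 +79,10 @@ steps:
 - name: Run restore tests
 commands:
 - bats ./test/restore.bats
+- name: Run Letsencrypt test against Staging
+commands:
+- cp /root/le-env.sh /tmp/hestia-le-env.sh
+- bats ./test/letsencrypt.bats
 - name: Run config tests
 commands:
 - bats ./test/config-tests.bats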
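Review bot: The new step copies `/root/le-env.sh` to the fixed path `/tmp/hestia-le-env.sh`; if that file holds the staging account settings its name suggests, a predictable path under /tmp on a shared runner, created with `cp`'s default mode, is a weak place to park it. If the bats file needs a fixed path, at least restrict the copy, `- install -m 0600 /root/le-env.sh /tmp/hestia-le-env.sh`, or better feed the values through the pipeline's secret/environment mechanism so nothing is written to /tmp at all. The rendered view does not show the YAML indentation of the four added lines, so I cannot confirm they sit under `steps:` at the same level as the neighbouring entries.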

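--- a/bin/v-add-letsencrypt-domain
+++ b/bin/v-add-letsencrypt-domain
@@ -59,7 +59,7 @@ query_le_v2() {
 # Save http response to file passed as "$4" arg or print to stdout if not provided
 # http response headers are always sent to stdout
 local save_to_file=${4:-"/dev/stdout"}
-curl --location --insecure --retry 5 --retry-connrefused --silent --dump-header /dev/stdout --data "$post_data" "$1" --header "$content" --output "$save_to_file"
+curl --location --user-agent "HestiaCP" --insecure --retry 5 --retry-connrefused --silent --dump-header /dev/stdout --data "$post_data" "$1" --header "$content" --output "$save_to_file"
 debug_log "API call" "exit status: $?"
 }
 
@@ -208,7 +208,7 @@ if [ -n "$DNS_SYSTEM" ]; then
 fi
 
 # Requesting nonce / STEP 1
-answer=$(curl -s -I "$LE_API/directory")
+answer=$(curl --user-agent "HestiaCP" -s -I "$LE_API/directory")
 nonce=$(echo "$answer" | grep -i nonce | cut -f2 -d \ | tr -d '\r\n')
 status=$(echo "$answer" | grep HTTP/ | tail -n1 | cut -f 2 -d ' ')
 
@@ -242,8 +242,9 @@ nonce=$(echo "$answer" | grep -i nonce | cut -f2 -d \ | tr -d '\r\n')
 authz=$(echo "$answer" | grep "acme/authz" | cut -f2 -d '"')
 finalize=$(echo "$answer" | grep 'finalize":' | cut -f4 -d '"')
 status=$(echo "$answer" | grep HTTP/ | tail -n1 | cut -f2 -d ' ')
+order=$(echo -e "$answer" | grep -i location | cut -f2 -d \ | tr -d '\r\n')
 
-debug_log "Step 2" "- status: ${status}\n- nonce: ${nonce}\n- authz: ${authz}\n- finalize: ${finalize}\n- payload: ${payload}\n- answer: ${answer}"
+debug_log "Step 2" "- status: ${status}\n- nonce: ${nonce}\n- authz: ${authz}\n- finalize: ${finalize}\n- payload: ${payload}\n- answer: ${answer}\n order: ${order}"
 
 if [[ "$status" -ne 201 ]]; then
 # Delete DNS CAA record
@@ -461,6 +462,25 @@ if [[ "$status" -ne 200 ]]; then
 check_result "$E_CONNECT" "Let's Encrypt finalize bad status $status ($domain)"
 fi
 
+if [ -z "$certificate" ]; then
+validation="processing"
+i=1
+while [ "$validation" = "processing" ]; do
+answer=$(query_le_v2 "$order" "" "$nonce")
+i=$((i + 1))
+
+nonce=$(echo "$answer" | grep -i nonce | cut -f2 -d \ | tr -d '\r\n')
+status=$(echo "$answer" | grep HTTP/ | tail -n1 | cut -f 2 -d ' ')
+validation=$(echo "$answer" | grep 'status":' | cut -f4 -d '"')
+certificate=$(echo "$answer" | grep 'certificate":' | cut -f4 -d '"')
+sleep $((i * 2)) # Sleep for 2s, 4s, 6s, 8s
+if [ $i -gt 10 ]; then
+check_result "$E_CONNECT" "Certificate processing timeout ($domain)"
+fi
+debug_log "Step 7" "- status: ${status}\n- nonce: ${nonce}\n- payload: ${payload}\n- certificate: ${certificate}\n- answer: ${answer}"
+done
+fi
+
 # Downloading signed certificate / STEP 7
 status=0
 retry=0
@@ -470,7 +490,7 @@ while [[ $status != 200 && $retry -lt 3 ]]; do
 answer=$(query_le_v2 "$certificate" "" "$nonce" "$ssl_dir/$domain.pem")
 status=$(echo "$answer" | grep HTTP/ | tail -n1 | cut -f 2 -d ' ')
 
-debug_log "Step 7" "- status: ${status}\n- retry: ${retry}\n- answer: ${answer}"
+debug_log "Step 8" "- status: ${status}\n- retry: ${retry}\n- answer: ${answer}"
 
 if [[ $status != 200 ]]; then
 retry=$((retry + 1))
@@ -481,10 +501,10 @@ done
 
 # Fallback on depreciated download method for certs (unauthenticated GET)
 if [[ $status != 200 ]]; then
-answer=$(curl --insecure --retry 5 --retry-connrefused --silent --dump-header /dev/stdout "$certificate" --output "$ssl_dir/$domain.pem")
+answer=$(curl --insecure --user-agent "HestiaCP" --retry 5 --retry-connrefused --silent --dump-header /dev/stdout "$certificate" --output "$ssl_dir/$domain.pem")
 status=$(echo "$answer" | grep HTTP/ | tail -n1 | cut -f 2 -d ' ')
 
-debug_log "Step 7 - Fallback" "- status: ${status}\n- answer: ${answer}"
+debug_log "Step 8 - Fallback" "- status: ${status}\n- answer: ${answer}"
 fi
 
 debug_log "CERT DIR" "$(ls -las "$ssl_dir/")"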
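Review bot: The polling block added in the `@@ -461,6 +462,25 @@` hunk leaves its `while` as soon as the order status is anything other than `processing`, so an order that ends as `invalid`, or a GET whose answer comes back empty after a transport failure, falls through to the download step with `certificate` empty and only fails later with the generic "bad status" message. A check right after `done` names the real cause: `if [ "$validation" != "valid" ] || [ -z "$certificate" ]; then check_result "$E_CONNECT" "Let's Encrypt order status '$validation' ($domain)"; fi`. The comment on the `sleep` line is also off: `i` is incremented to 2 before the first sleep, so the backoff is 4s, 6s, 8s, … and the `i -gt 10` timeout, being checked after the sleep, fires only after roughly 130s of accumulated waiting — `# Sleep for 4s, 6s, 8s, ... (i starts at 2)` describes it correctly. In the `@@ -242,8 +242,9 @@` hunk the new `order=` line uses `echo -e "$answer"` while the neighbouring `nonce=`/`status=` lines use plain `echo`; `-e` adds backslash interpretation of CA-supplied bytes for no benefit and should be dropped for consistency. Separately, `--insecure` on the ACME calls is pre-existing rather than introduced here, but it leaves the exchange that hands back the order and certificate URLs unauthenticated at the transport layer; worth a follow-up.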
