letsencrypt-acme-sh-install: handle errors better in driver

Currently we discard the exit code of the acme.sh call and swallow any
possible errors.  Although they are logged, it means the Ansible calls
won't fail and you'll have to debug much later on why you didn't get a
certificate as expected.

Capture the failure of the call and log it better.  Note that when
skipping renewal due to current valid certificates acme.sh returns
"2".  After [1] acme.sh is returning "3" when it exits with a TXT
entry requiring validation; anything else is an error on the request
path.  Valid issues should be "0" and anything else will be an error.

While we are here, make sure we always output the end stamp by putting it
in an exit trap.

[1] 2d4ea720eb

Change-Id: Ica63860f3221e99ca0a2aa2636d573fc134447bb
Ian Wienand 2019-11-27 11:17:04 +11:00
parent 08644ae925
commit 864f39bfff


@ -23,6 +23,11 @@ fi
# Ensure we don't write out files as world-readable # Ensure we don't write out files as world-readable
umask 027 umask 027
function _exit {
echo "--- end --- $(date -u '+%Y-%m-%dT%k:%M:%S%z') ---" >> ${LOG_FILE}
}
trap _exit EXIT
echo -e "\n--- start --- ${1} --- $(date -u '+%Y-%m-%dT%k:%M:%S%z') ---" >> ${LOG_FILE} echo -e "\n--- start --- ${1} --- $(date -u '+%Y-%m-%dT%k:%M:%S%z') ---" >> ${LOG_FILE}
if [[ ${1} == "issue" ]]; then if [[ ${1} == "issue" ]]; then
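Review bot: `%k` in the new `_exit` timestamp is the space-padded hour, so before 10:00 UTC the end stamp comes out with a space in it (e.g. `...T 9:17:04+0000`); since this line is being added anyway, `%H` gives a zero-padded hour that parses and sorts cleanly (the existing start stamp on the next line has the same quirk, and could be fixed in the same change). Quoting the redirect target as `"${LOG_FILE}"` in `_exit` would also avoid surprises if the path ever contains spaces. Registering the trap before the driver-argument dispatch is the right place: the `exit 1` for an unknown driver arg now gets an end stamp too.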
@ -49,6 +54,16 @@ if [[ ${1} == "issue" ]]; then
# shell magic ^ is # shell magic ^ is
# - extract everything between ' ' # - extract everything between ' '
# - stick every two lines together, separated by a : # - stick every two lines together, separated by a :
_exit_code=${PIPESTATUS[0]}
if [[ ${_exit_code} == 2 ]]; then
echo "Valid and current certificate found" >> ${LOG_FILE}
exit 0
elif [[ ${_exit_code} == 3 ]]; then
echo "Certificate request issued" >> ${LOG_FILE}
else
echo "Unknown failure: ${_exit_code}" >> ${LOG_FILE}
exit ${_exit_code}
fi
done done
elif [[ ${1} == "issue-selfsign" ]]; then elif [[ ${1} == "issue-selfsign" ]]; then
shift; shift;
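Review bot: the `exit 0` in the `_exit_code == 2` branch sits inside the `for ... done` loop (the `done` is visible right after the `fi`), so the first certificate that is already valid and current terminates the whole script and any remaining certificates in that run are never checked or issued; `continue` keeps the per-certificate semantics the loop implies. Also keep `_exit_code=${PIPESTATUS[0]}` immediately after the pipeline it inspects: bash resets `PIPESTATUS` on the next command executed, so only comments may sit between them (as they do here), and index `[0]` must be the acme.sh invocation rather than `tee` or a later stage, otherwise the `2`/`3` checks read the wrong status.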
@ -91,6 +106,16 @@ elif [[ ${1} == "renew" ]]; then
--force \ --force \
--renew \ --renew \
$arg 2>&1 | tee -a ${LOG_FILE} $arg 2>&1 | tee -a ${LOG_FILE}
_exit_code=${PIPESTATUS[0]}
if [[ ${_exit_code} == 2 ]]; then
echo "Valid and current certificate found" >> ${LOG_FILE}
exit 0
elif [[ ${_exit_code} == 0 ]]; then
echo "Certificate renewed" >> ${LOG_FILE}
else
echo "Unknown failure: ${_exit_code}" >> ${LOG_FILE}
exit ${_exit_code}
fi
done done
elif [[ ${1} == "selfsign" ]]; then elif [[ ${1} == "selfsign" ]]; then
# For testing, simulate the key generation # For testing, simulate the key generation
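Review bot: same `exit 0`-inside-the-loop problem as in the issue branch: one certificate that does not need renewing ends the run before the remaining entries are processed, where `continue` is wanted. This block and the one in the issue path differ only in the log message and the code treated as success (`0` here, `3` there), so a small helper taking the expected-success code would remove the duplicated `if/elif/else` and keep the two paths in step. Separately, the call passes `--force`, which asks acme.sh to renew regardless of remaining validity, so it is worth confirming that the `2` ("Valid and current certificate found") branch can actually be reached on this path.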
@ -160,5 +185,3 @@ else
echo "Unknown driver arg: $1" echo "Unknown driver arg: $1"
exit 1 exit 1
fi fi
echo "--- end --- $(date -u '+%Y-%m-%dT%k:%M:%S%z') ---" >> ${LOG_FILE}