letsencrypt-acme-sh-install: handle errors better in driver
Currently we discard the exit code of the acme.sh call and swallow any
possible errors. Although they are logged, it means the Ansible calls
won't fail and you'll have to debug much later on why you didn't get a
certificate as expected.
Capture the failure of the call and log it better. Note that when
skipping renewal due to current valid certificates acme.sh returns
"2". After [1] acme.sh is returning "3" when it exits with a TXT
entry requiring validation; anything else is an error on the request
path. Valid issues should be "0" and anything else will be an error.
While we are here, make sure we always output the end stamp by putting it
in an exit trap.
[1] 2d4ea720eb
Change-Id: Ica63860f3221e99ca0a2aa2636d573fc134447bb
This commit is contained in:
parent
08644ae925
commit
864f39bfff
@ -23,6 +23,11 @@ fi
|
|||||||
# Ensure we don't write out files as world-readable
|
# Ensure we don't write out files as world-readable
|
||||||
umask 027
|
umask 027
|
||||||
|
|
||||||
|
function _exit {
|
||||||
|
echo "--- end --- $(date -u '+%Y-%m-%dT%k:%M:%S%z') ---" >> ${LOG_FILE}
|
||||||
|
}
|
||||||
|
trap _exit EXIT
|
||||||
|
|
||||||
echo -e "\n--- start --- ${1} --- $(date -u '+%Y-%m-%dT%k:%M:%S%z') ---" >> ${LOG_FILE}
|
echo -e "\n--- start --- ${1} --- $(date -u '+%Y-%m-%dT%k:%M:%S%z') ---" >> ${LOG_FILE}
|
||||||
|
|
||||||
if [[ ${1} == "issue" ]]; then
|
if [[ ${1} == "issue" ]]; then
|
||||||
@ -49,6 +54,16 @@ if [[ ${1} == "issue" ]]; then
|
|||||||
# shell magic ^ is
|
# shell magic ^ is
|
||||||
# - extract everything between ' '
|
# - extract everything between ' '
|
||||||
# - stick every two lines together, separated by a :
|
# - stick every two lines together, separated by a :
|
||||||
|
_exit_code=${PIPESTATUS[0]}
|
||||||
|
if [[ ${_exit_code} == 2 ]]; then
|
||||||
|
echo "Valid and current certificate found" >> ${LOG_FILE}
|
||||||
|
exit 0
|
||||||
|
elif [[ ${_exit_code} == 3 ]]; then
|
||||||
|
echo "Certificate request issued" >> ${LOG_FILE}
|
||||||
|
else
|
||||||
|
echo "Unknown failure: ${_exit_code}" >> ${LOG_FILE}
|
||||||
|
exit ${_exit_code}
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
elif [[ ${1} == "issue-selfsign" ]]; then
|
elif [[ ${1} == "issue-selfsign" ]]; then
|
||||||
shift;
|
shift;
|
||||||
@ -91,6 +106,16 @@ elif [[ ${1} == "renew" ]]; then
|
|||||||
--force \
|
--force \
|
||||||
--renew \
|
--renew \
|
||||||
$arg 2>&1 | tee -a ${LOG_FILE}
|
$arg 2>&1 | tee -a ${LOG_FILE}
|
||||||
|
_exit_code=${PIPESTATUS[0]}
|
||||||
|
if [[ ${_exit_code} == 2 ]]; then
|
||||||
|
echo "Valid and current certificate found" >> ${LOG_FILE}
|
||||||
|
exit 0
|
||||||
|
elif [[ ${_exit_code} == 0 ]]; then
|
||||||
|
echo "Certificate renewed" >> ${LOG_FILE}
|
||||||
|
else
|
||||||
|
echo "Unknown failure: ${_exit_code}" >> ${LOG_FILE}
|
||||||
|
exit ${_exit_code}
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
elif [[ ${1} == "selfsign" ]]; then
|
elif [[ ${1} == "selfsign" ]]; then
|
||||||
# For testing, simulate the key generation
|
# For testing, simulate the key generation
|
||||||
@ -160,5 +185,3 @@ else
|
|||||||
echo "Unknown driver arg: $1"
|
echo "Unknown driver arg: $1"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "--- end --- $(date -u '+%Y-%m-%dT%k:%M:%S%z') ---" >> ${LOG_FILE}
|
|
||||||
|
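Review bot: The `exit 0` taken when acme.sh returns 2 ("Valid and current certificate found") sits inside the `for ... done` loop in both the issue and renew paths (the `done` closing each hunk), so if the driver is ever invoked with more than one argument, the first current certificate ends the script and the remaining arguments are never processed; a `continue` after the log line would move on to the next argument instead, with the exit status decided once the loop completes. Both loops open above their hunks, so whether several arguments are actually passed in one call is not visible here. A second, smaller point: in the `else` arm `exit ${_exit_code}` forwards a 0 to the caller as success while the log line reads `Unknown failure: 0`, so an unexpected 0 in the issue path is recorded as a failure but not reported as one; if 0 is indeed not a valid outcome there, `exit $(( _exit_code == 0 ? 1 : _exit_code ))` would make the status agree with the message.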