547a4578bd
Currently we connect to the LE staging environment with acme.sh during CI to get the DNS-01 tokens (but we never follow through and actually generate the certificate, as we have nowhere to publish the tokens). We've known for a while that LE staging isn't really meant to be used by CI like this, and recent instability has made the issue pronounced.

This modifies the driver script to generate fake tokens which work to ensure all the DNS processing, etc. is happening correctly. I have put this behind a flag so the letsencrypt job still does this, however. I think it is worth this job actually calling acme.sh to validate this path; this shouldn't be required too often.

Change-Id: I7c0b471a0661aa311aaa861fd2a0d47b07e45a72
29 lines
1.1 KiB
YAML
- name: 'Build arguments for letsencrypt acme.sh driver for: {{ cert.key }}'
  set_fact:
    # NOTE(ianw): note the domains are passed in one string (between
    # ") as it makes argument parsing a little easier in the driver.sh
    acme_args: '"{% for domain in cert.value %}-d {{ domain.split(":")[0] }} {% endfor %}"'

- name: Run acme.sh driver for certificate issue
  shell:
    # 'issue-selfsign' makes driver.sh generate fake tokens locally instead of
    # contacting LE staging; 'issue' is the real path, kept behind the flag.
    cmd: |
      /opt/acme.sh/driver.sh {{ 'issue-selfsign' if letsencrypt_self_generate_tokens else 'issue' }} {{ acme_args }}
  args:
    chdir: /opt/acme.sh/
  register: acme_output
  environment:
    LETSENCRYPT_STAGING: '{{ "1" if letsencrypt_use_staging else "0" }}'

# NOTE(ianw): The output of the driver is
#
# challenge-domain:TXT-key
#
# We don't care about the challenge-domain part (we have set all
# _acme-challenge.hostname.o.o records as CNAMES to acme.opendev.org).
# Record the config key along with the TXT record; later we use it to
# check which config keys have been updated and need a refresh.
#
- set_fact:
    acme_txt_required: '{{ acme_txt_required + [(cert.key, item.split(":")[1])] }}'
  loop: '{{ acme_output.stdout_lines }}'
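The contract between driver.sh and the tasks above (one `challenge-domain:TXT-key` line per `-d` domain, with the playbook keeping only the part after the colon) can be exercised without the real driver or LE staging. The following is an added example and is not the project's driver.sh or acme.sh: a POSIX sh stand-in for the flag-selected `issue-selfsign` mode that prints fake TXT values of the shape a real DNS-01 value has (43 base64url characters, since the real value is base64url(SHA-256(key authorization))), plus the same per-line extraction the `set_fact` loop performs. The function names, the `a.example.org` / `b.example.org` domains and the use of /dev/urandom are assumptions of this example, not anything the playbook defines.

```shell
#!/bin/sh
# Added example: stand-in for driver.sh's 'issue-selfsign' mode (hypothetical,
# not the project's script). Produces fake DNS-01 TXT values and mirrors how
# the playbook consumes the driver's output.
set -eu

# fake_txt_value: 32 random bytes as unpadded base64url, i.e. 43 characters,
# the same shape as a genuine DNS-01 value (base64url(SHA-256(keyAuthorization))).
# /dev/urandom is an assumption of this example; the real driver derives the
# value from the ACME order.
fake_txt_value() {
    head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n'
}

# fake_issue: takes the single argument string the playbook builds
# ("-d a.example.org -d b.example.org ") and prints one
# challenge-domain:TXT-key line per domain, matching the driver's contract.
# Word splitting of "$1" is intentional; it is what driver.sh relies on too.
fake_issue() {
    prev=""
    for word in $1; do
        if [ "$prev" = "-d" ]; then
            printf '_acme-challenge.%s:%s\n' "$word" "$(fake_txt_value)"
        fi
        prev="$word"
    done
}

# record_txt_required: mirror the set_fact loop, pairing the config key with
# the TXT value of every line (cert.key, item.split(":")[1]); the
# challenge-domain part is discarded, as the playbook's NOTE explains.
# $1 = config key, driver output on stdin.
record_txt_required() {
    key="$1"
    while IFS=: read -r _challenge_domain txt _rest; do
        printf '%s %s\n' "$key" "$txt"
    done
}

# Usage: exercise the fake path end to end for a constructed two-domain cert.
fake_issue "-d a.example.org -d b.example.org" | record_txt_required "a.example.org"
```

Nothing in the fake path needs network access, which is the point of gating the real `issue` mode behind the flag: the DNS-side processing (record extraction, the acme_txt_required bookkeeping, the later refresh check) can be validated on every run, while the actual call to acme.sh is reserved for the letsencrypt job.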