Fix letsencrypt-lego logging

This patch normalizes the log line format of the letsencrypt scripts
(including the output captured from lego), so that it is easier to
parse via fluent.

Change-Id: I8a403e14819df4351e28d53c676571a3ad0c14be
Michal Arbet 2023-11-01 03:32:44 +01:00
parent beed4b68e8
commit 7fe6696c20
3 changed files with 61 additions and 24 deletions


@ -1,5 +1,17 @@
#!/bin/bash
function log_info {
local message="${1}"
echo "$(date '+%Y/%m/%d %H:%M:%S') [INFO] ${message}"
}
function log_error {
local message="${1}"
echo "$(date '+%Y/%m/%d %H:%M:%S') [ERROR] ${message}"
}
function haproxy_transaction_start {
local cert_input=${1}
local cert_dest=${2}
@ -10,9 +22,9 @@ function haproxy_transaction_start {
transaction_grep_check="Transaction (created|updated) for certificate $(echo $cert_dest | sed -e 's|/|\\/|g')!"
transaction_result=$(echo -e "set ssl cert ${cert_dest} <<\n$(cat ${cert_input})\n" | socat unix-connect:/var/lib/kolla/haproxy/haproxy.sock -)
if echo "${transaction_result}" | grep -Pq "${transaction_grep_check}"; then
echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [INFO] [${cert_dest} - update] Transaction ${cert_input} -> ${cert_dest} started."
log_info "[${cert_dest} - update] Transaction ${cert_input} -> ${cert_dest} started."
else
echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [ERROR] [${cert_dest} - update] Transaction ${cert_input} -> ${cert_dest} failed."
log_error "[${cert_dest} - update] Transaction ${cert_input} -> ${cert_dest} failed, please check if haproxy admin socket is running and ${cert_input} is not corrupted."
exit 1
fi
@ -22,9 +34,9 @@ function haproxy_transaction_start {
cert_input_sha1=$(openssl x509 -noout -fingerprint -sha1 -inform pem -in ${cert_input} | awk -F '=' '{print $2}' | sed -e 's/://g')
cert_dest_sha1=$(echo "show ssl cert *${cert_dest}" | socat unix-connect:/var/lib/kolla/haproxy/haproxy.sock - | awk -F 'SHA1 FingerPrint: ' '{print $2}' | sed '/^$/d')
if [ "${cert_input_sha1}" = "${cert_dest_sha1}" ]; then
echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [INFO] [${cert_dest} - update] Transaction ${cert_input} -> ${cert_dest} successfull."
log_info "[${cert_dest} - update] Transaction ${cert_input} -> ${cert_dest} successfull."
else
echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [ERROR] [${cert_dest} - update] Transaction ${cert_input} -> ${cert_dest} failed."
log_error "[${cert_dest} - update] Transaction ${cert_input} -> ${cert_dest} failed, SHA1 fingerprint of ${cert_input} is not the same as uploaded one."
exit 1
fi
}
@ -37,9 +49,9 @@ function haproxy_upload_to_memory {
cert_upload_output=$(echo "commit ssl cert ${cert_dest}" | socat unix-connect:/var/lib/kolla/haproxy/haproxy.sock -)
if echo "${cert_upload_output}" | grep -q "Success!"; then
echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [INFO] [${cert_dest} - update] Certificate ${cert_input} uploaded to haproxy memory."
log_info "[${cert_dest} - update] Certificate ${cert_input} uploaded to haproxy memory."
else
echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [ERROR] [${cert_dest} - update] Certificate ${cert_input} upload to haproxy memory failed."
log_error "[${cert_dest} - update] Certificate ${cert_input} upload to haproxy memory failed, please check if haproxy admin socket is running and ${cert_input} is not corrupted."
exit 1
fi
}
@ -56,7 +68,7 @@ function haproxy_write_to_disk {
cert_backup_path=$(echo "${cert_input}" | awk -v suffix="$cert_backup_suffix" -F '.pem' '{print $1suffix}')
cert_backup_name=$(echo ${cert_backup_path} | awk -F '/' '{print $NF}')
mkdir -p /etc/letsencrypt/backups
echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [INFO] [${cert_haproxy_path} - update] Backuping currently loaded ${cert_haproxy_path} -> /etc/letsencrypt/backups/${cert_backup_name}"
log_info "[${cert_haproxy_path} - update] Backuping currently loaded ${cert_haproxy_path} -> /etc/letsencrypt/backups/${cert_backup_name}"
cp -a ${cert_haproxy_path} /etc/letsencrypt/backups/${cert_backup_name}
cp -a ${cert_input} ${cert_haproxy_path}
rm -f ${cert_input}
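Review bot: The two rewritten failure branches (in haproxy_transaction_start and haproxy_upload_to_memory) tell the operator to check the admin socket and the input file, but the reply haproxy actually sent back — `${transaction_result}` and `${cert_upload_output}`, which the script already holds — is discarded, so the fluent-parsed log never shows why the transaction failed. Appending it makes the event self-explanatory, e.g. `log_error "[${cert_dest} - update] Transaction ${cert_input} -> ${cert_dest} failed: ${transaction_result//$'\n'/ }"` and `log_error "[${cert_dest} - update] Certificate ${cert_input} upload to haproxy memory failed: ${cert_upload_output//$'\n'/ }"`; the newline substitution keeps a multi-line haproxy reply on one line so the parser still sees one event. The `successfull` typo is carried into the new log_info line of the fingerprint check and is worth fixing while that message is being touched. haproxy_transaction_start and haproxy_write_to_disk both continue outside these hunks.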


@ -3,13 +3,13 @@
function log_info {
local message="${1}"
echo "$(date +%Y/%m/%d) $(date +%H:%M:%S) [INFO] ${message}"
echo "$(date '+%Y/%m/%d %H:%M:%S') [INFO] ${message}"
}
function log_error {
local message="${1}"
echo "$(date +%Y/%m/%d) $(date +%H:%M:%S) [ERROR] ${message}"
echo "$(date '+%Y/%m/%d %H:%M:%S') [ERROR] ${message}"
}
function obtain_or_renew_certificate {
@ -54,18 +54,43 @@ function obtain_or_renew_certificate {
[ ! -e "/etc/letsencrypt/lego/${certificate_type}/certificates/${certificate_fqdn}.pem" ] && local lego_action="run" || local lego_action="renew"
log_info "[INFO] [${certificate_fqdn} - cron] Obtaining certificate for domains ${certificate_fqdns}."
/opt/lego --email="${mail}" \
${certificate_domain_opts} \
--server "${acme_url}" \
--path "/etc/letsencrypt/lego/${certificate_type}/" \
--http.webroot "/etc/letsencrypt/http-01" \
--http.port ${listen_port} \
--cert.timeout ${valid_days} \
--accept-tos \
--http \
--pem ${lego_action} \
--${lego_action}-hook="/usr/bin/sync-and-update-certificate --${certificate_type} --fqdn ${certificate_fqdn} --haproxies-ssh ${letsencrypt_ssh_port}"
log_info "[${certificate_fqdn} - cron] Obtaining certificate for domains ${certificate_fqdns}."
mapfile -t cmd_output < <(/opt/lego --email="${mail}" \
${certificate_domain_opts} \
--server "${acme_url}" \
--path "/etc/letsencrypt/lego/${certificate_type}/" \
--http.webroot "/etc/letsencrypt/http-01" \
--http.port ${listen_port} \
--cert.timeout ${valid_days} \
--accept-tos \
--http \
--pem ${lego_action} \
--${lego_action}-hook="/usr/bin/sync-and-update-certificate --${certificate_type} --fqdn ${certificate_fqdn} --haproxies-ssh ${letsencrypt_ssh_port}" 2>&1)
# Fix LOG formatting as some output has no same format
#
# Example:
#
# 2023/10/31 11:52:26 No key found for account michal.arbet@ultimum.io. Generating a P256 key.
# 2023/10/31 11:52:26 Saved key to /etc/letsencrypt/lego/external/accounts/acme-v02.api.letsencrypt.org/michal.arbet@ultimum.io/keys/michal.arbet@ultimum.io.key
# 2023/10/31 11:52:27 [INFO] acme: Registering account for michal.arbet@ultimum.io
# !!!! HEADS UP !!!!
for i in "${cmd_output[@]}"; do
if [ "${i}" == "" ]; then
continue
fi
if ! echo "${i}" | grep -q '\[INFO\]'; then
if [ "$(echo "${i}" | awk -F ' ' '{print $1}')" == "$(date +%Y/%m/%d)" ]; then
echo "${i}" | awk '{out = ""; for (i = 3; i <= NF; i++) {out = out " " $i}; print $1" "$2" [INFO]"out}'
else
dt=$(date '+%Y/%m/%d %H:%M:%S')
echo "${i}" | awk -v dt="$dt" '{print dt" [INFO] "$0}'
fi
else
echo "${i}"
fi
done
}
@ -154,7 +179,7 @@ if [ "${INTERNAL_SET}" = "true" ] || [ "${EXTERNAL_SET}" = "true" ]; then
fi
if [ "${LETSENCRYPT_EXTERNAL_FQDNS}" != "" ]; then
log_info "[INFO] [${FQDN} - cron] Processing domains ${LETSENCRYPT_EXTERNAL_FQDNS}"
log_info "[${FQDN} - cron] Processing domains ${LETSENCRYPT_EXTERNAL_FQDNS}"
obtain_or_renew_certificate ${LETSENCRYPT_EXTERNAL_FQDNS} external ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT}
fi
else
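Review bot: The relabelling loop added after the lego call stamps `[INFO]` onto every line that does not already contain that tag, so anything lego reports at another level — and its stderr, which the new `2>&1` folds into the same stream — reaches fluent as INFO, and lego's exit status is lost entirely because the command now runs inside a process substitution that nothing checks. Capturing output and status separately, keeping a line that already carries a `[LEVEL]` tag untouched, and emitting an explicit `[ERROR]` event when lego exits non-zero fixes both; the date-equality test used to detect already-timestamped lines also double-stamps lines logged just before midnight on a run that crosses it, so matching the `YYYY/MM/DD HH:MM:SS` shape is more robust than comparing against today's date. Whether lego prints tags other than `[INFO]` I cannot confirm from here, but the loop should not assume it does not. obtain_or_renew_certificate's body starts before and ends after these hunks.
```shell
local lego_rc=0 lego_out line
# … unchanged: the /opt/lego invocation and its options, now written as
#   lego_out=$(/opt/lego … 2>&1) || lego_rc=$?
# instead of mapfile -t cmd_output < <(/opt/lego … 2>&1) …
while IFS= read -r line; do
  [ -z "${line}" ] && continue
  if [[ "${line}" =~ ^[0-9]{4}/[0-9]{2}/[0-9]{2}\ [0-9]{2}:[0-9]{2}:[0-9]{2}\ \[[A-Z]+\] ]]; then
    echo "${line}"                                       # already "date time [LEVEL] msg"
  elif [[ "${line}" =~ ^([0-9]{4}/[0-9]{2}/[0-9]{2}\ [0-9]{2}:[0-9]{2}:[0-9]{2})\ (.*)$ ]]; then
    echo "${BASH_REMATCH[1]} [INFO] ${BASH_REMATCH[2]}"  # timestamped but untagged
  else
    log_info "${line}"                                   # untimestamped (e.g. stderr)
  fi
done <<< "${lego_out}"
if [ "${lego_rc}" -ne 0 ]; then
  log_error "[${certificate_fqdn} - cron] lego exited with status ${lego_rc} for domains ${certificate_fqdns}."
  return "${lego_rc}"
fi
```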


@ -3,13 +3,13 @@
function log_info {
local message="${1}"
echo "$(date +%Y/%m/%d) $(date +%H:%M:%S) [INFO] ${message}"
echo "$(date '+%Y/%m/%d %H:%M:%S') [INFO] ${message}"
}
function log_error {
local message="${1}"
echo "$(date +%Y/%m/%d) $(date +%H:%M:%S) [ERROR] ${message}"
echo "$(date '+%Y/%m/%d %H:%M:%S') [ERROR] ${message}"
}
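Review bot: These two helpers are now duplicated byte-for-byte in three scripts of this change, so the next format tweak — exactly the kind of edit this commit makes — has to be applied three times and the formats can drift apart. If the scripts share an install location, a single sourced file providing log_info/log_error would keep the line format in one place; I cannot see the file paths here, so treat that as a suggestion to confirm. Both helpers write to stdout, including `[ERROR]` lines, which is presumably intended because that is the stream fluent collects; a one-line comment such as `# errors go to stdout on purpose: fluent parses the combined log stream` would stop a later reader from "fixing" it with `>&2`.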