change: format due to linter warning; sleeping time to be faster
authorHendrik Jäger <gitcommit@henk.geekmail.org>
Sat, 3 Feb 2024 12:23:26 +0000 (13:23 +0100)
committerHendrik Jäger <gitcommit@henk.geekmail.org>
Sat, 3 Feb 2024 12:23:26 +0000 (13:23 +0100)
macir.rb

index e950fb7a0b1f83c235e8d09cd49763e65c771c4d..f371c36f1e1d7b390fb8df081edb2af9e09e7ce6 100644 (file)
--- a/macir.rb
+++ b/macir.rb
@@ -161,36 +161,31 @@ def wait_for_challenge_propagation(domain, challenge)
       res = Dnsruby::Resolver.new(nameserver)
       res.dnssec = false
       res.do_caching = false
-      begin
+      loop do
         p "Domain #{domain}: Querying ACME challenge record"
-        begin
-          result = res.query_no_validation_or_recursion("_acme-challenge.#{domain}", 'TXT')
-        rescue Dnsruby::NXDomain
-          p "Domain #{domain}: Not yet propagated, sleeping before checking again"
-          Thread.pass
-          sleep(0.1)
-          retry
-        rescue StandardError => e
-          warn "Domain #{domain}: ACME challenge lookup failed: #{e}"
-          raise
-        end
-        # p result
+        result = res.query_no_validation_or_recursion("_acme-challenge.#{domain}", 'TXT')
         propagated = result.answer.any? do |answer|
           answer.rdata[0] == challenge.record_content
         end
-        unless propagated
-          p "Domain #{domain}: Not yet propagated, sleeping before checking again"
-          Thread.pass
-          sleep(0.1)
-        end
-      end until propagated
+        break if propagated
+
+        p "Domain #{domain}: Not yet propagated, still old value, sleeping before checking again"
+        sleep(0.5)
+      rescue Dnsruby::NXDomain
+        p "Domain #{domain}: Not yet propagated, NXdomain, sleeping before checking again"
+        sleep(0.5)
+        retry
+      rescue StandardError => e
+        warn "Domain #{domain}: ACME challenge lookup failed: #{e}"
+        raise
+      end
     end
   end
 
   threads.each(&:join)
 end
 
-def wait_for_challenge_validation(challenge)
+def wait_for_challenge_validation(challenge, cert_name)
   p 'Requesting validation of challenge'
   begin
     retries ||= 0
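Review bot: The new `loop do` at the top of this hunk has no upper bound, so a challenge record that never appears (zone update rejected, wrong primary nameserver configured) keeps this thread polling every 0.5 s forever and the `threads.each(&:join)` further down never returns; the enclosing `wait_for_challenge_propagation` starts before the hunk. A deadline check at the head of the loop body turns that into a clear failure, and it has to sit at the head rather than after `break if propagated` because the `retry` in the `Dnsruby::NXDomain` rescue jumps back to the block start (that `retry` is in any case redundant inside `loop`, which re-enters the block on its own). Note also that the commit message says sleep times were made faster, but this poll went from 0.1 s to 0.5 s while the ACME polls in the later hunks went from 1 s to 0.1 s — worth stating the intent in the message or a comment. `PROPAGATION_TIMEOUT` below is a new constant to define near the top of the file; its value is up to you.
```ruby
      deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + PROPAGATION_TIMEOUT
      loop do
        if Process.clock_gettime(Process::CLOCK_MONOTONIC) > deadline
          raise "Domain #{domain}: ACME challenge record not propagated within #{PROPAGATION_TIMEOUT}s"
        end
        p "Domain #{domain}: Querying ACME challenge record"
        # … unchanged: query, propagated check, break, sleep, rescue clauses …
      end
```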
@@ -202,8 +197,8 @@ def wait_for_challenge_validation(challenge)
   end
 
   while challenge.status == 'pending'
-    p 'Sleeping because challenge validation is pending'
-    sleep(1)
+    p "Cert #{cert_name}: Sleeping because challenge validation is pending"
+    sleep(0.1)
     p 'Checking again'
     begin
       retries ||= 0
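Review bot: `sleep(0.1)` on the new side of this hunk, and the same change in the `order.status == 'processing'` loop in the next hunk (`@@ -244,7 +239,7`), turn the status polls into up to ten requests per second per pending challenge or order against the CA, multiplied by however many cert threads run concurrently. ACME (RFC 8555) lets the server signal the poll interval through `Retry-After` on these responses, and public CAs rate-limit clients that poll too aggressively; a slow poll only costs latency, a rate-limited run fails outright. Unless the acme-client calls outside this hunk already honour `Retry-After`, I'd keep `sleep(1)` here and in the next hunk, or at least grow the interval on each pass rather than fixing it at 0.1 s. The enclosing `wait_for_challenge_validation` begins in the previous hunk.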
@@ -244,7 +239,7 @@ def get_cert(order, cert_name, domains, domain_key)
   end
   while order.status == 'processing'
     p "Cert #{cert_name}: Sleep while order is processing"
-    sleep(1)
+    sleep(0.1)
     p "Cert #{cert_name}: Rechecking order status"
     begin
       retries ||= 0
@@ -267,12 +262,12 @@ def get_cert(order, cert_name, domains, domain_key)
   end
 
   p "Cert #{cert_name}: Writing cert"
-  cert_file = File.new(path + Time.now.to_i.to_s + ".crt", 'w')
+  cert_file = File.new("#{path}#{Time.now.to_i}.crt", 'w')
   cert_file.write(cert)
-  if File.symlink?(File.dirname(cert_file) + "/current.crt")
-    File.unlink(File.dirname(cert_file) + "/current.crt")
-    File.symlink(File.basename(cert_file), File.dirname(cert_file) + "/current.crt")
-  elsif File.file?(File.dirname(cert_file) + "/current.crt")
+  if File.symlink?("#{File.dirname(cert_file)}/current.crt")
+    File.unlink("#{File.dirname(cert_file)}/current.crt")
+    File.symlink(File.basename(cert_file), "#{File.dirname(cert_file)}/current.crt")
+  elsif File.file?("#{File.dirname(cert_file)}/current.crt")
     raise 'Could not place symlink for "current.crt" because that is already a normal file.'
   end
   return cert
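Review bot: The `current.crt` update in this hunk only runs when a symlink already exists — on a fresh cert directory neither the `File.symlink?` nor the `File.file?` branch fires and no `current.crt` is created at all, unless something outside the hunk does it. `cert_file` is also written but never closed before `return cert` in the visible lines, so the link can point at a file whose content is still sitting in Ruby's write buffer, and the unlink-then-symlink pair leaves a window in which `current.crt` does not exist for anything reading it concurrently. Writing through the block form of `File.open` flushes and closes before the link is made, and creating the symlink under a temporary name and renaming it over `current.crt` makes the switch atomic and covers the first-run case. The new interpolated file name still assumes `path` ends with a separator (`path` is set outside the hunk); `File.join` would remove that assumption if it does not.
```ruby
  p "Cert #{cert_name}: Writing cert"
  cert_path = "#{path}#{Time.now.to_i}.crt"
  File.open(cert_path, 'w') { |f| f.write(cert) } # flushed and closed before linking
  current = File.join(File.dirname(cert_path), 'current.crt')
  if File.file?(current) && !File.symlink?(current)
    raise 'Could not place symlink for "current.crt" because that is already a normal file.'
  end
  tmp_link = "#{current}.tmp"
  File.unlink(tmp_link) if File.symlink?(tmp_link) # leftover from an interrupted run
  File.symlink(File.basename(cert_path), tmp_link)
  File.rename(tmp_link, current) # atomic replacement, also creates current.crt on first run
  return cert
```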
@@ -288,6 +283,7 @@ ensure_cert_dir(cert_dir)
 acme_threads = []
 # iterate over configured certs
 # TODO: make this one thread per cert
+# TODO: check all domains for apex domain, deploy challenges for one apex_domain all at once
 config['certs'].each_pair do |cert_name, cert_opts|
   acme_threads << Thread.new(cert_name, cert_opts) do |cert_name, cert_opts|
     ensure_cert_dir(cert_dir + cert_name)
@@ -334,6 +330,7 @@ config['certs'].each_pair do |cert_name, cert_opts|
     if order.status != 'ready'
       p "Cert #{cert_name}: Order is not ready, we need to authorize first"
 
+      # TODO: collect dns modifications per primary NS, update all at once
       p "Cert #{cert_name}: Iterating over required authorizations"
       begin
         retries ||= 0
@@ -357,7 +354,7 @@ config['certs'].each_pair do |cert_name, cert_opts|
         primary_ns = config.dig('domains', auth.domain, 'primary_ns') || config.dig('defaults', 'domains', 'primary_ns')
         deploy_dns01_challenge_token(auth.domain, challenge, primary_ns, config)
         wait_for_challenge_propagation(auth.domain, challenge)
-        wait_for_challenge_validation(challenge)
+        wait_for_challenge_validation(challenge, cert_name)
       end
     else
       p "Cert #{cert_name}: Order is ready, we don’t need to authorize"