X-Git-Url: https://git.sthu.org/?a=blobdiff_plain;f=letsencrypt%2Frenewal.sh;h=763789d72b312aaf5e1ef5a27aa088b26f0259d0;hb=HEAD;hp=e6a4658f8b39c89759437b6d0bd253aa1055fc8e;hpb=13f0d7044a34553fe36c76155ed2d4328f885eb3;p=shutils.git
diff --git a/letsencrypt/renewal.sh b/letsencrypt/renewal.sh
index e6a4658..763789d 100644
--- a/letsencrypt/renewal.sh
+++ b/letsencrypt/renewal.sh
@@ -13,20 +13,22 @@ PORT80=$(lsof -ti :80 | wc -l)
 if [ $PORT80 = 0 ]; then
     cd /var/www/challenges
     nohup python3 -m http.server 80 > /dev/null 2>&1 &
-    iptables -A INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-    ip6tables -A INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
+    #/usr/sbin/iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
+    #/usr/sbin/ip6tables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
 fi
 
 cd /etc/ssl/letsencrypt
 
+SUCCESS=0
+
 # Get a updated certificate.
 for i in `seq 1 3`; do
     if acme-tiny --account-key account.key --csr domain.csr --acme-dir /var/www/challenges \
         > signed_new.crt 2>> ${LOGFILE}
     then
-        wget -q -O chain_new.pem https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem
+        wget -q -O chain_new.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem
 
         # Check that the cert is valid.
         if openssl verify -CAfile chain_new.pem signed_new.crt; then
@@ -34,6 +36,7 @@ for i in `seq 1 3`; do
             mv -f signed_new.crt signed.crt
             cat signed.crt chain.pem > fullchain.pem
 
+            SUCCESS=1
             echo ""
             echo "[Success] Acme tiny successfully renewed certificate." | tee -a ${LOGFILE}
             echo ""
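Review bot: The new `wget -q -O chain_new.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem` line is still unchecked, and because `-O` truncates the target first, a failed or interrupted download leaves an empty chain_new.pem that then makes `openssl verify -CAfile chain_new.pem signed_new.crt` fail for a reason the log never records. I would guard it before the verify: `if ! wget -q -O chain_new.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem || [ ! -s chain_new.pem ]; then echo "[Error] Could not fetch issuer chain." | tee -a ${LOGFILE} >&2; break; fi`. The file name also hard-codes one intermediate (R3); if the CA starts issuing from a different intermediate, verification here will fail on every run until the script is edited, so a comment such as `# NOTE: intermediate name is pinned; update if Let's Encrypt rotates issuers` would at least make that failure mode discoverable, and deriving the issuer from the certificate's AIA extension may be more robust — worth confirming against what acme-tiny already returns. The for-loop body continues past this hunk.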
@@ -42,20 +45,26 @@ for i in `seq 1 3`; do
             for serv in apache nginx dovecot postfix; do
                 systemctl is-active --quiet ${serv} && systemctl reload ${serv}
             done
+
+            # No more retries
+            break
         else
-            echo "[Error] Acme tiny have problems." | tee -a ${LOGFILE} >&2
+            echo "[Error] Verification of obtained cert failed." | tee -a ${LOGFILE} >&2
         fi
-        break
     else
-        # Sleep for max 9999 seconds, then try again.
-        echo "[Notice] Acme tiny retry triggered." | tee -a ${LOGFILE} >&2
-        sleep `tr -cd 0-9 < /dev/urandom | head -c 4`
+        # Sleep for max 999 seconds, then try again.
+        sleep `tr -cd 0-9 < /dev/urandom | head -c 3`
     fi
 done
 
+if [ ${SUCCESS} = 0 ]; then
+    echo "[Error] Reached max number of retry attempts." | tee -a ${LOGFILE} >&2
+fi
+
+
 # Stop temp web server and close port 80 if needed.
 if [ $PORT80 = 0 ]; then
-    iptables -D INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-    ip6tables -D INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
+    #/usr/sbin/iptables -D INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
+    #/usr/sbin/ip6tables -D INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
     pkill -f http.server
 fi
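Review bot: Moving `break` into the success branch means a failed `openssl verify` now loops straight back into another acme-tiny issuance with no delay, so a deterministic verification problem (wrong or empty chain file) burns up to three freshly issued certificates per run against the CA's duplicate-certificate rate limit without any chance of a different outcome. I would keep the early exit on that path: `echo "[Error] Verification of obtained cert failed." | tee -a ${LOGFILE} >&2` followed by `break`, since re-issuing cannot fix a chain mismatch. The new `if [ ${SUCCESS} = 0 ]` block only logs, so the script still exits 0 and cron or a systemd timer cannot tell a failed renewal from a successful one; record it, e.g. `RC=1` there and `exit ${RC}` after the cleanup, rather than exiting inside the block before the temporary web server is stopped. Note also that the retry notice line was dropped, so the log no longer shows that a retry happened at all, and `pkill -f http.server` (context, unchanged) matches any process whose command line contains that string — capturing `$!` from the nohup line and killing that PID would be safer. The for-loop opening is outside this hunk.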