letsencrypt: Retry renewal also on failed verify

diff --git a/letsencrypt/renewal.sh b/letsencrypt/renewal.sh
index 1e2e11e96f44ef86078b8dc7f673323f8c570a66..eb9c9df80857bd255cabb2ff5ca9efa9886c0713 100644 (file)
--- a/letsencrypt/renewal.sh
+++ b/letsencrypt/renewal.sh
@@ -20,6 +20,8 @@ fi
 
 cd /etc/ssl/letsencrypt
 
+SUCCESS=0
+
 # Get a updated certificate.
 for i in `seq 1 3`; do
   if acme-tiny --account-key account.key --csr domain.csr --acme-dir /var/www/challenges \
@@ -34,6 +36,7 @@ for i in `seq 1 3`; do
       mv -f signed_new.crt signed.crt
       cat signed.crt chain.pem > fullchain.pem
 
+      SUCCESS=1
       echo ""
       echo "[Success] Acme tiny successfully renewed certificate." | tee -a ${LOGFILE}
       echo ""
@@ -42,17 +45,23 @@ for i in `seq 1 3`; do
       for serv in apache nginx dovecot postfix; do
         systemctl is-active --quiet ${serv} && systemctl reload ${serv}
       done
+
+      # No more retries
+      break
     else
-      echo "[Error] Acme tiny have problems." | tee -a ${LOGFILE} >&2
+      echo "[Error] Verification of obtained cert failed." | tee -a ${LOGFILE} >&2
     fi
-    break
   else
-    # Sleep for max 9999 seconds, then try again.
-    echo "[Notice] Acme tiny retry triggered." | tee -a ${LOGFILE} >&2
-    sleep `tr -cd 0-9 < /dev/urandom | head -c 4`
+    # Sleep for max 999 seconds, then try again.
+    sleep `tr -cd 0-9 < /dev/urandom | head -c 3`
   fi
 done
 
+if [ ${SUCCESS} = 0 ]; then
+    echo "[Error] Reached max number of retry attempts." | tee -a ${LOGFILE} >&2
+fi
+
+
 # Stop temp web server and close port 80 if needed.
 if [ $PORT80 = 0 ]; then
   /usr/sbin/iptables -D INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT