From 9fc74c6b39f2f0bdefa9cb872bf67d8540f9e713 Mon Sep 17 00:00:00 2001
From: Stefan Huber
Date: Fri, 8 Oct 2021 16:56:56 +0200
Subject: [PATCH] letsencrypt: Retry renewal also on failed verify

---
 letsencrypt/renewal.sh | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/letsencrypt/renewal.sh b/letsencrypt/renewal.sh
index 1e2e11e..eb9c9df 100644
--- a/letsencrypt/renewal.sh
+++ b/letsencrypt/renewal.sh
@@ -20,6 +20,8 @@ fi
 
 cd /etc/ssl/letsencrypt
 
+SUCCESS=0
+
 # Get a updated certificate.
 for i in `seq 1 3`; do
 if acme-tiny --account-key account.key --csr domain.csr --acme-dir /var/www/challenges \
@@ -34,6 +36,7 @@ for i in `seq 1 3`; do
 mv -f signed_new.crt signed.crt
 cat signed.crt chain.pem > fullchain.pem
 
+ SUCCESS=1
 echo ""
 echo "[Success] Acme tiny successfully renewed certificate." | tee -a ${LOGFILE}
 echo ""
@@ -42,17 +45,23 @@ for i in `seq 1 3`; do
 for serv in apache nginx dovecot postfix; do
 systemctl is-active --quiet ${serv} && systemctl reload ${serv}
 done
+
+ # No more retries
+ break
 else
- echo "[Error] Acme tiny have problems." | tee -a ${LOGFILE} >&2
+ echo "[Error] Verification of obtained cert failed." | tee -a ${LOGFILE} >&2
 fi
- break
 else
- # Sleep for max 9999 seconds, then try again.
- echo "[Notice] Acme tiny retry triggered." | tee -a ${LOGFILE} >&2
- sleep `tr -cd 0-9 < /dev/urandom | head -c 4`
+ # Sleep for max 999 seconds, then try again.
+ sleep `tr -cd 0-9 < /dev/urandom | head -c 3`
 fi
 done
 
+if [ ${SUCCESS} = 0 ]; then
+ echo "[Error] Reached max number of retry attempts." | tee -a ${LOGFILE} >&2
+fi
+
+
 # Stop temp web server and close port 80 if needed.
 if [ $PORT80 = 0 ]; then
 /usr/sbin/iptables -D INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-- 
2.39.5
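Review bot: A failed verification now loops straight back into acme-tiny with no delay, because the random sleep on the new side sits only in the outer `else` (the acme-tiny failure branch), so the "Verification of obtained cert failed." path retries up to three times back to back against the ACME endpoint, which is the kind of burst that trips issuer rate limits. Adding the same backoff after that error echo, `sleep $(tr -cd 0-9 < /dev/urandom | head -c 3)`, makes both failure paths behave alike. The removed "[Notice] Acme tiny retry triggered." line also means an acme-tiny failure now writes nothing to ${LOGFILE} before a sleep of up to 999 seconds, so a stalled renewal is harder to spot from the log alone; keeping a one-line notice there would preserve that trace. After "[Error] Reached max number of retry attempts." the script continues into the port-80 cleanup and, as far as the hunk shows, still exits 0, so cron or systemd will not flag the failed renewal unless a non-zero exit is added after the cleanup, which lies outside this hunk. The enclosing for-loop starts in the first hunk and the script continues past the end of the last one.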