LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
Browse Source

uacme: add use_auto_staging 

Staging certificates have the advantage that their retry limits are loose.
Therefore they can be obtained quickly when automatic retries are used.
Unfortunately they can not be used for deployments because their CA is not
accepted by clients. Production certificates do not have this limitation, but
their retry limits are strict. For production certificates, automatic retries
can only be performed a few times per hour. This makes automatic obtainment of
certificates tenacious.

With use_auto_staging=1, the advantages of the two certificate types are
combined. Uacme will first obtain a staging certificate. When the staging
certificate is successfully obtained, uacme will switch and obtain a production
certificate. Since the staging certificate has already been successfully
obtained, we can ensure that the production certificate is successfully
obtained in the first attempt. This means that "retries" are performed on the
staging certificate and the production certificate is obtained in the first
attempt.

In summary, this feature enables fast obtaining of production certificates when
automatic retries are used.

By default, this feature is set to use_auto_staging=0, which means that
uacme will behave as before by default.

Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
lilik-openwrt-22.03
Leonardo Mörlein 3 years ago
committed by Rosen Penev
parent
b80781150b
commit
7d17bbdc41
1 changed files with 25 additions and 1 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +25
    -1
      net/uacme/files/run.sh

+ 25
- 1
net/uacme/files/run.sh View File

@ -407,12 +407,17 @@ issue_cert_with_retries() {
local section="$1"
local use_staging
local retries
local use_auto_staging
local infinite_retries
config_get_bool use_staging "$section" use_staging
config_get_bool use_auto_staging "$section" use_auto_staging
config_get_bool enabled "$section" enabled
config_get retries "$section" retries
[ -z "$retries" ] && retries=1
[ -z "$use_auto_staging" ] && use_auto_staging=0
[ "$retries" -eq "0" ] && infinite_retries=1
[ "$enabled" -eq "1" ] || return 0
while true; do
issue_cert "$1"; ret=$?
@ -421,6 +426,13 @@ issue_cert_with_retries() {
# An error occurred while retrieving the certificate.
retries="$((retries-1))"
if [ "$use_auto_staging" -eq "1" ] && [ "$use_staging" -eq "0" ]; then
log "Production certificate could not be obtained. Switching to staging server."
use_staging=1
uci set "acme.$1.use_staging=1"
uci commit acme
fi
if [ -z "$infinite_retries" ] && [ "$retries" -lt "1" ]; then
log "An error occurred while retrieving the certificate. Retries exceeded."
return "$ret"
@ -442,7 +454,19 @@ issue_cert_with_retries() {
sleep "$sleeptime"
continue
else
return "$ret";
if [ "$use_auto_staging" -eq "1" ]; then
if [ "$use_staging" -eq "0" ]; then
log "Production certificate obtained. Exiting."
else
log "Staging certificate obtained. Continuing with production server."
use_staging=0
uci set "acme.$1.use_staging=0"
uci commit acme
continue
fi
fi
return "$ret"
fi
done
}


Write Preview
Loading…
Cancel
Save