Fix cert renewal by recovering certbot state (#3610)
This commit is contained in:
parent
b87f47934d
commit
5528138e54
@ -15,4 +15,4 @@ if [[ "${USE_LETSENCRYPT}" != "true" ]]; then
|
|||
fi
|
||||
|
||||
# copy certificates into place
|
||||
/bin/aws s3 sync s3://${TELEPORT_S3_BUCKET}/live/${TELEPORT_DOMAIN_NAME} /var/lib/teleport
|
||||
/bin/aws s3 sync --exact-timestamps s3://${TELEPORT_S3_BUCKET}/live/${TELEPORT_DOMAIN_NAME} /var/lib/teleport
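Review bot: The rewritten sync line leaves `s3://${TELEPORT_S3_BUCKET}/live/${TELEPORT_DOMAIN_NAME}` unquoted, so a bucket or domain value containing whitespace or glob characters is word-split and glob-expanded before it reaches aws; quote the whole URL, `/bin/aws s3 sync --exact-timestamps "s3://${TELEPORT_S3_BUCKET}/live/${TELEPORT_DOMAIN_NAME}" /var/lib/teleport`. The same unquoted `s3://${TELEPORT_S3_BUCKET}` appears on the rewritten upload lines in the second hunk of this file and in the last file of this commit, and should be quoted there too. The exit status of the download is also not examined here; if this script does not run under `set -e` (its header is outside the hunk), a failed sync silently leaves whatever was previously in /var/lib/teleport in place, so an explicit `|| exit 1` on this line would make that failure visible.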
|
|
@ -27,4 +27,4 @@ echo "No certs/keys found in ${TELEPORT_S3_BUCKET}. Going to request certificate
|
|||
/usr/local/bin/certbot certonly -n --agree-tos --email ${TELEPORT_DOMAIN_ADMIN_EMAIL} --dns-route53 -d "${TELEPORT_DOMAIN_NAME}" -d "*.${TELEPORT_DOMAIN_NAME}"
|
||||
echo "Got wildcard certificate for ${TELEPORT_DOMAIN_NAME}. Syncing to S3."
|
||||
|
||||
aws s3 sync /etc/letsencrypt/ s3://${TELEPORT_S3_BUCKET} --sse=AES256
|
||||
aws s3 sync --exact-timestamps /etc/letsencrypt/ s3://${TELEPORT_S3_BUCKET} --sse=AES256
|
||||
|
|
|
@ -14,6 +14,27 @@ if [ ! -f /etc/teleport.d/role.auth ] && [ ! -f /etc/teleport.d/role.all ]; then
|
|||
exit 0
|
||||
fi
|
||||
|
||||
# Fetching certbot state
|
||||
aws s3 sync --exact-timestamps "s3://${TELEPORT_S3_BUCKET}" /etc/letsencrypt/ --sse=AES256
|
||||
|
||||
# s3 does not support symlinks, we have to create them after the sync, else certbot will fail.
|
||||
# live/ symlinks point to the latest archive/<domain>/<object>XX.pem where XX is incremented at each cert-renewal.
|
||||
# The last iteration is retrieved by listing all fullchains, sorting them by iteration (this is not alphabetical order
|
||||
# because fullchain10.pem should be greater than fullchain2.pem). We finally strip the id from the filename.
|
||||
ARCHIVE_NUMBER="$(
|
||||
find "/etc/letsencrypt/archive/${TELEPORT_DOMAIN_NAME}/" -iname "fullchain*.pem" \
|
||||
| sort -V \
|
||||
| tail -n 1 \
|
||||
| sed 's@.\+fullchain\([[:digit:]]\+\)\.pem@\1@'
|
||||
)"
|
||||
|
||||
PEM_FILES="cert chain fullchain privkey"
|
||||
|
||||
for PEM_FILE in $PEM_FILES; do
|
||||
rm "/etc/letsencrypt/live/${TELEPORT_DOMAIN_NAME}/${PEM_FILE}.pem"
|
||||
ln -sf "/etc/letsencrypt/archive/${TELEPORT_DOMAIN_NAME}/${PEM_FILE}${ARCHIVE_NUMBER}.pem" "/etc/letsencrypt/live/${TELEPORT_DOMAIN_NAME}/${PEM_FILE}.pem"
|
||||
done
|
||||
|
||||
# This is called periodically, if renewal is successful
|
||||
# certs are uploaded to the S3 Bucket
|
||||
/usr/local/bin/certbot renew --deploy-hook=/usr/local/bin/teleport-upload-cert
|
||||
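Review bot: `ARCHIVE_NUMBER` is consumed without checking that the `find | sort -V | tail -n 1 | sed` pipeline produced anything, so when the sync brings no `archive/${TELEPORT_DOMAIN_NAME}/fullchain*.pem` (first boot, empty or wrong bucket) it is empty, the loop creates dangling `live/*.pem` links to `archive/<domain>/cert.pem` and friends, and `certbot renew` fails later with a far less obvious error. The `rm` inside the loop also has no `-f`, so a missing `live/` copy aborts the script if it runs under `set -e` (the script header is outside the hunk), even though the following `ln -sf` would overwrite the file anyway. Separately, `aws s3 sync` does not restore POSIX file modes, so the synced `archive/<domain>/privkey*.pem` are created with the process umask rather than certbot's restrictive mode, and a `chmod 600` on them after the sync keeps the private keys from being readable by other local users. The change below adds the guard, the `-f` and the `chmod`; the `find` pipeline and the `ln -sf` line stay as they are.
```shell
)"   # end of ARCHIVE_NUMBER="$( find … | sort -V | tail -n 1 | sed … )"
if [ -z "${ARCHIVE_NUMBER}" ]; then
    echo "No archive/${TELEPORT_DOMAIN_NAME}/fullchain*.pem found after sync, cannot rebuild live/ symlinks" >&2
    exit 1
fi

# aws s3 sync does not preserve file modes; put the private keys back to owner-only access
chmod 600 "/etc/letsencrypt/archive/${TELEPORT_DOMAIN_NAME}/"privkey*.pem

PEM_FILES="cert chain fullchain privkey"

for PEM_FILE in $PEM_FILES; do
    # -f: the live/ copy may be absent on a first run; ln -sf below overwrites it anyway
    rm -f "/etc/letsencrypt/live/${TELEPORT_DOMAIN_NAME}/${PEM_FILE}.pem"
    # … unchanged: ln -sf archive/<domain>/<name><ARCHIVE_NUMBER>.pem live/<domain>/<name>.pem …
done
# … unchanged: certbot renew --deploy-hook … …
```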
|
|
|
@ -7,4 +7,4 @@ set -x
|
|||
# Source variables from user-data
|
||||
. /etc/teleport.d/conf
|
||||
|
||||
aws s3 sync /etc/letsencrypt/ s3://${TELEPORT_S3_BUCKET} --sse=AES256
|
||||
aws s3 sync --exact-timestamps /etc/letsencrypt/ s3://${TELEPORT_S3_BUCKET} --sse=AES256
|
||||
|
|