Fix cert renewal by recovering certbot state (#3610)

2024-10-20 01:03:40 +00:00 · 2022-08-02 11:32:53 -04:00 · 2022-08-02 11:32:53 -04:00 · 5528138e54
parent b87f47934d
commit 5528138e54
4 changed files with 24 additions and 3 deletions
--- a/assets/aws/files/bin/teleport-all-pre-start
+++ b/assets/aws/files/bin/teleport-all-pre-start
@ -15,4 +15,4 @@ if [[ "${USE_LETSENCRYPT}" != "true" ]]; then
 fi

 # copy certificates into place
-/bin/aws s3 sync s3://${TELEPORT_S3_BUCKET}/live/${TELEPORT_DOMAIN_NAME} /var/lib/teleport
+/bin/aws s3 sync --exact-timestamps s3://${TELEPORT_S3_BUCKET}/live/${TELEPORT_DOMAIN_NAME} /var/lib/teleport
--- a/assets/aws/files/bin/teleport-get-cert
+++ b/assets/aws/files/bin/teleport-get-cert
@ -27,4 +27,4 @@ echo "No certs/keys found in ${TELEPORT_S3_BUCKET}. Going to request certificate
 /usr/local/bin/certbot certonly -n --agree-tos --email ${TELEPORT_DOMAIN_ADMIN_EMAIL} --dns-route53 -d "${TELEPORT_DOMAIN_NAME}" -d "*.${TELEPORT_DOMAIN_NAME}"
 echo "Got wildcard certificate for ${TELEPORT_DOMAIN_NAME}. Syncing to S3."

-aws s3 sync /etc/letsencrypt/ s3://${TELEPORT_S3_BUCKET} --sse=AES256
+aws s3 sync --exact-timestamps /etc/letsencrypt/ s3://${TELEPORT_S3_BUCKET} --sse=AES256
--- a/assets/aws/files/bin/teleport-renew-cert
+++ b/assets/aws/files/bin/teleport-renew-cert
@ -14,6 +14,27 @@ if [ ! -f /etc/teleport.d/role.auth ] && [ ! -f /etc/teleport.d/role.all ]; then
    exit 0
 fi

+# Fetching certbot state
+aws s3 sync --exact-timestamps "s3://${TELEPORT_S3_BUCKET}" /etc/letsencrypt/ --sse=AES256
+
+# s3 does not support symlinks, we have to create them after the sync, else certbot will fail.
+# live/ symlinks point to the latest archive/<domain>/<object>XX.pem where XX is incremented at each cert-renewal.
+# The last iteration is retrieved by listing all fullchains, sorting them by iteration (this is not alphabetical order
+# because fullchain10.pem should be greater than fullchain2.pem). We finally strip the id from the filename.
+ARCHIVE_NUMBER="$(
+  find "/etc/letsencrypt/archive/${TELEPORT_DOMAIN_NAME}/" -iname "fullchain*.pem" \
+  | sort -V \
+  | tail -n 1 \
+  | sed 's@.\+fullchain\([[:digit:]]\+\)\.pem@\1@'
+  )"
+
+PEM_FILES="cert chain fullchain privkey"
+
+for PEM_FILE in $PEM_FILES; do
+  rm "/etc/letsencrypt/live/${TELEPORT_DOMAIN_NAME}/${PEM_FILE}.pem"
+  ln -sf "/etc/letsencrypt/archive/${TELEPORT_DOMAIN_NAME}/${PEM_FILE}${ARCHIVE_NUMBER}.pem" "/etc/letsencrypt/live/${TELEPORT_DOMAIN_NAME}/${PEM_FILE}.pem"
+done
+
 # This is called periodically, if renewal is successful
 # certs are uploaded to the S3 Bucket
 /usr/local/bin/certbot renew --deploy-hook=/usr/local/bin/teleport-upload-cert
--- a/assets/aws/files/bin/teleport-upload-cert
+++ b/assets/aws/files/bin/teleport-upload-cert
@ -7,4 +7,4 @@ set -x
 # Source variables from user-data
 . /etc/teleport.d/conf

-aws s3 sync /etc/letsencrypt/ s3://${TELEPORT_S3_BUCKET} --sse=AES256
+aws s3 sync --exact-timestamps /etc/letsencrypt/ s3://${TELEPORT_S3_BUCKET} --sse=AES256