uacme: add use_auto_staging

Staging certificates have the advantage that their retry limits are loose. Therefore they can be obtained quickly when automatic retries are used. Unfortunately they can not be used for deployments because their CA is not accepted by clients. Production certificates do not have this limitation, but their retry limits are strict. For production certificates, automatic retries can only be performed a few times per hour. This makes automatic obtainment of certificates tenacious. With use_auto_staging=1, the advantages of the two certificate types are combined. Uacme will first obtain a staging certificate. When the staging certificate is successfully obtained, uacme will switch and obtain a production certificate. Since the staging certificate has already been successfully obtained, we can ensure that the production certificate is successfully obtained in the first attempt. This means that "retries" are performed on the staging certificate and the production certificate is obtained in the first attempt. In summary, this feature enables fast obtaining of production certificates when automatic retries are used. By default, this feature is set to use_auto_staging=0, which means that uacme will behave as before by default. Signed-off-by: Leonardo Mörlein <git@irrelefant.net>

uacme: add use_auto_staging
7d17bbdc · Leonardo Mörlein · Rosen Penev · b8078115 · 7d17bbdc
Commit 7d17bbdc authored 3 years ago by Leonardo Mörlein Committed by Rosen Penev 3 years ago
--- a/net/uacme/files/run.sh
+++ b/net/uacme/files/run.sh
@@ -407,12 +407,17 @@ issue_cert_with_retries() {
 	local section="$1"
 	local use_staging
 	local retries
+	local use_auto_staging
 	local infinite_retries
 	config_get_bool use_staging "$section" use_staging
+	config_get_bool use_auto_staging "$section" use_auto_staging
+	config_get_bool enabled "$section" enabled
 	config_get retries "$section" retries
 	[ -z "$retries" ] && retries=1
+	[ -z "$use_auto_staging" ] && use_auto_staging=0
 	[ "$retries" -eq "0" ] && infinite_retries=1
+	[ "$enabled" -eq "1" ] || return 0
 	while true; do
 		issue_cert "$1"; ret=$?
@@ -421,6 +426,13 @@ issue_cert_with_retries() {
 			# An error occurred while retrieving the certificate.
 			retries="$((retries-1))"
+			if [ "$use_auto_staging" -eq "1" ] && [ "$use_staging" -eq "0" ]; then
+				log "Production certificate could not be obtained. Switching to staging server."
+				use_staging=1
+				uci set "acme.$1.use_staging=1"
+				uci commit acme
+			fi
 			if [ -z "$infinite_retries" ] && [ "$retries" -lt "1" ]; then
 				log "An error occurred while retrieving the certificate. Retries exceeded."
 				return "$ret"
@@ -442,7 +454,19 @@ issue_cert_with_retries() {
 			sleep "$sleeptime"
 			continue
 		else
-			return "$ret";
+			if [ "$use_auto_staging" -eq "1" ]; then
+				if [ "$use_staging" -eq "0" ]; then
+					log "Production certificate obtained. Exiting."
+				else
+					log "Staging certificate obtained. Continuing with production server."
+					use_staging=0
+					uci set "acme.$1.use_staging=0"
+					uci commit acme
+					continue
+				fi
+			fi
+			return "$ret"
 		fi
 	done
 }