[pve-devel] [PATCH manager v2] ACMEv2 order "ready" status update
Stoiko Ivanov
s.ivanov at proxmox.com
Fri Jun 22 10:45:02 CEST 2018
FWIW, tested it quickly with the current staging - both our current
master, as well as the version patched with this worked and provided me
with a certificate.
On Thu, 21 Jun 2018 20:34:14 +0200
Fabian Grünbichler <f.gruenbichler at proxmox.com> wrote:
> LGTM, besides on nit inline (but haven't tested from home - currently
> staging has the feature enabled, production does not, so this should
> be quick on your end ;)).
>
> On Wed, Jun 20, 2018 at 11:56:05AM +0200, Dominik Csapak wrote:
> > since letsencrypt updates their implementation to the ACMEv2 spec
> > [1], we should correctly parse the order status
> >
> > 1:
> > https://community.letsencrypt.org/t/acmev2-order-ready-status/62866
> >
> > note that we (for now) try to be compatbile to both versions,
> > with and without ready state, this can be changed when all
> > letsencrypt apis have changed
> >
> > Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> > ---
> > changes from v1:
> > * try finalizing during 'pending' state with max 5 tries
> > * change sleep to 5 seconds after finalizing
> > PVE/API2/ACME.pm | 30 ++++++++++++++++++++++++++----
> > 1 file changed, 26 insertions(+), 4 deletions(-)
> >
> > diff --git a/PVE/API2/ACME.pm b/PVE/API2/ACME.pm
> > index 3c85458b..b1bb6261 100644
> > --- a/PVE/API2/ACME.pm
> > +++ b/PVE/API2/ACME.pm
> > @@ -90,14 +90,36 @@ my $order_certificate = sub {
> > print "\nCreating CSR\n";
> > my ($csr, $key) = PVE::Certificate::generate_csr(identifiers
> > => $order->{identifiers});
> > - print "Finalizing order\n";
> > - $acme->finalize_order($order,
> > PVE::Certificate::pem_to_der($csr)); -
> > + my $finalize_error_cnt = 0;
> > print "Checking order status\n";
> > while (1) {
> > $order = $acme->get_order($order_url);
> > if ($order->{status} eq 'pending') {
> > - print "still pending, trying again in 30 seconds\n";
> > + print "still pending, trying to finalize order\n";
> > + # FIXME
> > + # to be compatible with and without the order ready
> > state
> > + # we try to finalize even at the 'pending' state
> > + # and give up after 5 unsuccessful tries
> > + # this can be removed when the letsencrypt api
> > + # definitely has implemented the 'ready' state
> > + eval {
> > + $acme->finalize_order($order,
> > PVE::Certificate::pem_to_der($csr));
> > + };
> > + if (my $err = $@) {
> > + die $err if $finalize_error_cnt >= 5;
> > +
> > + $finalize_error_cnt++;
> > + warn $err;
>
> I don't think we need multiple attempts here - the logic in LE's CA
> software calculates the order status based on the authorizations. at
> this point we have already checked all the authorizations, so if it is
> "pending", the "order status ready" feature is not enabled, and we
> only need one finalization attempt just like before. if the feature is
> enabled, at this point the status must be "ready" anyway.
>
> > + }
> > + sleep 5;
> > + next;
> > + } elsif ($order->{status} eq 'ready') {
> > + print "Order is ready, finalizing order\n";
> > + $acme->finalize_order($order,
> > PVE::Certificate::pem_to_der($csr));
> > + sleep 5;
> > + next;
> > + } elsif ($order->{status} eq 'processing') {
> > + print "still processing, trying again in 30 seconds\n";
> > sleep 30;
> > next;
> > } elsif ($order->{status} eq 'valid') {
> > --
> > 2.11.0
> >
> >
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
More information about the pve-devel
mailing list