ingress: Better CERTBOT_STAGING handling

kvinwang · kvinwang · commit 5a92e436610f · 2025-11-14T02:57:34.000Z
diff --git a/custom-domain/dstack-ingress/scripts/entrypoint.sh b/custom-domain/dstack-ingress/scripts/entrypoint.sh
@@ -200,13 +200,17 @@ set_caa_record() {
         echo "Skipping CAA record setup"
         return
     fi
+
     local ACCOUNT_URI
-    find /etc/letsencrypt/accounts -name regr.json
-    path="/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/*/regr.json"
-    if [ "$CERTBOT_STAGING" == "true" ]; then
-        path="${path/acme-v02/acme-staging-v02}"
+    local account_file
+
+    if ! account_file=$(get_letsencrypt_account_file); then
+        echo "Warning: Cannot set CAA record - account file not found"
+        echo "This is not critical - certificates can still be issued without CAA records"
+        return
     fi
-    ACCOUNT_URI=$(jq -j '.uri' $path)
+
+    ACCOUNT_URI=$(jq -j '.uri' "$account_file")
     echo "Adding CAA record for $domain, accounturi=$ACCOUNT_URI"
     dnsman.py set_caa \
         --domain "$domain" \
@@ -217,7 +221,6 @@ set_caa_record() {
         echo "Warning: Failed to set CAA record for $domain"
         echo "This is not critical - certificates can still be issued without CAA records"
         echo "Consider disabling CAA records by setting SET_CAA=false if this continues to fail"
-        # Don't exit - CAA records are optional for certificate generation
     fi
 }
 
diff --git a/custom-domain/dstack-ingress/scripts/functions.sh b/custom-domain/dstack-ingress/scripts/functions.sh
@@ -82,3 +82,29 @@ sanitize_proxy_timeout() {
         echo ""
     fi
 }
+
+get_letsencrypt_account_path() {
+    local base_path="/etc/letsencrypt/accounts"
+    local api_endpoint="acme-v02.api.letsencrypt.org"
+
+    if [[ "$CERTBOT_STAGING" == "true" ]]; then
+        api_endpoint="acme-staging-v02.api.letsencrypt.org"
+    fi
+
+    echo "${base_path}/${api_endpoint}/directory/*/regr.json"
+}
+
+get_letsencrypt_account_file() {
+    local account_pattern
+    account_pattern=$(get_letsencrypt_account_path)
+
+    local account_files
+    account_files=( $account_pattern )
+
+    if [[ ! -f "${account_files[0]}" ]]; then
+        echo "Error: Let's Encrypt account file not found at $account_pattern" >&2
+        return 1
+    fi
+
+    echo "${account_files[0]}"
+}
diff --git a/custom-domain/dstack-ingress/scripts/generate-evidences.sh b/custom-domain/dstack-ingress/scripts/generate-evidences.sh
@@ -2,15 +2,16 @@
 
 set -e
 
-path="/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/*/regr.json"
-if [ "$CERTBOT_STAGING" == "true" ]; then
-    path="${path/acme-v02/acme-staging-v02}"
+source "/scripts/functions.sh"
+
+if ! ACME_ACCOUNT_FILE=$(get_letsencrypt_account_file); then
+    echo "Error: Cannot generate evidences without Let's Encrypt account file"
+    exit 1
 fi
-ACME_ACCOUNT_FILE=$(ls $path)
 
 mkdir -p /evidences
 cd /evidences || exit
-cp ${ACME_ACCOUNT_FILE} acme-account.json
+cp "${ACME_ACCOUNT_FILE}" acme-account.json
 
 # Get all domains and copy their certificates
 all_domains=$(get-all-domains.sh)
