Merge pull request #65 from wwwehr/npw/certbot-staging

kvinwang · web-flow · commit ae50d7d7fc04 · 2025-11-14T09:08:10.000+08:00
support certbot staging mode
diff --git a/custom-domain/dstack-ingress/README.md b/custom-domain/dstack-ingress/README.md
@@ -180,6 +180,7 @@ configs:
 - `PROXY_READ_TIMEOUT`: Optional value for nginx `proxy_read_timeout` (numeric with optional `s|m|h` suffix, e.g. `30s`) in single-domain mode
 - `PROXY_SEND_TIMEOUT`: Optional value for nginx `proxy_send_timeout` (numeric with optional `s|m|h` suffix, e.g. `30s`) in single-domain mode
 - `PROXY_CONNECT_TIMEOUT`: Optional value for nginx `proxy_connect_timeout` (numeric with optional `s|m|h` suffix, e.g. `10s`) in single-domain mode
+- `CERTBOT_STAGING`: Optional; set this value to the string `true` to set the `--staging` server option on the [`certbot` cli](https://eff-certbot.readthedocs.io/en/stable/using.html#certbot-command-line-options)
 
 **Backward Compatibility:**
 
diff --git a/custom-domain/dstack-ingress/scripts/certman.py b/custom-domain/dstack-ingress/scripts/certman.py
@@ -288,6 +288,8 @@ def _build_certbot_command(self, action: str, domain: str, email: str) -> List[s
         if action == "certonly":
             base_cmd.extend(["--agree-tos", "--no-eff-email",
                             "--email", email, "-d", domain])
+        if os.environ.get("CERTBOT_STAGING", "false") == "true":
+            base_cmd.extend(["--staging"])
 
         base_cmd.extend(["--dns-cloudflare-propagation-seconds=120"])
 
diff --git a/custom-domain/dstack-ingress/scripts/entrypoint.sh b/custom-domain/dstack-ingress/scripts/entrypoint.sh
@@ -201,7 +201,12 @@ set_caa_record() {
         return
     fi
     local ACCOUNT_URI
-    ACCOUNT_URI=$(jq -j '.uri' /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/*/regr.json)
+    find /etc/letsencrypt/accounts -name regr.json
+    path="/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/*/regr.json"
+    if [ "$CERTBOT_STAGING" == "true" ]; then
+        path="${path/acme-v02/acme-staging-v02}"
+    fi
+    ACCOUNT_URI=$(jq -j '.uri' $path)
     echo "Adding CAA record for $domain, accounturi=$ACCOUNT_URI"
     dnsman.py set_caa \
         --domain "$domain" \
diff --git a/custom-domain/dstack-ingress/scripts/generate-evidences.sh b/custom-domain/dstack-ingress/scripts/generate-evidences.sh
@@ -2,7 +2,11 @@
 
 set -e
 
-ACME_ACCOUNT_FILE=$(ls /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/*/regr.json)
+path="/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/*/regr.json"
+if [ "$CERTBOT_STAGING" == "true" ]; then
+    path="${path/acme-v02/acme-staging-v02}"
+fi
+ACME_ACCOUNT_FILE=$(ls $path)
 
 mkdir -p /evidences
 cd /evidences || exit
