
Commit fb9adc3

Merge pull request #371 from stackhpc/backport_eab_fix
Backport Fix EAB support in letsencrypt
2 parents 5355349 + 8a5c686 commit fb9adc3


1 file changed

+12
-10
lines changed

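--- a/docker/letsencrypt/letsencrypt-lego/letsencrypt-certificates.sh
+++ b/docker/letsencrypt/letsencrypt-lego/letsencrypt-certificates.sh
@@ -57,8 +57,14 @@ function obtain_or_renew_certificate {
 
 [ ! -e "/etc/letsencrypt/lego/${certificate_type}/certificates/${certificate_fqdn}.pem" ] && local lego_action="run" || local lego_action="renew"
 
-if [ ${eab} ]; then
-eab_opts="--eab --hmac ${hmac} --kid ${key_id}"
+if [ "${eab}" = "true" ]; then
+if [ "${hmac}" != "NONE" ] && [ "${key_id}" != "NONE" ]; then
+eab_opts="--eab --hmac ${hmac} --kid ${key_id}"
+else
+eab_opts=""
+log_error "External Account Binding requires EAB key ID and EAB HMAC key."
+exit 1
+fi
 fi
 
 log_info "[${certificate_fqdn} - cron] Obtaining certificate for domains ${certificate_fqdns}."
@@ -107,6 +113,8 @@ function obtain_or_renew_certificate {
 INTERNAL_SET="false"
 EXTERNAL_SET="false"
 EXTERNAL_ACCOUNT_BINDING="false"
+HMAC="NONE"
+KEY_ID="NONE"
 LOG_FILE="/var/log/kolla/letsencrypt/lesencrypt-lego.log"
 
 
@@ -191,22 +199,16 @@ if [ "${INTERNAL_SET}" = "true" ] || [ "${EXTERNAL_SET}" = "true" ]; then
 LETSENCRYPT_EXTERNAL_FQDNS="${FQDNS}"
 fi
 
-if [ "${EXTERNAL_ACCOUNT_BINDING}" = "true" ]; then
-EXTERNAL_ACCOUNT_BINDING_OPTS="--eab ${HMAC} ${KEY_ID}"
-else
-EXTERNAL_ACCOUNT_BINDING_OPTS=""
-fi
-
 if /usr/sbin/ip a | egrep -q "${LETSENCRYPT_VIP_ADDRESSES}"; then
 log_info "[${FQDN} - cron] This Letsencrypt-lego host is active..."
 if [ "${LETSENCRYPT_INTERNAL_FQDNS}" != "" ]; then
 log_info "[${FQDN} - cron] Processing domains ${LETSENCRYPT_INTERNAL_FQDNS}"
-obtain_or_renew_certificate ${LETSENCRYPT_INTERNAL_FQDNS} internal ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT} ${EXTERNAL_ACCOUNT_BINDING_OPTS}
+obtain_or_renew_certificate ${LETSENCRYPT_INTERNAL_FQDNS} internal ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT} ${EXTERNAL_ACCOUNT_BINDING} ${HMAC} ${KEY_ID}
 fi
 
 if [ "${LETSENCRYPT_EXTERNAL_FQDNS}" != "" ]; then
 log_info "[${FQDN} - cron] Processing domains ${LETSENCRYPT_EXTERNAL_FQDNS}"
-obtain_or_renew_certificate ${LETSENCRYPT_EXTERNAL_FQDNS} external ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT} ${EXTERNAL_ACCOUNT_BINDING_OPTS}
+obtain_or_renew_certificate ${LETSENCRYPT_EXTERNAL_FQDNS} external ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT} ${EXTERNAL_ACCOUNT_BINDING} ${HMAC} ${KEY_ID}
 fi
 else
 log_info "[${FQDN} - cron] This Letsencrypt-lego host is passive, nothing to do..."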