From dc372d9d9fe5c1404d15e3b8ddb9790e66766a6d Mon Sep 17 00:00:00 2001 From: Niall Creech Date: Tue, 15 Mar 2016 21:23:29 +0000 Subject: [PATCH] Make update_certs task use set_ssl_certificates retry logic The update certs task calls time.sleep(3) to overcome the problem with checking something that AWS believes the ssl cert to be available, but it takes a few seconds to be 'eventually consistent'. The ELB::set_ssl_certificates has retry logic to handle this case but it is currently unused by the task. This change makes update_certs retry 3 times so that AWS has consistent knowledge on the state of certs and the action will succeed. (Closes #196) --- bootstrap_cfn/fab_tasks.py | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/bootstrap_cfn/fab_tasks.py b/bootstrap_cfn/fab_tasks.py index 3d494dc..5d1457b 100755 --- a/bootstrap_cfn/fab_tasks.py +++ b/bootstrap_cfn/fab_tasks.py @@ -572,28 +572,26 @@ def update_certs(): stack_name = get_stack_name() cfn_config = get_config() + iam = get_connection(IAM) # Upload any SSL certificates to our EC2 instances updated_count = False if 'ssl' in cfn_config.data: logger.info("Reloading SSL certificates...") - iam = get_connection(IAM) updated_count = iam.update_ssl_certificates(cfn_config.ssl(), stack_name) else: logger.error("No ssl section found in cloud config file, aborting...") sys.exit(1) - # Arbitrary wait to allow SSL upload to register with AWS - # Otherwise, we can get an ARN for the load balancer certificates - # without it being ready to assign - time.sleep(3) - # Set the certificates on ELB's if we have any if updated_count: if 'elb' in cfn_config.data: logger.info("Setting load balancer certificates...") elb = get_connection(ELB) - elb.set_ssl_certificates(updated_count, stack_name) + replaced_certs = elb.set_ssl_certificates(updated_count, + stack_name, + max_retries=3, + retry_delay=10) else: logger.error("No certificates updated so skipping " "ELB certificate update...")