Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Confconsole Bookworm Let's Encrypt DNS-01 challenge fixes #82

Merged
merged 34 commits into from
Dec 20, 2023
Merged

Confconsole Bookworm Let's Encrypt DNS-01 challenge fixes #82

merged 34 commits into from
Dec 20, 2023

Conversation

JedMeister
Copy link
Member

Refactoring/bugfixing the Confconsole Let's Encrypt plugin...

Closes turnkeylinux/tracker#1876 (or at least will when I'm finished)

This work was undertaken to resolve the above noted bug for DNS-01 challenges. However I got a bit carried away and refactored and tidied the code a bit more than I originally intended...

This is currently untested, so will likely get another commit or 2.

@JedMeister JedMeister mentioned this pull request Nov 28, 2023
Closed
@JedMeister JedMeister requested a review from OnGle December 6, 2023 05:02
@JedMeister
Copy link
Member Author

Hey @OnGle can you please do a code review here ASAP? FWIW, there is a lot of discussion on the related issue: turnkeylinux/tracker#1876 You probably won't need it, but figured I might as well mention it.

OnGle
OnGle suggested changes Dec 6, 2023
View reviewed changes
Copy link
Member

@OnGle OnGle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only really concerned with the save_config thing. I'm ok pushing through with the lexicon package stuff if you want, just wanted to note it since it seems somewhat in opposition to the venv install.

plugins.d/Lets_Encrypt/dehydrated-wrapper Outdated Show resolved Hide resolved
plugins.d/Lets_Encrypt/dns_01.py Outdated Show resolved Hide resolved
plugins.d/Lets_Encrypt/dns_01.py Outdated Show resolved Hide resolved
plugins.d/Lets_Encrypt/dns_01.py Outdated Show resolved Hide resolved
plugins.d/Lets_Encrypt/get_certificate.py Outdated Show resolved Hide resolved
a3s7p
a3s7p reviewed Dec 20, 2023
View reviewed changes
turnkey-lexicon Outdated Show resolved Hide resolved
turnkey-lexicon Show resolved Hide resolved
turnkey-lexicon Outdated Show resolved Hide resolved
plugins.d/Lets_Encrypt/dehydrated-wrapper Outdated Show resolved Hide resolved
plugins.d/Lets_Encrypt/dehydrated-wrapper Show resolved Hide resolved
plugins.d/Lets_Encrypt/get_certificate.py Outdated

def get_conf_value(conf: list[str], key: str) -> str:
"""Given a list of config lines and a key, returns the (first) corresponding
value (non case sensititive). If nothing found, returns empty string.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe this should actually return Optional[str]?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, good call. Actually, it's not even being used, so I probably should just remove it?! I don't actually recall my intentions with that, so I'm just going to leave it there for now though...

plugins.d/Lets_Encrypt/get_certificate.py Outdated Show resolved Hide resolved
plugins.d/Lets_Encrypt/get_certificate.py Show resolved Hide resolved
plugins.d/Lets_Encrypt/dehydrated-wrapper
@@ -158,21 +162,24 @@ restart_servers() {
for servicename in $@; do
info "(Re)starting $servicename"
systemctl restart $servicename | tee -a $LOG
[ "${PIPESTATUS[0]}" -eq 0 ] || EXIT_CODE=1
[[ "${PIPESTATUS[0]}" -eq 0 ]] || EXIT_CODE=1
done
}

clean_finish() {
# warning: do NOT use 'fatal' in this func as it will cause an inescapable recursive loop
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if you add EXIT to the trap signals in L216 then fatal can just exit 1 and can be used here. the EXIT trap is executed exactly once

plugins.d/Lets_Encrypt/dehydrated-wrapper
[ $(which authbind) ] || fatal "Authbind not installed"
[[ "$EUID" = "0" ]] || fatal "$APP must be run as root"
[[ $(which dehydrated) ]] || fatal "Dehydrated not installed, or not in the \$PATH"
[[ $(which authbind) ]] || fatal "Authbind not installed"

for sig in INT TERM; do
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should be INT TERM EXIT

@a3s7p
Copy link
Member

a3s7p commented Dec 20, 2023

i also recommend using shellcheck to lint the bash scripts, there is a lot it suggests to change

@JedMeister
Copy link
Member Author

Thanks @a3s7p - great catches and good call to check via shellcheck (I should have done that myself already...).

I've applied all of your suggested fixes, with exception of your suggestions re dehydrated-wrapper trap. I think that you are right, but I have some vague recollection that it might cause a recursive loop? Perhaps I'm being paranoid, but I want to move on and don't want to have to do more testing (this has already chewed up way too much of my time). Besides, that trap has been as is for quite some time now. So whilst I agree that it could be better, I'm inclined to leave it be for now.

I'm going to merge this now. But I will circle back and add your suggestion to the tracker for future dev.

@JedMeister JedMeister merged commit 0cb4c02 into turnkeylinux:master Dec 20, 2023
@JedMeister JedMeister deleted the bookworm-le-dns-fixes branch December 20, 2023 20:57
@JedMeister JedMeister mentioned this pull request Dec 20, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@a3s7p a3s7p a3s7p left review comments

@OnGle OnGle OnGle requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@JedMeister @a3s7p @OnGle