From 5a92e436610f8022638f95d07a2ad7a06361dca6 Mon Sep 17 00:00:00 2001
From: Kevin Wang
Date: Fri, 14 Nov 2025 01:28:23 +0000
Subject: [PATCH] ingress: Better CERTBOT_STAGING handling
---
 .../dstack-ingress/scripts/entrypoint.sh | 15 ++++++-----
 .../dstack-ingress/scripts/functions.sh | 26 +++++++++++++++++++
 .../scripts/generate-evidences.sh | 11 ++++----
 3 files changed, 41 insertions(+), 11 deletions(-)
diff --git a/custom-domain/dstack-ingress/scripts/entrypoint.sh b/custom-domain/dstack-ingress/scripts/entrypoint.sh
index 7a4ea7f..af9263c 100644
--- a/custom-domain/dstack-ingress/scripts/entrypoint.sh
+++ b/custom-domain/dstack-ingress/scripts/entrypoint.sh
@@ -200,13 +200,17 @@ set_caa_record() {
         echo "Skipping CAA record setup"
         return
     fi
+    local ACCOUNT_URI
-    find /etc/letsencrypt/accounts -name regr.json
-    path="/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/*/regr.json"
-    if [ "$CERTBOT_STAGING" == "true" ]; then
-        path="${path/acme-v02/acme-staging-v02}"
+    local account_file
+
+    if ! account_file=$(get_letsencrypt_account_file); then
+        echo "Warning: Cannot set CAA record - account file not found"
+        echo "This is not critical - certificates can still be issued without CAA records"
+        return
     fi
-    ACCOUNT_URI=$(jq -j '.uri' $path)
+
+    ACCOUNT_URI=$(jq -j '.uri' "$account_file")
     echo "Adding CAA record for $domain, accounturi=$ACCOUNT_URI"
     dnsman.py set_caa \
         --domain "$domain" \
@@ -217,7 +221,6 @@ set_caa_record() {
         echo "Warning: Failed to set CAA record for $domain"
         echo "This is not critical - certificates can still be issued without CAA records"
         echo "Consider disabling CAA records by setting SET_CAA=false if this continues to fail"
-        # Don't exit - CAA records are optional for certificate generation
     fi
 }
diff --git a/custom-domain/dstack-ingress/scripts/functions.sh b/custom-domain/dstack-ingress/scripts/functions.sh
index 868555c..bf8b80c 100644
--- a/custom-domain/dstack-ingress/scripts/functions.sh
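Review bot: `ACCOUNT_URI=$(jq -j '.uri' "$account_file")` is used unchecked on the next line, so if regr.json is malformed or has no `uri` key, `jq -j` yields an empty string or the literal `null` and `dnsman.py set_caa` publishes `accounturi=` / `accounturi=null`; a CAA accounturi that matches no ACME account makes the CA refuse issuance for `$domain`, turning the optional hardening into a self-inflicted outage. Guard it before the `echo "Adding CAA record ..."`: `if [[ -z "$ACCOUNT_URI" || "$ACCOUNT_URI" == "null" ]]; then echo "Warning: no account URI in $account_file - skipping CAA record" >&2; return; fi`. The new warning lines are also written to stdout while `get_letsencrypt_account_file` has just reported the same condition on stderr, so the two halves of one diagnostic land on different streams; `>&2` on both `echo` calls keeps them together. The body of `set_caa_record` begins before this hunk and continues past it.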
+++ b/custom-domain/dstack-ingress/scripts/functions.sh
@@ -82,3 +82,29 @@ sanitize_proxy_timeout() {
         echo ""
     fi
 }
+
+get_letsencrypt_account_path() {
+    local base_path="/etc/letsencrypt/accounts"
+    local api_endpoint="acme-v02.api.letsencrypt.org"
+
+    if [[ "$CERTBOT_STAGING" == "true" ]]; then
+        api_endpoint="acme-staging-v02.api.letsencrypt.org"
+    fi
+
+    echo "${base_path}/${api_endpoint}/directory/*/regr.json"
+}
+
+get_letsencrypt_account_file() {
+    local account_pattern
+    account_pattern=$(get_letsencrypt_account_path)
+
+    local account_files
+    account_files=( $account_pattern )
+
+    if [[ ! -f "${account_files[0]}" ]]; then
+        echo "Error: Let's Encrypt account file not found at $account_pattern" >&2
+        return 1
+    fi
+
+    echo "${account_files[0]}"
+}
diff --git a/custom-domain/dstack-ingress/scripts/generate-evidences.sh b/custom-domain/dstack-ingress/scripts/generate-evidences.sh
index 401e15f..1c5b19b 100644
--- a/custom-domain/dstack-ingress/scripts/generate-evidences.sh
+++ b/custom-domain/dstack-ingress/scripts/generate-evidences.sh
@@ -2,15 +2,16 @@
 set -e
-path="/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/*/regr.json"
-if [ "$CERTBOT_STAGING" == "true" ]; then
-    path="${path/acme-v02/acme-staging-v02}"
+source "/scripts/functions.sh"
+
+if ! ACME_ACCOUNT_FILE=$(get_letsencrypt_account_file); then
+    echo "Error: Cannot generate evidences without Let's Encrypt account file"
+    exit 1
 fi
-ACME_ACCOUNT_FILE=$(ls $path)
 mkdir -p /evidences
 cd /evidences || exit
-cp ${ACME_ACCOUNT_FILE} acme-account.json
+cp "${ACME_ACCOUNT_FILE}" acme-account.json
 # Get all domains and copy their certificates
 all_domains=$(get-all-domains.sh)
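Review bot: `get_letsencrypt_account_file` returns `${account_files[0]}` without checking how many paths the `*` in the pattern matched, so if more than one account directory exists under the endpoint the file that feeds both the CAA `accounturi` and the `acme-account.json` evidence is chosen by glob sort order rather than by which account certbot actually uses; whether that can happen in this deployment is not visible here, but it should at least be logged: `if (( ${#account_files[@]} > 1 )); then echo "Warning: ${#account_files[@]} account files match $account_pattern, using ${account_files[0]}" >&2; fi`. The unquoted `account_files=( $account_pattern )` is the intended glob expansion, so annotate it as such, `# shellcheck disable=SC2206 -- deliberate glob expansion of the account pattern`, instead of leaving it to read as a quoting bug. `get_letsencrypt_account_path` reads `$CERTBOT_STAGING` unguarded, which aborts any caller running under `set -u` when the variable is unset; `"${CERTBOT_STAGING:-}"` keeps the comparison safe with identical results.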
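Review bot: The new failure message `echo "Error: Cannot generate evidences without Let's Encrypt account file"` is written to stdout, while `get_letsencrypt_account_file` has just reported the underlying cause on stderr, so the diagnostic is split across two streams and the stdout half can be mistaken for script output; change it to `echo "Error: Cannot generate evidences without Let's Encrypt account file" >&2`. Sourcing the helper by the absolute path `/scripts/functions.sh` also hard-codes where this script expects to be installed; if that layout is not guaranteed, `source "/scripts/functions.sh" || { echo "Error: /scripts/functions.sh not found" >&2; exit 1; }` states the assumption explicitly rather than relying on `set -e` and bash's own message.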