From 864f39bfff904f8f000de97743c9cfdaa1fe34d4 Mon Sep 17 00:00:00 2001 From: Ian Wienand Date: Wed, 27 Nov 2019 11:17:04 +1100 Subject: [PATCH] letsencrypt-acme-sh-install: handle errors better in driver Currently we discard the exit code of the acme.sh call and swallow any possible errors. Although they are logged, it means the Ansible calls won't fail and you'll have to debug much later on why you didn't get a certificate as expected. Capture the failure of the call and log it better. Note that when skipping renewal due to current valid certificates acme.sh returns "2". After [1] acme.sh is returning "3" when it exits with a TXT entry requiring validation; anything else is an error on the request path. Valid issues should be "0" and anything else will be an error. While we here, make sure we always output the end stamp by putting it in a exit trap. [1] https://github.com/acmesh-official/acme.sh/commit/2d4ea720eb77db4dcf46692478c03c8c793b84fc Change-Id: Ica63860f3221e99ca0a2aa2636d573fc134447bb
---
.../files/driver.sh | 27 +++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh b/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh
index 1322cc0b7f..d9b3b05638 100644
--- a/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh
+++ b/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh
@@ -23,6 +23,11 @@ fi
 # Ensure we don't write out files as world-readable
 umask 027
+function _exit {
+ echo "--- end --- $(date -u '+%Y-%m-%dT%k:%M:%S%z') ---" >> ${LOG_FILE}
+}
+trap _exit EXIT
+
 echo -e "\n--- start --- ${1} --- $(date -u '+%Y-%m-%dT%k:%M:%S%z') ---" >> ${LOG_FILE}
 if [[ ${1} == "issue" ]]; then
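Review bot: The new `_exit` trap records when the run ended but not how, and since the point of this change is to make failures visible in the log, the end stamp should carry the exit status; `$?` still holds the script's exit status when the EXIT trap begins, so capture it on the function's first line with `local rc=$?` and then write `echo "--- end --- rc=${rc} --- $(date -u '+%Y-%m-%dT%k:%M:%S%z') ---" >> "${LOG_FILE}"`. The redirect target is unquoted here as it is in the surrounding lines, but if LOG_FILE is ever empty the trap itself fails with an ambiguous redirect at exit, so `>> "${LOG_FILE}"` is safer and gives a clearer error. As a point of style, `function _exit {` could be written `_exit() {`, the form ShellCheck prefers.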
@@ -49,6 +54,16 @@ if [[ ${1} == "issue" ]]; then
 # shell magic ^ is
 # - extract everything between ' '
 # - stick every two lines together, separated by a :
+ _exit_code=${PIPESTATUS[0]}
+ if [[ ${_exit_code} == 2 ]]; then
+ echo "Valid and current certificate found" >> ${LOG_FILE}
+ exit 0
+ elif [[ ${_exit_code} == 3 ]]; then
+ echo "Certificate request issued" >> ${LOG_FILE}
+ else
+ echo "Unknown failure: ${_exit_code}" >> ${LOG_FILE}
+ exit ${_exit_code}
+ fi
 done
 elif [[ ${1} == "issue-selfsign" ]]; then
 shift;
@@ -91,6 +106,16 @@ elif [[ ${1} == "renew" ]]; then
 --force \
 --renew \
 $arg 2>&1 | tee -a ${LOG_FILE}
+ _exit_code=${PIPESTATUS[0]}
+ if [[ ${_exit_code} == 2 ]]; then
+ echo "Valid and current certificate found" >> ${LOG_FILE}
+ exit 0
+ elif [[ ${_exit_code} == 0 ]]; then
+ echo "Certificate renewed" >> ${LOG_FILE}
+ else
+ echo "Unknown failure: ${_exit_code}" >> ${LOG_FILE}
+ exit ${_exit_code}
+ fi
 done
 elif [[ ${1} == "selfsign" ]]; then
 # For testing, simulate the key generation
@@ -160,5 +185,3 @@ else
 echo "Unknown driver arg: $1"
 exit 1
 fi
-
-echo "--- end --- $(date -u '+%Y-%m-%dT%k:%M:%S%z') ---" >> ${LOG_FILE}
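Review bot: The `exit 0` taken when acme.sh returns 2 terminates the whole driver, not just the current argument, so if this block sits inside the per-argument `for … done` loop that the `done` context line closes (the loop head is outside the hunk), every argument after the first one that already has a valid certificate is silently skipped; `continue` is the per-argument equivalent, and the renew hunk at `@@ -91,6 +106,16 @@` has the same `exit 0`. A status of 0 matches neither branch here and falls to the `else`, which logs `Unknown failure: 0` and then exits 0, so a success would be reported as a failure in the log while Ansible still sees success; since the commit message says valid issues should return 0, that case deserves its own branch, e.g. `elif [[ ${_exit_code} == 0 ]]; then` followed by `echo "Certificate issued" >> ${LOG_FILE}`. `${PIPESTATUS[0]}` is only acme.sh's status if acme.sh is the first stage of the pipeline this follows and no command runs between them; the comment lines in between are harmless, but the pipeline itself starts above the hunk so that cannot be confirmed from here. Quoting the redirect target as `>> "${LOG_FILE}"` on the new lines would also keep ShellCheck quiet.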