opendev/system-config
Code Issues Proposed changes
system-config/playbooks/roles/letsencrypt-create-certs/README.rst
Ian Wienand 547a4578bd letsencrypt : don't use staging in the gate 
Currently we connect to the LE staging environment with acme.sh during
CI to get the DNS-01 tokens (but we never follow-through and actually
generate the certificate, as we have nowhere to publish the tokens).
We've known for a while that LE staging isn't really meant to be used
by CI like this, and recent instability has made the issue pronounced.

This modifies the driver script to generate fake tokens which work to
ensure all the DNS processing, etc. is happening correctly.

I have put this behind a flag so the letsencrypt job still does this
however.  I think it is worth this job actually calling acme.sh to
validate this path; this shouldn't be required too often.

Change-Id: I7c0b471a0661aa311aaa861fd2a0d47b07e45a72
2021-10-06 15:34:21 +11:00

39 lines
1.4 KiB
ReStructuredText
Raw Blame History

Generate letsencrypt certificates
This must run after the ``letsencrypt-install-acme-sh``,
``letsencrypt-request-certs`` and ``letsencrypt-install-txt-records``
roles. It will run the ``acme.sh`` process to create the certificates
on the host.
**Role Variables**
.. zuul:rolevar:: letsencrypt_self_sign_only
:default: False
If set to True, will locally generate self-signed certificates in
the same locations the real script would, instead of contacting
letsencrypt. This is set during gate testing as the
authentication tokens are not available.
.. zuul:rolevar:: letsencrypt_self_generate_tokens
:default: False
When set to ``True``, self-generate fake DNS-01 TXT tokens rather
than acquiring them through the ACME process with letsencrypt.
This avoids leaving "half-open" challenges during gate testing,
where we have no way to publish the DNS TXT records letsencrypt
gives us to complete the certificate issue. This should be
``True`` if ``letsencrypt_self_sign_only`` is ``True`` (unless you
wish to specifically test the ``acme.sh`` operation).
.. zuul:rolevar:: letsencrypt_use_staging
:default: False
If set to True will use the letsencrypt staging environment, rather
than make production requests. Useful during initial provisioning
of hosts to avoid affecting production quotas.
.. zuul:rolevar:: letsencrypt_certs
The same variable as described in ``letsencrypt-request-certs``.
View Git Blame Copy Permalink