From bec154f070a89fb3fbe62ac5f3d47c9139e7f980 Mon Sep 17 00:00:00 2001
From: Lukas Schauer
Date: Fri, 2 May 2025 14:34:34 +0200
Subject: [PATCH] Added a configuration parameter to allow for timeouts during order processing (fixes #955)

---
 CHANGELOG            |  1 +
 README.md            |  1 +
 dehydrated           | 22 ++++++++++++++++++++--
 docs/examples/config |  3 +++
 4 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index b792c39..3a18395 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -4,6 +4,7 @@ This file contains a log of major changes in dehydrated
 ## [x.x.x] - xxxx-xx-xx
 ## Added
 - Implemented support for certificate profile selection
+- Added a configuration parameter to allow for timeouts during order processing (`ORDER_TIMEOUT`, defaults to 0 = no timeout)
 
 ## Changed
 - Renew certificates with 32 days remaining (instead of 30) to avoid issues with monthly cronjobs (`RENEW_DAYS=32`)
diff --git a/README.md b/README.md
index c28652a..e5dddaa 100644
--- a/README.md
+++ b/README.md
@@ -86,6 +86,7 @@ Parameters:
  --challenge (-t) http-01|dns-01|tls-alpn-01 Which challenge should be used? Currently http-01, dns-01, and tls-alpn-01 are supported
  --algo (-a) rsa|prime256v1|secp384r1 Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
  --acme-profile profile_name Use specified ACME profile
+ --order-timeout seconds Amount of seconds to wait for processing of order until erroring out
 ```
 
 ## Chat
diff --git a/dehydrated b/dehydrated
index 2382ac4..a93d443 100755
--- a/dehydrated
+++ b/dehydrated
@@ -292,6 +292,7 @@ store_configvars() {
   __RENEW_DAYS="${RENEW_DAYS}"
   __IP_VERSION="${IP_VERSION}"
   __ACME_PROFILE="${ACME_PROFILE}"
+  __ORDER_TIMEOUT=${ORDER_TIMEOUT}
 }
 
 reset_configvars() {
@@ -311,6 +312,7 @@ reset_configvars() {
   RENEW_DAYS="${__RENEW_DAYS}"
   IP_VERSION="${__IP_VERSION}"
   ACME_PROFILE="${__ACME_PROFILE}"
+  ORDER_TIMEOUT=${__ORDER_TIMEOUT}
 }
 
 hookscript_bricker_hook() {
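Review bot: `__ORDER_TIMEOUT=${ORDER_TIMEOUT}` in store_configvars leaves the expansion unquoted while every neighbouring line quotes its value (`__ACME_PROFILE="${ACME_PROFILE}"`); the same applies to `ORDER_TIMEOUT=${__ORDER_TIMEOUT}` in the reset_configvars hunk and to `PARAM_ORDER_TIMEOUT=${1}` in the main hunk, where the line directly above it quotes `"${1}"`. It is harmless for the digit-only values verify_config accepts, but the file's convention is to quote, and the quoted form costs nothing: `__ORDER_TIMEOUT="${ORDER_TIMEOUT}"`, `ORDER_TIMEOUT="${__ORDER_TIMEOUT}"`, `PARAM_ORDER_TIMEOUT="${1}"`.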
@@ -336,6 +338,7 @@ verify_config() {
   fi
   [[ "${API}" == "auto" || "${API}" == "1" || "${API}" == "2" ]] || _exiterr "Unsupported API version defined in config: ${API}"
   [[ "${OCSP_DAYS}" =~ ^[0-9]+$ ]] || _exiterr "OCSP_DAYS must be a number"
+  [[ "${ORDER_TIMEOUT}" =~ ^[0-9]+$ ]] || _exiterr "ORDER_TIMEOUT must be a number"
 }
 
 # Setup default config values, search for and load configuration files
@@ -396,6 +399,7 @@ load_config() {
   DEHYDRATED_GROUP=
   API="auto"
   ACME_PROFILE=""
+  ORDER_TIMEOUT=0
 
   if [[ -z "${CONFIG:-}" ]]; then
     echo "#" >&2
@@ -554,6 +558,7 @@ load_config() {
   [[ -n "${PARAM_OCSP_MUST_STAPLE:-}" ]] && OCSP_MUST_STAPLE="${PARAM_OCSP_MUST_STAPLE}"
   [[ -n "${PARAM_IP_VERSION:-}" ]] && IP_VERSION="${PARAM_IP_VERSION}"
   [[ -n "${PARAM_ACME_PROFILE:-}" ]] && ACME_PROFILE="${PARAM_ACME_PROFILE}"
+  [[ -n "${PARAM_ORDER_TIMEOUT:-}" ]] && ORDER_TIMEOUT="${PARAM_ORDER_TIMEOUT}"
 
   if [ "${PARAM_FORCE_VALIDATION:-no}" = "yes" ] && [ "${PARAM_FORCE:-no}" = "no" ]; then
     _exiterr "Argument --force-validation can only be used in combination with --force (-x)"
@@ -1330,19 +1335,24 @@ sign_csr() {
     crt="$( printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" )"
   else
     result="$(signed_request "${finalize}" '{"csr": "'"${csr64}"'"}' | jsonsh)"
+    waited=0
     while :; do
       orderstatus="$(echo "${result}" | get_json_string_value status)"
       case "${orderstatus}" in
         "processing" | "pending")
+          if [ ${ORDER_TIMEOUT} -gt 0 ] && [ ${waited} -gt ${ORDER_TIMEOUT} ]; then
+            _exiterr "Timed out waiting for processing of order (still ${orderstatus})"
+          fi
           echo " + Order is ${orderstatus}..."
           sleep 2;
+          waited=$((waited+2))
           ;;
         "valid")
           break;
           ;;
         *)
-          _exiterr "Order in status ${orderstatus}"
+          _exiterr "Order has invalid/unknown status: ${orderstatus}"
           ;;
       esac
       result="$(signed_request "${order_location}" "" | jsonsh)"
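Review bot: The new `waited` counter in sign_csr only adds the 2 seconds slept per iteration, so the time spent in each `signed_request` round trip (the line just below the case) is never counted and a slow or stalled CA still keeps the loop running well past ORDER_TIMEOUT — the option does not bound wall-clock time the way its description ("seconds to wait for processing of order") suggests. In addition `-gt` lets one extra iteration through: with ORDER_TIMEOUT=2 the check fires only once waited reaches 4. Measuring elapsed time with bash's SECONDS fixes both: `order_wait_start=${SECONDS}` in place of `waited=0`, `if [ "${ORDER_TIMEOUT}" -gt 0 ] && [ $((SECONDS - order_wait_start)) -ge "${ORDER_TIMEOUT}" ]; then` as the check, and the `waited=$((waited+2))` line goes away. If sign_csr declares its other working variables with `local` earlier in the function (outside this hunk), the new variable should join that list. sign_csr starts and ends outside the hunk.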
@@ -1831,7 +1841,7 @@ command_sign_domains() {
           # All settings that are allowed here should also be stored and
           # restored in store_configvars() and reset_configvars()
           case "${config_var}" in
-            KEY_ALGO|OCSP_MUST_STAPLE|OCSP_FETCH|OCSP_DAYS|PRIVATE_KEY_RENEW|PRIVATE_KEY_ROLLOVER|KEYSIZE|CHALLENGETYPE|HOOK|PREFERRED_CHAIN|WELLKNOWN|HOOK_CHAIN|OPENSSL_CNF|RENEW_DAYS|ACME_PROFILE)
+            KEY_ALGO|OCSP_MUST_STAPLE|OCSP_FETCH|OCSP_DAYS|PRIVATE_KEY_RENEW|PRIVATE_KEY_ROLLOVER|KEYSIZE|CHALLENGETYPE|HOOK|PREFERRED_CHAIN|WELLKNOWN|HOOK_CHAIN|OPENSSL_CNF|RENEW_DAYS|ACME_PROFILE|ORDER_TIMEOUT)
               echo " + ${config_var} = ${config_value}"
               declare -- "${config_var}=${config_value}"
               ;;
@@ -2433,6 +2443,14 @@ main() {
         PARAM_ACME_PROFILE="${1}"
         ;;
 
+      # PARAM_Usage: --order-timeout seconds
+      # PARAM_Description: Amount of seconds to wait for processing of order until erroring out
+      --order-timeout)
+        shift 1
+        check_parameters "${1:-}"
+        PARAM_ORDER_TIMEOUT=${1}
+        ;;
+
       *)
         echo "Unknown parameter detected: ${1}" >&2
         echo >&2
diff --git a/docs/examples/config b/docs/examples/config
index e0c5bd1..0bc49ce 100644
--- a/docs/examples/config
+++ b/docs/examples/config
@@ -133,3 +133,6 @@
 
 # Request certificate with specific profile (default: )
 #ACME_PROFILE=
+
+# Amount of seconds to wait for processing of order until erroring out (default: 0 => no timeout)
+#ORDER_TIMEOUT=0
-- 
2.47.2
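Review bot: Adding ORDER_TIMEOUT to the per-domain override list in command_sign_domains means a value taken from the domains file reaches `declare -- "${config_var}=${config_value}"` without the `^[0-9]+$` check that verify_config applies to the global value, unless verify_config is re-run after this override, which the hunk does not show. A non-numeric or empty per-domain value then arrives at the unquoted `[ ${ORDER_TIMEOUT} -gt 0 ]` test in sign_csr, where it surfaces as a shell test error rather than the clear "ORDER_TIMEOUT must be a number" message the config path gives. A guard next to the declare keeps both paths equally strict: `[[ "${config_var}" != "ORDER_TIMEOUT" || "${config_value}" =~ ^[0-9]+$ ]] || _exiterr "ORDER_TIMEOUT must be a number"`. The enclosing case statement and command_sign_domains itself continue outside the hunk.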