Merge pull request #6 from BrunoZell/master

Fix problems with rate limit - updated

src/Dockerfile

@@ -1,5 +1,5 @@
 FROM nginx
-MAINTAINER Elliot Saba <staticfloat@gmail.com>
+LABEL maintainer="Elliot Saba <staticfloat@gmail.com>, Valder Gallo <valergallo@gmail.com>, Bruno Zell <bruno.zzell@gmail.com>"
 
 VOLUME /etc/letsencrypt
 EXPOSE 80

src/scripts/entrypoint.sh

@@ -14,27 +14,24 @@ auto_enable_configs
 nginx -g "daemon off;" &
 export NGINX_PID=$!
 
-# Next, run certbot to request all the ssl certs we can find
-/scripts/run_certbot.sh
-
 # Lastly, run startup scripts
 for f in /scripts/startup/*.sh; do
-    if [[ -x "$f" ]]; then
+    if [ -x "$f" ]; then
         echo "Running startup script $f"
         $f
     fi
 done
 echo "Done with startup"
 
-# Instead of trying to run `cron` or something like that, just leep and run `certbot`.
+# Instead of trying to run `cron` or something like that, just sleep and run `certbot`.
 while [ true ]; do
-    # Sleep for 1 week
-    sleep 604800 &
-    SLEEP_PID=$!
-
-    # re-run certbot
+    echo "Run certbot"
     /scripts/run_certbot.sh
 
+    # Sleep for 1 week
+    sleep 604810 &
+    SLEEP_PID=$!
+
     # Wait on sleep so that when we get ctrl-c'ed it kills everything due to our trap
     wait "$SLEEP_PID"
 done

src/scripts/run_certbot.sh

@@ -13,9 +13,15 @@ exit_code=0
 set -x
 # Loop over every domain we can find
 for domain in $(parse_domains); do
-    if ! get_certificate $domain $CERTBOT_EMAIL; then
-        error "Cerbot failed for $domain. Check the logs for details."
-        exit_code=1
+    if is_renewal_required $domain; then
+        # Renewal required for this doman.
+        # Last one happened over a week ago (or never)
+        if ! get_certificate $domain $CERTBOT_EMAIL; then
+            error "Cerbot failed for $domain. Check the logs for details."
+            exit_code=1
+        fi
+    else
+        echo "Not run certbot for $domain; last renewal happened just recently."
     fi
 done
 

src/scripts/util.sh

@@ -59,7 +59,35 @@ auto_enable_configs() {
 # EMAIL environment variable, to register the proper support email address.
 get_certificate() {
     echo "Getting certificate for domain $1 on behalf of user $2"
+    PRODUCTION_URL='https://acme-v01.api.letsencrypt.org/directory'
+    STAGING_URL='https://acme-staging.api.letsencrypt.org/directory'
+
+    if [ "${IS_STAGING}" = "1" ]; then
+        letsencrypt_url=$STAGING_URL
+        echo "Staging ..."
+    else
+        letsencrypt_url=$PRODUCTION_URL
+        echo "Production ..."
+    fi
+
+    echo "running certbot ... $letsencrypt_url $1 $2"
     certbot certonly --agree-tos --keep -n --text --email $2 --server \
-        https://acme-v02.api.letsencrypt.org/directory -d $1 --http-01-port 1337 \
-        --standalone --standalone-supported-challenges http-01 --debug
+        $letsencrypt_url -d $1 --http-01-port 1337 \
+        --standalone --preferred-challenges http-01 --debug
+}
+
+# Given a domain name, return true if a renewal is required (last renewal
+# ran over a week ago or never happened yet), otherwise return false.
+is_renewal_required() {
+    # If the file does not exist assume a renewal is required
+    last_renewal_file="/etc/letsencrypt/live/$1/privkey.pem"
+    [ ! -e "$last_renewal_file" ] && return;
+    
+    # If the file exists, check if the last renewal was more than a week ago
+    one_week_sec=604800
+    now_sec=$(date -d now +%s)
+    last_renewal_sec=$(stat -c %Y "$last_renewal_file")
+    last_renewal_delta_sec=$(( ($now_sec - $last_renewal_sec) ))
+    is_finshed_week_sec=$(( ($one_week_sec - $last_renewal_delta_sec) ))
+    [ $is_finshed_week_sec -lt 0 ]
 }