blob: 58f795e639e9079659a20441c05198e39f3eae30 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
# frozen_string_literal: true
module PagesDomains
class ObtainLetsEncryptCertificateService
# time for processing validation requests for acme challenges
# 5-15 seconds is usually enough
CHALLENGE_PROCESSING_DELAY = 1.minute.freeze
# time LetsEncrypt ACME server needs to generate the certificate
# no particular SLA, usually takes 10-15 seconds
CERTIFICATE_PROCESSING_DELAY = 1.minute.freeze
attr_reader :pages_domain
def initialize(pages_domain)
@pages_domain = pages_domain
end
def execute
pages_domain.acme_orders.expired.delete_all
acme_order = pages_domain.acme_orders.first
unless acme_order
::PagesDomains::CreateAcmeOrderService.new(pages_domain).execute
PagesDomainSslRenewalWorker.perform_in(CHALLENGE_PROCESSING_DELAY, pages_domain.id)
return
end
api_order = ::Gitlab::LetsEncrypt::Client.new.load_order(acme_order.url)
# https://tools.ietf.org/html/rfc8555#section-7.1.6 - statuses diagram
case api_order.status
when 'ready'
api_order.request_certificate(private_key: acme_order.private_key, domain: pages_domain.domain)
PagesDomainSslRenewalWorker.perform_in(CERTIFICATE_PROCESSING_DELAY, pages_domain.id)
when 'valid'
save_certificate(acme_order.private_key, api_order)
acme_order.destroy!
# when 'invalid'
# TODO: implement error handling
end
end
private
def save_certificate(private_key, api_order)
certificate = api_order.certificate
pages_domain.update!(gitlab_provided_key: private_key, gitlab_provided_certificate: certificate)
end
end
end
|
