summaryrefslogtreecommitdiff
path: root/app/services/pages_domains/obtain_lets_encrypt_certificate_service.rb
blob: 1c03641469e1b7d2690c6cf9182fb30ff7da4f1f (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76

# frozen_string_literal: true

module PagesDomains
  class ObtainLetsEncryptCertificateService
    # time for processing validation requests for acme challenges
    # 5-15 seconds is usually enough
    CHALLENGE_PROCESSING_DELAY = 1.minute.freeze

    # time LetsEncrypt ACME server needs to generate the certificate
    # no particular SLA, usually takes 10-15 seconds
    CERTIFICATE_PROCESSING_DELAY = 1.minute.freeze

    attr_reader :pages_domain

    def initialize(pages_domain)
      @pages_domain = pages_domain
    end

    def execute
      pages_domain.acme_orders.expired.delete_all
      acme_order = pages_domain.acme_orders.first

      unless acme_order
        ::PagesDomains::CreateAcmeOrderService.new(pages_domain).execute
        PagesDomainSslRenewalWorker.perform_in(CHALLENGE_PROCESSING_DELAY, pages_domain.id)
        return
      end

      api_order = ::Gitlab::LetsEncrypt::Client.new.load_order(acme_order.url)

      # https://tools.ietf.org/html/rfc8555#section-7.1.6 - statuses diagram
      case api_order.status
      when 'ready'
        api_order.request_certificate(private_key: acme_order.private_key, domain: pages_domain.domain)
        PagesDomainSslRenewalWorker.perform_in(CERTIFICATE_PROCESSING_DELAY, pages_domain.id)
      when 'valid'
        save_certificate(acme_order.private_key, api_order)
        acme_order.destroy!
      when 'invalid'
        save_order_error(acme_order, api_order)
      end
    end

    private

    def save_certificate(private_key, api_order)
      certificate = api_order.certificate
      pages_domain.update!(gitlab_provided_key: private_key, gitlab_provided_certificate: certificate)
    end

    def save_order_error(acme_order, api_order)
      log_error(api_order)

      return unless Feature.enabled?(:pages_letsencrypt_errors, pages_domain.project)

      pages_domain.assign_attributes(auto_ssl_failed: true)
      pages_domain.save!(validate: false)

      acme_order.destroy!

      NotificationService.new.pages_domain_auto_ssl_failed(pages_domain)
    end

    def log_error(api_order)
      Gitlab::AppLogger.error(
        message: "Failed to obtain Let's Encrypt certificate",
        acme_error: api_order.challenge_error,
        project_id: pages_domain.project_id,
        pages_domain: pages_domain.domain
      )
    rescue => e
      # getting authorizations is an additional network request which can raise errors
      Gitlab::ErrorTracking.track_exception(e)
    end
  end
end
View Lorry Controller Status