From 3d5d2779d284af52c23af69ae4fc1a99e7ecdcbc Mon Sep 17 00:00:00 2001 From: Clark Boylan Date: Fri, 18 Jun 2021 08:48:35 -0700 Subject: [PATCH] Be explicit about server used in acme.sh Acme.sh is updating their defaults to use zerossl instead of letsencrypt [0]. This has resulted in errors like: Can not resolve _eab_id When our runs of acme.sh attempt to communicate with zerossl. While the default change isn't supposed to happen until August 1 we hit it early because we consume the dev branch of acme.sh. We avoid this entirely by being explicit about the server to communicate to in our acme.sh driver script. We explicitly set --server to letsencrypt. Note that a followup should likely update our use of --staging to set --server letsencrypt_test as --staging enforces their defaults as well. [0] https://github.com/acmesh-official/acme.sh/wiki/Change-default-CA-to-ZeroSSL Change-Id: Ia6a8da80869f1c4ff3240712bcd320bfc6f29e93 --- .../letsencrypt-acme-sh-install/files/driver.sh | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh b/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh
index d8576f85c9..68035ccd7e 100644
--- a/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh
+++ b/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh
@@ -7,9 +7,15 @@ CHALLENGE_ALIAS_DOMAIN=${CHALLENGE_ALIAS_DOMAIN:-acme.opendev.org.}
 LETSENCRYPT_STAGING=${LETSENCRYPT_STAGING:-0}
 LOG_FILE=${LOG_FILE:-/var/log/acme.sh/acme.sh.log}
-STAGING=""
+SERVER=""
 if [[ ${LETSENCRYPT_STAGING} != 0 ]]; then
- STAGING="--staging"
+ # TODO acme.sh doesn't let us specify staging and also set the server. # If --staging is passed then the built in default is used. Can/should # we change this to --server letsencrypt_test? SERVER="--staging" #SERVER="--server letsencrypt_test"
+else
+ SERVER="--server letsencrypt"
 fi
 # Ensure we don't write out files as world-readable
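Review bot: `SERVER="--server letsencrypt"` stores two command-line words in one string and relies on the unquoted `${SERVER}` expansion in the `issue` and `renew` hunks below to split it back into `--server` and `letsencrypt`; that only works while IFS is at its default and is the pattern ShellCheck flags as SC2086 on every other expansion in this script. Since the file already uses `[[` and is therefore bash, an array carries the same options without depending on word splitting: `SERVER=(--staging)` and `SERVER=(--server letsencrypt)` here, and `$ACME_SH "${SERVER[@]}" \` at both call sites. With both branches of the `if` assigning, the `SERVER=""` initializer above it is dead and can go (or become `SERVER=()`); a name such as `SERVER_ARGS` would also describe the contents better now that the variable holds options rather than a server name. The `--staging` branch still leaves the CA to the acme.sh default, as the TODO already records.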
@@ -29,7 +35,7 @@ if [[ ${1} == "issue" ]]; then
 # Ansible then parses this back to a dict.
 shift;
 for arg in "$@"; do
- $ACME_SH ${STAGING} \
+ $ACME_SH ${SERVER} \
 --cert-home ${CERT_HOME} \
 --no-color \
 --yes-I-know-dns-manual-mode-enough-go-ahead-please \
@@ -55,7 +61,7 @@ elif [[ ${1} == "renew" ]]; then
 # when TXT records have been installed for this certificate;
 # i.e. we will never run this renewal unless it is actually
 # required.
- $ACME_SH ${STAGING} \
+ $ACME_SH ${SERVER} \
 --cert-home ${CERT_HOME} \
 --no-color \
 --yes-I-know-dns-manual-mode-enough-go-ahead-please \