Attempt (yet again) to get the script to run consistently

- Switched to a forever-running script in `run`
- bump the build base image
- bump cryptography to 41.0.5
- bump certbot to 2.7.4

iot-certbot/CHANGELOG.md

@@ -1,5 +1,12 @@
 <!-- https://developers.home-assistant.io/docs/add-ons/presentation#keeping-a-changelog -->
 
+## 1.1.1
+
+- Switched to a forever-running script in `run`
+- bump the build base image
+- bump cryptography to 41.0.5
+- bump certbot to 2.7.4
+
 ## 1.1.0
 
 Stop trying to run periodically, depend on automations

iot-certbot/build.yaml

@@ -1,10 +1,15 @@
 ---
 build_from:
-  aarch64: ghcr.io/home-assistant/aarch64-base-python:3.9-alpine3.14
-  amd64: ghcr.io/home-assistant/amd64-base-python:3.9-alpine3.14
-  armhf: ghcr.io/home-assistant/armhf-base-python:3.9-alpine3.14
-  armv7: ghcr.io/home-assistant/armv7-base-python:3.9-alpine3.14
-  i386: ghcr.io/home-assistant/i386-base-python:3.9-alpine3.14
+  aarch64: "ghcr.io/home-assistant/aarch64-base:3.15"
+  amd64: "ghcr.io/home-assistant/amd64-base:3.15"
+  armhf: "ghcr.io/home-assistant/armhf-base:3.15"
+  armv7: "ghcr.io/home-assistant/armv7-base:3.15"
+  i386: "ghcr.io/home-assistant/i386-base:3.15"
+labels:
+  org.opencontainers.image.title: "Home Assistant Add-on: AWS IOT Certbot"
+  org.opencontainers.image.description: "Use AWS IOT and LetsEncrpyt for DNS challenge certs"
+  org.opencontainers.image.source: "https://github.com/offbyone/homeassistant-addons"
+  org.opencontainers.image.licenses: "BSD"
 args:
-  CRYPTOGRAPHY_VERSION: 39.0.0
-  CERTBOT_VERSION: 2.1.0
+  CRYPTOGRAPHY_VERSION: 41.0.5
+  CERTBOT_VERSION: 2.7.4

iot-certbot/rootfs/etc/services.d/lets-encrypt/finish

@@ -1,4 +1,5 @@
 #!/usr/bin/env bashio
+# -*- shell-script -*-
 # ==============================================================================
 # Take down the S6 supervision tree when letsencrypt fails
 # s6-overlay docs: https://github.com/just-containers/s6-overlay

iot-certbot/rootfs/etc/services.d/lets-encrypt/run

@@ -1,58 +1,10 @@
 #!/usr/bin/with-contenv bashio
+# -*- shell-script -*-
 # ==============================================================================
-# Start sshd service if enabled
+# Re-run the renew script forever, until the addon is stopped. Hourly ought to
+# be good enough.
 # ==============================================================================
-CERT_DIR=/data/letsencrypt
-WORK_DIR=/data/workdir
-PROVIDER_ARGUMENTS=()
-ACME_CUSTOM_SERVER_ARGUMENTS=()
-
-EMAIL=$(bashio::config 'email')
-DOMAINS=$(bashio::config 'domains')
-KEYFILE=$(bashio::config 'keyfile')
-CERTFILE=$(bashio::config 'certfile')
-ACME_SERVER=$(bashio::config 'acme_server')
-ACME_ROOT_CA=$(bashio::config 'acme_root_ca_cert')
-
-PROPAGATION_SECONDS=60
-if bashio::config.exists 'dns.propagation_seconds'; then
-    PROPAGATION_SECONDS="$(bashio::config 'dns.propagation_seconds')"
-fi
-bashio::log.info "Use propagation seconds: ${PROPAGATION_SECONDS}"
-
-# ensure our current credentials are up to date
-/opt/iot/bin/update-credentials.sh
-
-# Source our current credentials
-AWS_CONFIG_FILE=/opt/iot/credentials/default
-export AWS_CONFIG_FILE
-PROVIDER_ARGUMENTS+=("--dns-route53")
-
-if bashio::config.has_value 'acme_server' ; then
-    ACME_CUSTOM_SERVER_ARGUMENTS+=("--server" "${ACME_SERVER}")
-
-    if bashio::config.has_value 'acme_root_ca_cert'; then
-      echo "${ACME_ROOT_CA}" > /tmp/root-ca-cert.crt
-      # Certbot will automatically open the filepath contained in REQUESTS_CA_BUNDLE for extra CA cert
-      export REQUESTS_CA_BUNDLE=/tmp/root-ca-cert.crt
-    fi
-fi
-
-# Gather all domains into a plaintext file
-DOMAIN_ARR=()
-for line in $DOMAINS; do
-    DOMAIN_ARR+=(-d "$line")
+while true; do
+  /opt/letsencrypt/bin/renew || bashio::log.error "Most recent letsencrypt run failed; check your logs"
+  sleep 3600
 done
-echo "$DOMAINS" > /data/domains.gen
-
-certbot certonly --non-interactive --keep-until-expiring --expand \
-    --email "$EMAIL" --agree-tos \
-    --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" \
-    --preferred-challenges "dns" "${DOMAIN_ARR[@]}" "${PROVIDER_ARGUMENTS[@]}" \
-    --preferred-chain "ISRG Root X1"
-
-# Get the last modified cert directory and copy the cert and private key to store
-# shellcheck disable=SC2012
-CERT_DIR_LATEST="$(ls -td $CERT_DIR/live/*/ | head -1)"
-cp "${CERT_DIR_LATEST}privkey.pem" "/ssl/$KEYFILE"
-cp "${CERT_DIR_LATEST}fullchain.pem" "/ssl/$CERTFILE"

iot-certbot/rootfs/opt/letsencrypt/bin/renew

@@ -0,0 +1,59 @@
+#!/usr/bin/with-contenv bashio
+# -*- shell-script -*-
+# ==============================================================================
+# Start sshd service if enabled
+# ==============================================================================
+CERT_DIR=/data/letsencrypt
+WORK_DIR=/data/workdir
+PROVIDER_ARGUMENTS=()
+ACME_CUSTOM_SERVER_ARGUMENTS=()
+
+EMAIL=$(bashio::config 'email')
+DOMAINS=$(bashio::config 'domains')
+KEYFILE=$(bashio::config 'keyfile')
+CERTFILE=$(bashio::config 'certfile')
+ACME_SERVER=$(bashio::config 'acme_server')
+ACME_ROOT_CA=$(bashio::config 'acme_root_ca_cert')
+
+PROPAGATION_SECONDS=60
+if bashio::config.exists 'dns.propagation_seconds'; then
+    PROPAGATION_SECONDS="$(bashio::config 'dns.propagation_seconds')"
+fi
+bashio::log.info "Use propagation seconds: ${PROPAGATION_SECONDS}"
+
+# ensure our current credentials are up to date
+/opt/iot/bin/update-credentials.sh
+
+# Source our current credentials
+AWS_CONFIG_FILE=/opt/iot/credentials/default
+export AWS_CONFIG_FILE
+PROVIDER_ARGUMENTS+=("--dns-route53")
+
+if bashio::config.has_value 'acme_server' ; then
+    ACME_CUSTOM_SERVER_ARGUMENTS+=("--server" "${ACME_SERVER}")
+
+    if bashio::config.has_value 'acme_root_ca_cert'; then
+      echo "${ACME_ROOT_CA}" > /tmp/root-ca-cert.crt
+      # Certbot will automatically open the filepath contained in REQUESTS_CA_BUNDLE for extra CA cert
+      export REQUESTS_CA_BUNDLE=/tmp/root-ca-cert.crt
+    fi
+fi
+
+# Gather all domains into a plaintext file
+DOMAIN_ARR=()
+for line in $DOMAINS; do
+    DOMAIN_ARR+=(-d "$line")
+done
+echo "$DOMAINS" > /data/domains.gen
+
+certbot certonly --non-interactive --keep-until-expiring --expand \
+    --email "$EMAIL" --agree-tos \
+    --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" \
+    --preferred-challenges "dns" "${DOMAIN_ARR[@]}" "${PROVIDER_ARGUMENTS[@]}" \
+    --preferred-chain "ISRG Root X1"
+
+# Get the last modified cert directory and copy the cert and private key to store
+# shellcheck disable=SC2012
+CERT_DIR_LATEST="$(ls -td $CERT_DIR/live/*/ | head -1)"
+cp "${CERT_DIR_LATEST}privkey.pem" "/ssl/$KEYFILE"
+cp "${CERT_DIR_LATEST}fullchain.pem" "/ssl/$CERTFILE"

iot-certbot/test/.gitignore

@@ -0,0 +1,4 @@
+config/*
+data/*
+ssl/*
+!.gitignore

iot-certbot/test/README.md

@@ -0,0 +1,16 @@
+# Test data for the container.
+
+This directory can be used to provide the necessary set of mounts for the container to act "home-assistant-ish".
+
+Here's a shell invocation that runs this container:
+
+``` shellsession
+docker run --rm -it \
+    -v (pwd)/test/ssl:/ssl \
+    -v (pwd)/test/data:/data \
+    -v (pwd)/test/cache:/tmp/.bashio/ \
+    -v (pwd)/test/config:/config \
+    --name iot-certbot local/iot_certbot
+```
+
+You should set up the necessary addon config in `test/cache` (there's an example in there that I have _not_ done the necessary work to correct, sorry :( )

iot-certbot/test/cache/addons.self.options.config.cache

@@ -0,0 +1,5 @@
+{
+  "email": "le-iot-ha-addon-dev@example.com",
+  "domains": ["a.b.c"],
+  "acme_server": "https://acme-staging-v02.api.letsencrypt.org/directory"
+}