Fix various Let's Encrypt non-staging issues

- Prod ACME challenges were failing due to improper stage check cleanup
- Fix nginx and compose configuration errors for prod certs
- Migrate Docker install on Ubuntu 18.04 to stable channel
- Update LIS

convoy/fleet.py

@@ -120,10 +120,10 @@ _LIS_PACKAGE = {
     # https://aka.ms/lis
     'url': (
         'http://download.microsoft.com/download/6/8/F/'
-        '68FE11B8-FAA4-4F8D-8C7D-74DA7F2CFC8C/lis-rpms-4.2.5.tar.gz'
+        '68FE11B8-FAA4-4F8D-8C7D-74DA7F2CFC8C/lis-rpms-4.2.5-1.tar.gz'
     ),
     'sha256': (
-        '90d802ef27bf1977444d60b2473bd0c3cb9188735a2bceaa6d8c955f60811d40'
+        'cedf8b2621ebc81fba4a324f93e14c56e946cb65985e3f51de6a6644a9dc62df'
     ),
     'target': 'lis.tar.gz',
     'intermediate': 'lis_compact.tar',

heimdall/docker-compose-nonginx.yml

@@ -23,7 +23,7 @@ services:
       - /etc/heimdall.json
 
   prometheus:
-    image: prom/prometheus:v2.2.1
+    image: prom/prometheus:v2.3.1
     container_name: prometheus
     restart: unless-stopped
     ports:
@@ -42,7 +42,7 @@ services:
       - "--web.enable-lifecycle"
 
   grafana:
-    image: grafana/grafana:5.1.3
+    image: grafana/grafana:5.2.0
     container_name: grafana
     restart: unless-stopped
     ports:

heimdall/docker-compose.yml

@@ -38,10 +38,10 @@ services:
       - /var/batch-shipyard/nginx/nginx.conf:/etc/nginx/conf.d/default.conf
       - /var/batch-shipyard/letsencrypt/html:/usr/share/nginx/html
       - /var/batch-shipyard/nginx/dhparam/dhparam-2048.pem:/etc/ssl/certs/dhparam-2048.pem
-      - /var/batch-shipyard/letsencrypt/etc/{LE_CERT_DIR}:/etc/letsencrypt/live
+      - /var/batch-shipyard/letsencrypt/etc:/etc/letsencrypt
 
   prometheus:
-    image: prom/prometheus:v2.2.1
+    image: prom/prometheus:v2.3.1
     container_name: prometheus
     restart: unless-stopped
     ports:
@@ -60,7 +60,7 @@ services:
       - "--web.enable-lifecycle"
 
   grafana:
-    image: grafana/grafana:5.1.3
+    image: grafana/grafana:5.2.0
     container_name: grafana
     restart: unless-stopped
     ports:

heimdall/nginx.conf

@@ -7,8 +7,8 @@ server {
 
     server_tokens off;
 
-    ssl_certificate /etc/letsencrypt/live/{FQDN}/fullchain{LE_CERT_SUFFIX}.pem;
-    ssl_certificate_key /etc/letsencrypt/live/{FQDN}/privkey{LE_CERT_SUFFIX}.pem;
+    ssl_certificate /etc/letsencrypt/live/{FQDN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{FQDN}/privkey.pem;
 
     ssl_buffer_size 8k;
 
@@ -54,8 +54,8 @@ server {
 
     server_tokens off;
 
-    ssl_certificate /etc/letsencrypt/live/{FQDN}/fullchain{LE_CERT_SUFFIX}.pem;
-    ssl_certificate_key /etc/letsencrypt/live/{FQDN}/privkey{LE_CERT_SUFFIX}.pem;
+    ssl_certificate /etc/letsencrypt/live/{FQDN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{FQDN}/privkey.pem;
 
     ssl_buffer_size 8k;
 

scripts/shipyard_monitoring_bootstrap.sh

@@ -6,10 +6,9 @@ set -e
 set -o pipefail
 
 # version consts
-DOCKER_CE_VERSION_DEBIAN=18.05.0
+DOCKER_CE_VERSION_DEBIAN=18.03.1
 
 # consts
-# TODO switch version back to stable
 DOCKER_CE_PACKAGE_DEBIAN="docker-ce=${DOCKER_CE_VERSION_DEBIAN}~ce~3-0~"
 SHIPYARD_VAR_DIR=/var/batch-shipyard
 SHIPYARD_CONF_FILE=${SHIPYARD_VAR_DIR}/heimdall.json
@@ -282,8 +281,7 @@ install_docker_host_engine() {
         # add gpgkey for repo
         add_repo "$gpgkey"
         # add repo
-        # TODO switch to stable once ready
-        add-apt-repository "deb [arch=amd64] $repo $(lsb_release -cs) edge"
+        add-apt-repository "deb [arch=amd64] $repo $(lsb_release -cs) stable"
     else
         add_repo "$repo"
     fi
@@ -311,11 +309,6 @@ setup_docker_compose_systemd() {
     # substitute LE/fqdn vars
     if [ "$letsencrypt" -eq 1 ]; then
         sed -i "s/{GF_SERVER_DOMAIN}/- GF_SERVER_DOMAIN=$fqdn/g" /etc/docker/compose/batch-shipyard-monitoring/docker-compose.yml
-        if [ "$letsencrypt_staging" -eq 1 ]; then
-            sed -i "s/{LE_CERT_DIR}/archive/g" /etc/docker/compose/batch-shipyard-monitoring/docker-compose.yml
-        else
-            sed -i "s/{LE_CERT_DIR}/live/g" /etc/docker/compose/batch-shipyard-monitoring/docker-compose.yml
-        fi
     fi
     # substitute batch shipyard version
     sed -i "s/{BATCH_SHIPYARD_VERSION}/$shipyardversion/g" /etc/docker/compose/batch-shipyard-monitoring/docker-compose.yml
@@ -356,6 +349,20 @@ run_nginx_acme_challenge() {
     fi
     log INFO "Configuring letsencrypt"
     mkdir -p ${LETSENCRYPT_VAR_DIR}/html
+cat << EOF > ${LETSENCRYPT_VAR_DIR}/html/index.html
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8" />
+  <title>Temporary Let's Encrypt Challenge Site</title>
+</head>
+<body>
+  <p>LE</p>
+</body>
+</html>
+EOF
+    chmod 775 ${LETSENCRYPT_VAR_DIR}/html
+    chmod 664 ${LETSENCRYPT_VAR_DIR}/html/index.html
     mkdir -p ${NGINX_VAR_DIR}
 cat << EOF > ${NGINX_VAR_DIR}/nginx.conf
 server {
@@ -404,7 +411,9 @@ acquire_letsencrypt_certs() {
         --register-unsafely-without-email --agree-tos --staging
     # execute letsencrypt prod
     if [ "$letsencrypt_staging" -eq 0 ]; then
-        rm -rf ${LETSENCRYPT_VAR_DIR}
+        rm -rf ${LETSENCRYPT_VAR_DIR:?}/etc
+        rm -rf ${LETSENCRYPT_VAR_DIR:?}/var/lib
+        rm -rf ${LETSENCRYPT_VAR_DIR:?}/var/log
         mkdir -p ${LETSENCRYPT_VAR_DIR}/etc
         mkdir -p ${LETSENCRYPT_VAR_DIR}/var/lib
         mkdir -p ${LETSENCRYPT_VAR_DIR}/var/log
@@ -439,7 +448,10 @@ docker run --rm \
     -v ${LETSENCRYPT_VAR_DIR}/var/lib:/var/lib/letsencrypt \
     -v ${LETSENCRYPT_VAR_DIR}/html:/data/letsencrypt \
     -v ${LETSENCRYPT_VAR_DIR}/var/log:/var/log/letsencrypt \
-    certbot/certbot renew $staging
+    certbot/certbot renew \
+    --webroot -weebroot-path=/data/letsencrypt $staging
+
+docker kill --signal=HUP nginx
 EOF
     chmod 755 /etc/cron.daily/certbot-renew
     log INFO "Cert renewal add to crontab"
@@ -456,12 +468,6 @@ configure_nginx_with_certs() {
     cp nginx.conf ${NGINX_VAR_DIR}/
     # substitute fqdn
     sed -i "s/{FQDN}/$fqdn/g" ${NGINX_VAR_DIR}/nginx.conf
-    # substitute le cert suffix
-    if [ "$letsencrypt_staging" -eq 1 ]; then
-        sed -i "s/{LE_CERT_SUFFIX}/1/g" ${NGINX_VAR_DIR}/nginx.conf
-    else
-        sed -i "s/{LE_CERT_SUFFIX}//g" ${NGINX_VAR_DIR}/nginx.conf
-    fi
     # substitute resolver
     resolver=$(grep '^nameserver ' /etc/resolv.conf | cut -d' ' -f 2)
     sed -i "s/{RESOLVER}/$resolver/g" ${NGINX_VAR_DIR}/nginx.conf