From 847a10758d56dbadac963d99b5d1c92d93011258 Mon Sep 17 00:00:00 2001 From: Iristyle Date: Tue, 30 Apr 2019 10:19:54 -0700 Subject: [PATCH] (maint) Add retries to curl calls in ssl.sh - Adds 5 retries (including connection refused) at 2 second intervals to the curl commands being used to download the CA and handle other cert related negotiation. - We're experiencing issues under LCOW where DNS resolution works in early waiter scripts, but subsequently fails when handling certs. This may be due to an unresolved bug in libnetwork OR it may be due to the fact that the Docker DNS resolver is not designed to handle heavy loads and may intermittently fail requests.
---
 shared/ssl.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/ssl.sh b/shared/ssl.sh
index 2ab63501..b89844cf 100755
--- a/shared/ssl.sh
+++ b/shared/ssl.sh
@@ -62,7 +62,7 @@ CRLFILE="${SSLDIR}/crl.pem"
 CA="https://${PUPPETSERVER_HOSTNAME}:8140/puppet-ca/v1"
 CERTSUBJECT="/CN=${CERTNAME}"
 CERTHEADER="-----BEGIN CERTIFICATE-----"
-CURLFLAGS="--silent --show-error --cacert ${CACERTFILE}"
+CURLFLAGS="--silent --show-error --cacert ${CACERTFILE} --retry 5 --retry-connrefused --retry-delay 2"
 
 ### Print configuration for troubleshooting
 msg "Using configuration values:"
@@ -73,7 +73,7 @@ msg "* WAITFORCERT: '${WAITFORCERT}' seconds"
 
 ### Get the CA certificate for use with subsequent requests
 ### Fail-fast if curl errors or the CA certificate can't be parsed
-curl --insecure --silent --show-error --output "${CACERTFILE}" "${CA}/certificate/ca"
+curl --insecure --silent --show-error --output "${CACERTFILE}" --retry 5 --retry-connrefused --retry-delay 2 "${CA}/certificate/ca"
 if [ $? -ne 0 ]; then
 error "cannot reach CA host '${PUPPETSERVER_HOSTNAME}'"
 elif ! openssl x509 -subject -issuer -noout -in "${CACERTFILE}"; then
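Review bot: The `--retry 5 --retry-connrefused --retry-delay 2` flags added to CURLFLAGS here, and to the CA download in the second hunk, do not cover the failure the commit message describes: curl's `--retry` only treats timeouts, HTTP 408/5xx and (with `--retry-connrefused`) ECONNREFUSED as transient, whereas a failed name lookup makes curl exit 6 immediately without retrying, so an intermittent DNS failure still aborts the script at `error "cannot reach CA host ..."`. `--retry-connrefused` also requires curl 7.52.0 or newer, and on an older image every call would fail with an unknown-option error rather than retrying at all; `--retry-all-errors`, which would cover DNS, only exists in curl 7.71.0 and later. If the base image's curl cannot be pinned, wrapping the CA download in a small shell-level retry loop (below) is the robust fix, and the same loop would be needed around the other `${CURLFLAGS}` calls, which are outside this hunk. At minimum a comment next to CURLFLAGS such as `# NOTE: --retry does not cover name-resolution failures (curl exit 6)` would record the limitation. The enclosing script continues outside both hunks.
```shell
# … unchanged: CURLFLAGS and configuration output …
### Get the CA certificate for use with subsequent requests
### Fail-fast if curl errors or the CA certificate can't be parsed
# curl's own --retry does not retry name-resolution failures (exit 6),
# so also retry at the shell level to ride out intermittent DNS errors.
rv=0
for attempt in 1 2 3 4 5; do
  curl --insecure --silent --show-error --output "${CACERTFILE}" --retry 5 --retry-connrefused --retry-delay 2 "${CA}/certificate/ca"
  rv=$?
  [ "${rv}" -eq 0 ] && break
  sleep 2
done
if [ "${rv}" -ne 0 ]; then
# … unchanged: error and openssl x509 checks …
```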