Merge branch 'pages-ssl-fast-obtain' into 'master'

Speed up obtaining Let's Encrypt certificates See merge request gitlab-org/gitlab-ce!29675
2019-06-26 11:47:22 +00:00 · 2019-06-26 11:47:22 +00:00 · beb1c9aa85
parent dfc1f1dd66 7f85e92ff1
commit beb1c9aa85
3 changed files with 21 additions and 3 deletions
--- a/app/services/pages_domains/obtain_lets_encrypt_certificate_service.rb
+++ b/app/services/pages_domains/obtain_lets_encrypt_certificate_service.rb
@ -2,6 +2,14 @@

 module PagesDomains
  class ObtainLetsEncryptCertificateService
+    # time for processing validation requests for acme challenges
+    # 5-15 seconds is usually enough
+    CHALLENGE_PROCESSING_DELAY = 1.minute.freeze
+
+    # time LetsEncrypt ACME server needs to generate the certificate
+    # no particular SLA, usually takes 10-15 seconds
+    CERTIFICATE_PROCESSING_DELAY = 1.minute.freeze
+
    attr_reader :pages_domain

    def initialize(pages_domain)
@ -14,6 +22,7 @@ module PagesDomains

      unless acme_order
        ::PagesDomains::CreateAcmeOrderService.new(pages_domain).execute
+        PagesDomainSslRenewalWorker.perform_in(CHALLENGE_PROCESSING_DELAY, pages_domain.id)
        return
      end

@ -23,6 +32,7 @@ module PagesDomains
      case api_order.status
      when 'ready'
        api_order.request_certificate(private_key: acme_order.private_key, domain: pages_domain.domain)
+        PagesDomainSslRenewalWorker.perform_in(CERTIFICATE_PROCESSING_DELAY, pages_domain.id)
      when 'valid'
        save_certificate(acme_order.private_key, api_order)
        acme_order.destroy!
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@ -368,7 +368,7 @@ Settings.cron_jobs['pages_domain_removal_cron_worker']['cron'] ||= '47 0 * * *'
 Settings.cron_jobs['pages_domain_removal_cron_worker']['job_class'] = 'PagesDomainRemovalCronWorker'

 Settings.cron_jobs['pages_domain_ssl_renewal_cron_worker'] ||= Settingslogic.new({})
-Settings.cron_jobs['pages_domain_ssl_renewal_cron_worker']['cron'] ||= '*/5 * * * *'
+Settings.cron_jobs['pages_domain_ssl_renewal_cron_worker']['cron'] ||= '*/10 * * * *'
 Settings.cron_jobs['pages_domain_ssl_renewal_cron_worker']['job_class'] = 'PagesDomainSslRenewalCronWorker'

 Settings.cron_jobs['issue_due_scheduler_worker'] ||= Settingslogic.new({})
--- a/spec/services/pages_domains/obtain_lets_encrypt_certificate_service_spec.rb
+++ b/spec/services/pages_domains/obtain_lets_encrypt_certificate_service_spec.rb
@ -34,8 +34,12 @@ describe PagesDomains::ObtainLetsEncryptCertificateService do
  end

  context 'when there is no acme order' do
-    it 'creates acme order' do
+    it 'creates acme order and schedules next step' do
      expect_to_create_acme_challenge
+      expect(PagesDomainSslRenewalWorker).to(
+        receive(:perform_in).with(described_class::CHALLENGE_PROCESSING_DELAY, pages_domain.id)
+          .and_return(nil).once
+      )

      service.execute
    end
@ -82,8 +86,12 @@ describe PagesDomains::ObtainLetsEncryptCertificateService do
      stub_lets_encrypt_order(existing_order.url, 'ready')
    end

-    it 'request certificate' do
+    it 'request certificate and schedules next step' do
      expect(api_order).to receive(:request_certificate).and_call_original
+      expect(PagesDomainSslRenewalWorker).to(
+        receive(:perform_in).with(described_class::CERTIFICATE_PROCESSING_DELAY, pages_domain.id)
+          .and_return(nil).once
+      )

      service.execute
    end