Acmetool performs `want` while Nginx is down

[emcniece]

acmetool want [domain] runs without checking if the domain is accessible. This results in an LE request failure:

DEBU[0180] Running check command '[ -d /etc/nginx/certs/docker.limbicmedia.ca ] && exit 1 || exit 0'
INFO[0180] Executing notify command 'acmetool want docker.limbicmedia.ca'
INFO[0181] [acmetool want docker.limbicmedia.ca]: "20170311005236 [ERROR] acme.storageops: could not obtain authorization for docker.limbicmedia.ca: failed all combinations"
INFO[0181] [acmetool want docker.limbicmedia.ca]: "20170311005236 [ERROR] acme.storageops: Target(docker.limbicmedia.ca;https://acme-staging.api.letsencrypt.org/directory;0): failed to request certificate: failed all combinations"
INFO[0181] [acmetool want docker.limbicmedia.ca]: "20170311005236 [ERROR] acme.storageops: error while processing targets: the following errors occurred:"
INFO[0181] [acmetool want docker.limbicmedia.ca]: "error satisfying Target(docker.limbicmedia.ca;https://acme-staging.api.letsencrypt.org/directory;0): failed all combinations"
INFO[0181] [acmetool want docker.limbicmedia.ca]: "20170311005236 [ERROR] acme.storageops: failed to reconcile: the following errors occurred:"
INFO[0181] [acmetool want docker.limbicmedia.ca]: "error satisfying Target(docker.limbicmedia.ca;https://acme-staging.api.letsencrypt.org/directory;0): failed all combinations"
INFO[0181] [acmetool want docker.limbicmedia.ca]: "20170311005236 [CRITICAL] acmetool: fatal: reconcile: the following errors occurred:"
INFO[0181] [acmetool want docker.limbicmedia.ca]: "error satisfying Target(docker.limbicmedia.ca;https://acme-staging.api.letsencrypt.org/directory;0): failed all combinations"
DEBU[0181] Processing template /etc/rancher-gen/default/nginx.tmpl for destination /etc/nginx/conf.d/nginx.conf

It's not clear if this counts as a request against the LE rate limits, but it would be good to handle the error. Potential solutions might be to make a curl [whatever] && acmetool want [domain], or to handle the output of rgon-exec differently.

[emcniece]

Required: CausticLab/rgon-exec#4

[Munsio]

I think this issue is still present? Currently the acmetool rancher-gen block only checks if there is already an certificate file present for the domain - maybe we can also check if nginx -t runs through like it should

[Ramblurr]

Is this related?

If I have a service that has the rgon labels defined, but no containers exist for the service, then an empty upstream block is created in the nginx config, which prevents nginx from starting up.

This can happen if you create a service but don't start it.

Seems that rgon should check that the upstream server ip is non-empty.