Run fails on prompt during certonly if certs are not yet due for renewal #81
Comments
|
There seems to be a specific problem with the config on the host above. On another host were we applied the same changes (from standalone to webroot), the puppet run works fine and it is not attempting to launch What might be specific about the other host is that at some point – IIRC when we added another domain as a SAN – letsencrypt decided to create new configuration files: root@loadbalancer:~# ls -l /etc/letsencrypt/renewal/
total 12
-rwxr-xr-x 1 root root 516 Nov 11 12:56 api.my.domain.tld-0001.conf
-rw-r--r-- 1 root root 864 Jan 30 10:49 api.my.domain.tld-0002.conf
-rwxr-xr-x 1 root root 496 Nov 6 22:46 api.my.domain.tld.confI don't know what caused it to do so and since this is a production site, I'm not really inclined to too much experimentation. OK, that last thing seems to be a bug in the letsencrypt-auto script that causes it to not interpret |
|
And that seems to be at least part of the problem. Another point is that it suddenly and for no obvious reason to me decided to use another domain from the array of domains passed to certonly as the first domain. |
bastelfreak
added a commit
that referenced
this issue
Feb 28, 2018
Fixes #81 added -n flag to certbot to run in unattended mode.
minorOffense
pushed a commit
to coldfrontlabs/puppet-letsencrypt
that referenced
this issue
May 17, 2019
minorOffense
added a commit
to coldfrontlabs/puppet-letsencrypt
that referenced
this issue
May 17, 2019
author Mathew Winstone <[email protected]> 1516893540 -0500 committer Mathew Winstone <[email protected]> 1558122751 -0400 parent 80d8513 author Mathew Winstone <[email protected]> 1516893540 -0500 committer Mathew Winstone <[email protected]> 1558122719 -0400 refac(fact) deprecated in favour of letsencrypt_directory feat(lookup) add custom lookup function refac(folders) reorganize to proper locations fix coding standards fix coding standards fix coding standards fix(spec) refac(condition) use normal unless Favor a normal unless-statement fix again fix(typo) bump inifile dependency to allow 2.x bump to lowest inifile version that supports puppet5 bump to lowest vcsrepo version that supports puppet5 modulesync 1.6.0 release 2.2.0 [blacksmith] Bump version to 2.2.1-rc0 OpenBSD support rake lint fixes use selector to determine group, via classifc fact_name modulesync 1.8.0 release 2.3.0 [blacksmith] Bump version to 2.3.1-rc0 Fixes voxpupuli#81 added -n flag to certbot to run in unattended mode. Changed the flag `-n` to `--non-interactive` Allow custom config dir; FreeBSD support * Adds a parameter `config_dir` to provide an absolute path to the configuration directory. * Defaults to '/etc/letsencrypt' except on FreeBSD, where it defaults to '/usr/local/etc/letsencrypt', as FreeBSD standard and expected by `py27-certbot`. modulesync 1.9.0 modulesync 1.9.2 drop EOL OSs; fix puppet version range Remove docker nodesets support dns-route53 plugin release 2.4.0 [blacksmith] Bump version to 2.4.1-rc0 modulesync 1.9.3 modulesync 1.9.4 modulesync 1.9.6 Fix cron environment leaking This commit moves the environment variable definition from the cron resource environment parameter to the renewal script. This ensure that environment variables aren't conflicting with other cronjobs. Fixes voxpupuliGH-125. allow puppetlabs/stdlib 5.x Add support for dns-google plugin support Migrate letsencrypt::config::ini helper to native Puppet 4 modulesync 2.0.0 Remove inline_template in favour of native Puppet code * Migrates all inline_template calls to Puppet native code, as this is recommended best practice * Changes the default value/data type of webroot_paths and additional_args to an Array instead of Optional[Array] * Adds a data type for the certificate plugins for better readability Allow additional domains to be added later This commit adds support for expansion/shrinking of an already existing certificate by defining a unique identifier (--cert-name) which maps to the Puppet resource title. By doing this, we can ensure that always all requested domains are contained in the certificate. Fixes voxpupuliGH-94. modulesync 2.2.0 delete unneeded coverage_spec.rb purge obsolete symlink setting in fixtures allow puppet 6.x add yumrepo_core module to fixtures add cron_core module to fixtures release 2.5.0 [blacksmith] Bump version to 2.5.1-rc0 Changed certonly::domains datatype to Array[String[1]] to accommodate wildcard domains Added *.example.com to spec test make the module compatible with FreeBSD As FreeBSD also has no `root` group, the only change I noticed would be necessary to successfully run this module on FreeBSD is the same like for OpenBSD. Added support for dns-cloudflare CertBot plugin. Add cron day of month parameter Use non-optional and strict data type for monthday param Specify min/max Integer value for cron_monthday param modulesync 2.3.1 Enable user to define cron time attributes instead of defaulting to random time modulesync 2.4.0 Cron should also run with space in certonly title Issue voxpupuli#91 reports that creating a letsencrypt::certonly resource with a title containing a space will create a cron entry that will never run. That's because it will create a cron entry like this: 10 22 * * * /cron_scripts_path/renew-title with space.sh That executes /cron_scripts_path/renew-title that obviously does not exist. When the full cron command is put in quotes, it will run as expected. Improve performance of unless Turns out, that calling certbot for every certificate resources takes ages on systems with a lot of certificates. Some comparison: certbot: ~0.7s openssl: ~0.01s use certbot repository declare ubuntu16.04 as supported OS add basics acceptance tests add ubuntu 18.04 as supported OS modulesync 2.5.0 bump lower puppet version from 4.10.0 to 5.5.8 fix fact scope; migrate tests to rspec-puppet-facts facts called with $facts fix rubocop migrate tests to rspec-puppet-facts increase spec coverage Move fact definitions to inside the context migrate FreeBSD tests to rspec-puppet-facts fix tests for correct FS paths cleanup spec files vcs method, bump version of certbot release 3.0.0 [blacksmith] Bump version to 3.0.1-rc0 Certonly: Ensure cron is absent if manage_cron is false Certonly: Removing cron script file if manage_cron is false Spec: Fixing certonly tests to manage cron script Certonly: Refactor manage_cron Boolean to ensure_cron Enum remove certonly acceptance test Fedora doesn't use EPEL for certbot/letsencrypt. Requested changes to simplify and follow preferred facts. modulesync 2.5.1 Fix exec onlyif logic This commit fixes the improved check logic introduces in 460a7b7. It ensure that the exec is actually triggered if the cert file doesn't exist. Move to script for domain validation Add Fedora to tested systems list. Add ability to control keysize. Default to 4096. Add missing rspec value Clean up some old Puppet 3 syntax Add support for plugin dns-rfc2136 Add support for wildcard certs Upgrade vcs version to 0.30.2 0.30.0 had a bug in combination with Pip 19.0.1 which made the installation fail. certbot/certbot#6692 Fixes voxpupuli#172. Fix for $live_path variable Certbot uses the "--cert-name" parameter as part of the path, not the first domain. This means the computed $live_path would be wrong if $domain[0] differs from $title. Rework letsencrypt::certonly to allow deprovisioning + Added $ensure attribute + Renamed $ensure_cron back to $manage_cron + Returned $manage_cron back to a Boolean value + Made execute of "letsencrypt certonly ${title}" conditional to $ensure == 'present' + Added cleanup of directory for domain certs when $ensure == 'absent' + Used global $ensure to signal desired state of cronjobs Tiny style tweak Add missing var doc in dns-rfc2136 Add support for certbot hooks Add single quotes around all domains names in shell commands Fixes voxpupuli#178 surfacing package_ensure in README modulesync 2.6.0 release 4.0.0 [blacksmith] Bump version to 4.0.1-rc0 modulesync 2.7.0 fix fix(docs): add basic documentation about facts and function Add sample output from facts Add notes on function usage Bump dependency, because of new major release fix(os): confine to *nix like systems fix(format): update rubocop violations fix again fix(typo) bump inifile dependency to allow 2.x bump to lowest inifile version that supports puppet5 bump to lowest vcsrepo version that supports puppet5 modulesync 1.6.0 release 2.2.0 [blacksmith] Bump version to 2.2.1-rc0 OpenBSD support rake lint fixes use selector to determine group, via classifc fact_name modulesync 1.8.0 release 2.3.0 [blacksmith] Bump version to 2.3.1-rc0 Fixes voxpupuli#81 added -n flag to certbot to run in unattended mode. Changed the flag `-n` to `--non-interactive` modulesync 1.9.2 drop EOL OSs; fix puppet version range Remove docker nodesets support dns-route53 plugin release 2.4.0 [blacksmith] Bump version to 2.4.1-rc0 modulesync 1.9.3 modulesync 1.9.4 modulesync 1.9.6 Fix cron environment leaking This commit moves the environment variable definition from the cron resource environment parameter to the renewal script. This ensure that environment variables aren't conflicting with other cronjobs. Fixes voxpupuliGH-125. allow puppetlabs/stdlib 5.x Add support for dns-google plugin support Migrate letsencrypt::config::ini helper to native Puppet 4 modulesync 2.0.0 Remove inline_template in favour of native Puppet code * Migrates all inline_template calls to Puppet native code, as this is recommended best practice * Changes the default value/data type of webroot_paths and additional_args to an Array instead of Optional[Array] * Adds a data type for the certificate plugins for better readability Allow additional domains to be added later This commit adds support for expansion/shrinking of an already existing certificate by defining a unique identifier (--cert-name) which maps to the Puppet resource title. By doing this, we can ensure that always all requested domains are contained in the certificate. Fixes voxpupuliGH-94. delete unneeded coverage_spec.rb purge obsolete symlink setting in fixtures allow puppet 6.x add yumrepo_core module to fixtures add cron_core module to fixtures release 2.5.0 [blacksmith] Bump version to 2.5.1-rc0 Changed certonly::domains datatype to Array[String[1]] to accommodate wildcard domains Added *.example.com to spec test make the module compatible with FreeBSD As FreeBSD also has no `root` group, the only change I noticed would be necessary to successfully run this module on FreeBSD is the same like for OpenBSD. Added support for dns-cloudflare CertBot plugin. Add cron day of month parameter Use non-optional and strict data type for monthday param Specify min/max Integer value for cron_monthday param modulesync 2.3.1 Enable user to define cron time attributes instead of defaulting to random time modulesync 2.4.0 Cron should also run with space in certonly title Issue voxpupuli#91 reports that creating a letsencrypt::certonly resource with a title containing a space will create a cron entry that will never run. That's because it will create a cron entry like this: 10 22 * * * /cron_scripts_path/renew-title with space.sh That executes /cron_scripts_path/renew-title that obviously does not exist. When the full cron command is put in quotes, it will run as expected. Improve performance of unless Turns out, that calling certbot for every certificate resources takes ages on systems with a lot of certificates. Some comparison: certbot: ~0.7s openssl: ~0.01s use certbot repository declare ubuntu16.04 as supported OS add basics acceptance tests add ubuntu 18.04 as supported OS modulesync 2.5.0 bump lower puppet version from 4.10.0 to 5.5.8 fix fact scope; migrate tests to rspec-puppet-facts facts called with $facts fix rubocop migrate tests to rspec-puppet-facts increase spec coverage Move fact definitions to inside the context migrate FreeBSD tests to rspec-puppet-facts fix tests for correct FS paths cleanup spec files vcs method, bump version of certbot release 3.0.0 [blacksmith] Bump version to 3.0.1-rc0 Certonly: Ensure cron is absent if manage_cron is false Certonly: Removing cron script file if manage_cron is false Spec: Fixing certonly tests to manage cron script Certonly: Refactor manage_cron Boolean to ensure_cron Enum remove certonly acceptance test Fedora doesn't use EPEL for certbot/letsencrypt. Requested changes to simplify and follow preferred facts. modulesync 2.5.1 Fix exec onlyif logic This commit fixes the improved check logic introduces in 460a7b7. It ensure that the exec is actually triggered if the cert file doesn't exist. Move to script for domain validation Add Fedora to tested systems list. Add ability to control keysize. Default to 4096. Add missing rspec value Clean up some old Puppet 3 syntax Add support for plugin dns-rfc2136 Add support for wildcard certs Upgrade vcs version to 0.30.2 0.30.0 had a bug in combination with Pip 19.0.1 which made the installation fail. certbot/certbot#6692 Fixes voxpupuli#172. Fix for $live_path variable Certbot uses the "--cert-name" parameter as part of the path, not the first domain. This means the computed $live_path would be wrong if $domain[0] differs from $title. Rework letsencrypt::certonly to allow deprovisioning + Added $ensure attribute + Renamed $ensure_cron back to $manage_cron + Returned $manage_cron back to a Boolean value + Made execute of "letsencrypt certonly ${title}" conditional to $ensure == 'present' + Added cleanup of directory for domain certs when $ensure == 'absent' + Used global $ensure to signal desired state of cronjobs Tiny style tweak Add missing var doc in dns-rfc2136 Add support for certbot hooks Add single quotes around all domains names in shell commands Fixes voxpupuli#178 surfacing package_ensure in README modulesync 2.6.0 release 4.0.0 [blacksmith] Bump version to 4.0.1-rc0 modulesync 2.7.0 fix fix(docs): add basic documentation about facts and function Add sample output from facts Add notes on function usage Bump dependency, because of new major release fix(os): confine to *nix like systems fix(format): update rubocop violations
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Affected Puppet, Ruby, OS and module versions/distributions
How to reproduce (e.g Puppet code you use)
We changed the certonly plugin from standalone to webroot and the module seems to be trying to regenerate the certs during the puppet run.
However, since the certificates already exist, letsencrypt-auto is prompting for user input, upon which the puppet run fails.
Running the script manually and selecting option 1 (keep existing certificates) did not improve the situation. How does the puppet module know whether to generate certificates or only run the renew cron job but not the certonly script?
What are you seeing
What behaviour did you expect instead
letsencrypt-auto certonly should not be run or should interact with the prompt.
Output log
See above
The text was updated successfully, but these errors were encountered: