GNU bug report logs - #46961
Nginx and certbot cervices don't play well togther

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Clément Lassieur <clement <at> lassieur.org>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#46961: closed (Nginx and certbot cervices don't play well
 togther)
Date: Wed, 31 Jan 2024 15:59:01 +0000

[Message part 1 (text/plain, inline)]

Your message dated Wed, 31 Jan 2024 16:58:07 +0100
with message-id <87sf2debqo.fsf <at> lassieur.org>
and subject line Re: bug#46961: Nginx and certbot cervices don't play well togther
has caused the debbugs.gnu.org bug report #46961,
regarding Nginx and certbot cervices don't play well togther
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
46961: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=46961
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Brice Waegeneire <brice <at> waegenei.re>
To: bug-guix <at> gnu.org 
Cc: guix-devel <at> gnu.org
Subject: Nginx and certbot cervices don't play well togther
Date: Sat, 06 Mar 2021 09:15:04 +0100

Hello Guix,

After an suggestion from Tobias to give a try at forcing HTTPS for
Guix's websites on berlin, I had a go at it but it was more complex that
what I was expecting.  Looking deeper at nginx and certbot services it
appear both services don't play that well together, requering a inital
dance when deploying a new HTTPS virtual server. As explained in #36389¹
you need to:
« - run system configuration with just the certbot service
- use certbot to generate your initial certificates
- reconfigure with additional nginx server configuration, pointing to
  the SSL certificates created by certbot »

Indeed, with an operating-system continaing the following services it's
impossible to sart Nginx and Certbot at once as one would expect:

--8<---------------cut here---------------start------------->8---
(service nginx-service-type)
(service php-fpm-service-type)

(service certbot-service-type
         (certbot-configuration
           (certificates
             (list (certificate-configuration
                     (domains '("test.sama.re"))
                     (deploy-hook
                       (program-file
                         "nginx-deploy-hook"
                         #~(let ((pid (call-with-input-file "/var/run/nginx.pid"
                                                            read)))
                             (kill pid SIGHUP)))))))))

(cat-avatar-generator-service
  #:configuration
  (nginx-server-configuration
    (listen '("443 ssl"))
    (server-name '("test.sama.re"))
    (ssl-certificate
      "/etc/letsencrypt/live/test.sama.re/fullchain.pem")
    (ssl-certificate-key
      "/etc/letsencrypt/live/test.sama.re/privkey.pem")))
--8<---------------cut here---------------end--------------->8---

Here is the error from reconfiguring the system:

--8<---------------cut here---------------start------------->8---
# guix system reconfigure /etc/config.sm
[...]
building /gnu/store/55cq2ja4i5489s55viv9fh50032d1ziy-switch-to-system.scm.drv...
making '/gnu/store/p2rkcmrnpls5py7x2iappf2qcbxwlb95-system' the current system...
setting up setuid programs in '/run/setuid-programs'...
populating /etc from /gnu/store/k2kb8hsq3q0dhhad4a9pjh4kx32mn4g0-etc...
/var/lib/certbot/renew-certificates may need to be run
creating nginx log directory '/var/log/nginx'
creating nginx run directory '/var/run/nginx'
creating nginx temp directories '/var/run/nginx/{client_body,proxy,fastcgi,uwsgi,scgi}_temp'
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/test.sama.re/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/test.sama.re/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /gnu/store/chpw631djay2w39x7agg8zz53iayy4zy-nginx.conf test failed
`/gnu/store/jyxc290q7jyhhpalski0h13h8z9zvnka-openssh-authorized-keys/bricewge' -> `/etc/ssh/authorized_keys.d/bricewge'
The following derivation will be built:
   /gnu/store/qlzbrmpx6wnhzqcpqi9yrbb6xva82kvr-install-bootloader.scm.drv

building /gnu/store/qlzbrmpx6wnhzqcpqi9yrbb6xva82kvr-install-bootloader.scm.drv...
guix system: bootloader successfully installed on '/dev/sda'
The following derivation will be built:
   /gnu/store/ikak44inrnz3b3dx8j8csdakgqafbijn-upgrade-shepherd-services.scm.drv

building /gnu/store/ikak44inrnz3b3dx8j8csdakgqafbijn-upgrade-shepherd-services.scm.drv...
shepherd: Removing service 'dbus-system'...
shepherd: Service dbus-system has been stopped.
shepherd: Done.
shepherd: Service host-name has been started.
shepherd: Service user-homes has been started.
shepherd: Service host-name has been started.
shepherd: Service term-auto could not be started.
shepherd: Service php-fpm has been started.
guix system: warning: exception caught while executing 'start' on service 'nginx':
Throw to key `%exception' with args `("#<&invoke-error program: \"/gnu/store/hn1mvgafkpf5knrnzvwpgpdlzmq553al-nginx-1.19.6/sbin/nginx\" arguments: (\"-c\" \"/gnu/store/chpw631djay2w39x7agg8zz53iayy4zy-nginx.conf\" \"-p\" \"/var/run/nginx\") exit-status: 1 term-signal: #f stop-signal: #f>")'.
guix system: warning: some services could not be upgraded
hint: To allow changes to all the system services to take effect, you will need to reboot.
--8<---------------cut here---------------end--------------->8---

What happen is Nginx won't start because the certficate related files
present in it's configuration doesn't exist and we can't get a Let's
Encrypt certificate from a HTTP-01 challenge without that web server
running.  NixOS broke that chicken and egg problem by generating a
self-signed certificate first, after that starting nginx, then
requesting a valid Lets' Encrypt certificate and finally reloading
Nginx.  That way we end up with a Nginx server using Let's Encrypt
certificate with no more that a simple system reconfiguration.  Note
that, the initial self-signed certificate will need to be at the path
were certbot will put it's own certificate.

WDYT?

¹ https://bugs.gnu.org/36389

Cheers,
- Brice

[Message part 3 (message/rfc822, inline)]

From: Clément Lassieur <clement <at> lassieur.org>
To: Carlo Zancanaro <carlo <at> zancanaro.id.au>
Cc: 46961-done <at> debbugs.gnu.org
Subject: Re: bug#46961: Nginx and certbot cervices don't play well togther
Date: Wed, 31 Jan 2024 16:58:07 +0100

On Wed, Jan 31 2024, Carlo Zancanaro wrote:

>>> +                          (< attempt 12)) ; 12 * 10 seconds = 2 minutes
>>                                                                  ^------
>> This comment is not true because certbot takes time to execute (around 15s
>> on my vm).  I don't think there is a need to be that precise.
>
> I haven't extracted/named the max-attempts value, but I have removed the
> comments that imply that the time frame is bounded.

Ok

>> Also could you update the example in the docs?
>
> I have removed the %certbot-deploy-hook in the example in the manual.
>
>> ... However, we could add a nginx-service-type and a
>> dhcp-client-service-type so that people have an idea of what the minimal
>> config is, maybe like I did in my first review:
>> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=46961#23.
>
> I have not added this. I understand the desire, but I'm wary of providing an
> example that's "too involved". The current example demonstrates a minimal
> config of certbot itself. I think you are looking to include an example of a
> minimal system that hosts a website using certbot provided certificates. I
> don't know where an example like that belongs, but I'm not yet convinced it
> belongs in the certbot service documentation.

Sounds good

Pushed, thank you!
Clément

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.