GNU bug report logs - #46961
Nginx and certbot cervices don't play well togther

Previous Next

Package: guix;

Reported by: Brice Waegeneire <brice <at> waegenei.re>

Date: Sat, 6 Mar 2021 08:16:02 UTC

Severity: normal

Done: Clément Lassieur <clement <at> lassieur.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Brice Waegeneire <brice <at> waegenei.re>
Subject: bug#46961: closed (Re: bug#46961: Nginx and certbot cervices
 don't play well togther)
Date: Wed, 31 Jan 2024 15:59:01 +0000

[Message part 1 (text/plain, inline)]
Your bug report

#46961: Nginx and certbot cervices don't play well togther

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 46961 <at> debbugs.gnu.org.

-- 
46961: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=46961
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: Clément Lassieur <clement <at> lassieur.org>
To: Carlo Zancanaro <carlo <at> zancanaro.id.au>
Cc: 46961-done <at> debbugs.gnu.org
Subject: Re: bug#46961: Nginx and certbot cervices don't play well togther
Date: Wed, 31 Jan 2024 16:58:07 +0100

On Wed, Jan 31 2024, Carlo Zancanaro wrote:

>>> +                          (< attempt 12)) ; 12 * 10 seconds = 2 minutes
>>                                                                  ^------
>> This comment is not true because certbot takes time to execute (around 15s
>> on my vm).  I don't think there is a need to be that precise.
>
> I haven't extracted/named the max-attempts value, but I have removed the
> comments that imply that the time frame is bounded.

Ok

>> Also could you update the example in the docs?
>
> I have removed the %certbot-deploy-hook in the example in the manual.
>
>> ... However, we could add a nginx-service-type and a
>> dhcp-client-service-type so that people have an idea of what the minimal
>> config is, maybe like I did in my first review:
>> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=46961#23.
>
> I have not added this. I understand the desire, but I'm wary of providing an
> example that's "too involved". The current example demonstrates a minimal
> config of certbot itself. I think you are looking to include an example of a
> minimal system that hosts a website using certbot provided certificates. I
> don't know where an example like that belongs, but I'm not yet convinced it
> belongs in the certbot service documentation.

Sounds good

Pushed, thank you!
Clément


[Message part 3 (message/rfc822, inline)]
From: Brice Waegeneire <brice <at> waegenei.re>
To: bug-guix <at> gnu.org 
Cc: guix-devel <at> gnu.org
Subject: Nginx and certbot cervices don't play well togther
Date: Sat, 06 Mar 2021 09:15:04 +0100

Hello Guix,

After an suggestion from Tobias to give a try at forcing HTTPS for
Guix's websites on berlin, I had a go at it but it was more complex that
what I was expecting.  Looking deeper at nginx and certbot services it
appear both services don't play that well together, requering a inital
dance when deploying a new HTTPS virtual server. As explained in #36389¹
you need to:
« - run system configuration with just the certbot service
- use certbot to generate your initial certificates
- reconfigure with additional nginx server configuration, pointing to
  the SSL certificates created by certbot »

Indeed, with an operating-system continaing the following services it's
impossible to sart Nginx and Certbot at once as one would expect:

--8<---------------cut here---------------start------------->8---
(service nginx-service-type)
(service php-fpm-service-type)

(service certbot-service-type
         (certbot-configuration
           (certificates
             (list (certificate-configuration
                     (domains '("test.sama.re"))
                     (deploy-hook
                       (program-file
                         "nginx-deploy-hook"
                         #~(let ((pid (call-with-input-file "/var/run/nginx.pid"
                                                            read)))
                             (kill pid SIGHUP)))))))))

(cat-avatar-generator-service
  #:configuration
  (nginx-server-configuration
    (listen '("443 ssl"))
    (server-name '("test.sama.re"))
    (ssl-certificate
      "/etc/letsencrypt/live/test.sama.re/fullchain.pem")
    (ssl-certificate-key
      "/etc/letsencrypt/live/test.sama.re/privkey.pem")))
--8<---------------cut here---------------end--------------->8---

Here is the error from reconfiguring the system:

--8<---------------cut here---------------start------------->8---
# guix system reconfigure /etc/config.sm
[...]
building /gnu/store/55cq2ja4i5489s55viv9fh50032d1ziy-switch-to-system.scm.drv...
making '/gnu/store/p2rkcmrnpls5py7x2iappf2qcbxwlb95-system' the current system...
setting up setuid programs in '/run/setuid-programs'...
populating /etc from /gnu/store/k2kb8hsq3q0dhhad4a9pjh4kx32mn4g0-etc...
/var/lib/certbot/renew-certificates may need to be run
creating nginx log directory '/var/log/nginx'
creating nginx run directory '/var/run/nginx'
creating nginx temp directories '/var/run/nginx/{client_body,proxy,fastcgi,uwsgi,scgi}_temp'
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/test.sama.re/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/test.sama.re/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /gnu/store/chpw631djay2w39x7agg8zz53iayy4zy-nginx.conf test failed
`/gnu/store/jyxc290q7jyhhpalski0h13h8z9zvnka-openssh-authorized-keys/bricewge' -> `/etc/ssh/authorized_keys.d/bricewge'
The following derivation will be built:
   /gnu/store/qlzbrmpx6wnhzqcpqi9yrbb6xva82kvr-install-bootloader.scm.drv

building /gnu/store/qlzbrmpx6wnhzqcpqi9yrbb6xva82kvr-install-bootloader.scm.drv...
guix system: bootloader successfully installed on '/dev/sda'
The following derivation will be built:
   /gnu/store/ikak44inrnz3b3dx8j8csdakgqafbijn-upgrade-shepherd-services.scm.drv

building /gnu/store/ikak44inrnz3b3dx8j8csdakgqafbijn-upgrade-shepherd-services.scm.drv...
shepherd: Removing service 'dbus-system'...
shepherd: Service dbus-system has been stopped.
shepherd: Done.
shepherd: Service host-name has been started.
shepherd: Service user-homes has been started.
shepherd: Service host-name has been started.
shepherd: Service term-auto could not be started.
shepherd: Service php-fpm has been started.
guix system: warning: exception caught while executing 'start' on service 'nginx':
Throw to key `%exception' with args `("#<&invoke-error program: \"/gnu/store/hn1mvgafkpf5knrnzvwpgpdlzmq553al-nginx-1.19.6/sbin/nginx\" arguments: (\"-c\" \"/gnu/store/chpw631djay2w39x7agg8zz53iayy4zy-nginx.conf\" \"-p\" \"/var/run/nginx\") exit-status: 1 term-signal: #f stop-signal: #f>")'.
guix system: warning: some services could not be upgraded
hint: To allow changes to all the system services to take effect, you will need to reboot.
--8<---------------cut here---------------end--------------->8---

What happen is Nginx won't start because the certficate related files
present in it's configuration doesn't exist and we can't get a Let's
Encrypt certificate from a HTTP-01 challenge without that web server
running.  NixOS broke that chicken and egg problem by generating a
self-signed certificate first, after that starting nginx, then
requesting a valid Lets' Encrypt certificate and finally reloading
Nginx.  That way we end up with a Nginx server using Let's Encrypt
certificate with no more that a simple system reconfiguration.  Note
that, the initial self-signed certificate will need to be at the path
were certbot will put it's own certificate.

WDYT?

¹ https://bugs.gnu.org/36389

Cheers,
- Brice
This bug report was last modified 1 year and 109 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.