From: bug#50423 <50423@debbugs.gnu.org>
Subject: Status: ‘certbot-configuration-deploy-hook’ is stateful
Date: Sat, 26 Jul 2025 23:37:46 +0000

retitle 50423 ‘certbot-configuration-deploy-hook’ is stateful
reassign 50423 guix
submitter 50423 Ludovic Courtès
severity 50423 normal
thanks

From: Ludovic Courtès
To: bug-guix@gnu.org
Subject: ‘certbot-configuration-deploy-hook’ is stateful
Date: Mon, 06 Sep 2021 09:53:30 +0200
Message-ID: <871r62b0n9.fsf@inria.fr>

Hi,

I use certbot “deploy hooks” like this (excerpt from ‘hydra/bayfront.scm’ in guix/maintenance.git):

--8<---------------cut here---------------start------------->8---
(define %nginx-deploy-hook
  ;; Hook that restarts nginx when a new certificate is deployed.
  (program-file "nginx-deploy-hook"
                #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
                    (kill pid SIGHUP))))

(define %certbot-configuration
  (certbot-configuration
   (webroot "/var/www")
   (email "ludovic.courtes@inria.fr")
   (certificates
    (list (certificate-configuration
           (domains '("bayfront.guix.gnu.org" "logs.guix.gnu.org"
                      "bayfront.guix.info" "hpc.guix.info"
                      "guix-hpc.bordeaux.inria.fr"
                      "coordinator.bayfront.guix.gnu.org"))
           (deploy-hook %nginx-deploy-hook))))))
--8<---------------cut here---------------end--------------->8---

The problem is that certbot records the deploy hook file name once and for all:

--8<---------------cut here---------------start------------->8---
ludo@bayfront ~$ sudo grep -r ryb6000fbb4lyb4ad294srkj4x8m821w /etc/letsencrypt/
Password:
/etc/letsencrypt/renewal/hpc.guix.info.conf:renew_hook = /gnu/store/ryb6000fbb4lyb4ad294srkj4x8m821w-nginx-deploy-hook
/etc/letsencrypt/renewal/guix-hpc.bordeaux.inria.fr.conf:renew_hook = /gnu/store/ryb6000fbb4lyb4ad294srkj4x8m821w-nginx-deploy-hook
--8<---------------cut here---------------end--------------->8---

After GC, the certbot config ends up pointing to a non-existing hook:

--8<---------------cut here---------------start------------->8---
ludo@bayfront ~$ sudo certbot renew
[...]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/hpc.guix.info.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for hpc.guix.info
Hook 'deploy-hook' reported error code 127
Hook 'deploy-hook' ran with error output:
 /gnu/store/pwcp239kjf7lnj5i4lkdzcfcxwcfyk72-bash-minimal-5.0.16/bin/sh: /gnu/store/ryb6000fbb4lyb4ad294srkj4x8m821w-nginx-deploy-hook: No such file or directory
--8<---------------cut here---------------end--------------->8---

Most likely, the only solution would be to populate a fixed directory name, say /etc/nginx/hooks/deploy, such that certbot configuration remains valid.

Thoughts?

Ludo’.
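The failure described in the report is silent until the next renewal runs: certbot keeps renewing the certificate, but the hook that reloads nginx no longer exists, so the server keeps serving the old certificate until it expires. The following check, an added example that is not part of the bug report or of Guix, parses the `<name>_hook = <path>` lines certbot writes under `/etc/letsencrypt/renewal/*.conf` and flags hooks that either point into `/gnu/store` (where a `guix gc` may delete them) or are already missing on disk. The sample config text is constructed for the example; the store path is the one quoted in the report and `/etc/nginx/hooks/deploy` is the fixed path the report proposes.

```python
"""Audit certbot renewal configs for deploy hooks that a Guix GC can break.

Added example, not code from the bug report or from Guix. It reads the
``<name>_hook = <path>`` lines that certbot persists in its renewal
configs and reports hooks that (a) live under /gnu/store, so a garbage
collection can remove them, or (b) no longer exist, which is the
"error code 127 / No such file or directory" failure in the report.
"""
import glob
import os
import re
from typing import Callable, Dict, List

# certbot persists hooks as "renew_hook = /path", "pre_hook = /path", etc.
HOOK_LINE = re.compile(r"^\s*(?P<name>[a-z]+_hook)\s*=\s*(?P<path>\S+)\s*$")

# Sample renewal config, constructed for this example. The store path is
# the one quoted in the report; the other values are placeholders.
BROKEN_CONF = """\
archive_dir = /etc/letsencrypt/archive/hpc.guix.info
cert = /etc/letsencrypt/live/hpc.guix.info/cert.pem

[renewalparams]
authenticator = webroot
renew_hook = /gnu/store/ryb6000fbb4lyb4ad294srkj4x8m821w-nginx-deploy-hook
"""

# The same config after switching to the fixed path proposed in the report.
FIXED_CONF = BROKEN_CONF.replace(
    "/gnu/store/ryb6000fbb4lyb4ad294srkj4x8m821w-nginx-deploy-hook",
    "/etc/nginx/hooks/deploy",
)


def parse_hooks(conf_text: str) -> Dict[str, str]:
    """Return {hook_name: path} for every *_hook line in one renewal config."""
    hooks: Dict[str, str] = {}
    for line in conf_text.splitlines():
        match = HOOK_LINE.match(line)
        if match:
            hooks[match.group("name")] = match.group("path")
    return hooks


def audit_hooks(conf_text: str,
                exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return one finding per problem with the hooks in ``conf_text``.

    ``exists`` is injectable so the check can run against the constructed
    samples above without touching the real file system.
    """
    findings: List[str] = []
    for name, path in parse_hooks(conf_text).items():
        if path.startswith("/gnu/store/"):
            findings.append(f"{name} points into /gnu/store ({path}); "
                            "a garbage collection can delete it")
        if not exists(path):
            findings.append(f"{name} target is missing: {path}")
    return findings


def audit_directory(renewal_dir: str = "/etc/letsencrypt/renewal") -> Dict[str, List[str]]:
    """Audit every *.conf under ``renewal_dir``; returns {conf_path: findings}."""
    report: Dict[str, List[str]] = {}
    for conf_path in sorted(glob.glob(os.path.join(renewal_dir, "*.conf"))):
        with open(conf_path, encoding="utf-8") as handle:
            findings = audit_hooks(handle.read())
        if findings:
            report[conf_path] = findings
    return report


if __name__ == "__main__":
    # Demonstrate on the constructed samples: the store path is treated as
    # already collected, the fixed path as present.
    present = {"/etc/nginx/hooks/deploy"}
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, audit_hooks(conf, exists=lambda p: p in present) or ["ok"])
```

Run `audit_directory()` as root on a Guix host to list every renewal config whose hook still points into the store; a non-empty report means the next `certbot renew` will renew the certificate but never reload nginx.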