From: Maxim Cournoyer
To: bug-guix
Cc: guix-sysadmin
Subject: [berlin] certbot renewal appears to be broken
Date: Mon, 27 Mar 2023 17:05:50 -0400
Message-ID: <87cz4tq501.fsf@gmail.com>

Hi,

The TLS cert of https://disarchive.guix.gnu.org/ expired
today. Looking at /var/log/mcron.log on Berlin, we see that the last
certbot renew job failed like so:

--8<---------------cut here---------------start------------->8---
2023-03-24 00:30:00 127768 certbot renew --webroot --webroot-path /var/www: running...
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: Saving debug log to /var/log/letsencrypt/letsencrypt.log
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: Processing /etc/letsencrypt/renewal/bootstrappable.org.conf
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: Certificate not yet due for renewal
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: Processing /etc/letsencrypt/renewal/ci.guix.gnu.org.conf
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: Certificate not yet due for renewal
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: Processing /etc/letsencrypt/renewal/disarchive.guix.gnu.org.conf
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:32:54 127768 certbot renew --webroot --webroot-path /var/www: Renewing an existing certificate for disarchive.guix.gnu.org
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: Domain: disarchive.guix.gnu.org
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: Type: unauthorized
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: Detail: 141.80.181.40: Invalid response from https://disarchive.guix.gnu.org/.well-known/acme-challenge/O1kK3tsJtH0r9RwvbCIFhHagJhBwewV3Ka0NPW86nAI: 404
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: Failed to renew certificate disarchive.guix.gnu.org with error: Some challenges have failed.
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: Processing /etc/letsencrypt/renewal/dump.guix.gnu.org.conf
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: Certificate not yet due for renewal
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: Processing /etc/letsencrypt/renewal/guix.gnu.org.conf
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:10 127768 certbot renew --webroot --webroot-path /var/www: Renewing an existing certificate for guix.gnu.org
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www: Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www: Domain: guix.gnu.org
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www: Type: unauthorized
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www: Detail: 2a0c:e300::58: Invalid response from https://guix.gnu.org/.well-known/acme-challenge/_PlXq5i2BRw23Ui1Yl4rLtyB2aSDnUNMZXurCWBwH-k: 404
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www: Failed to renew certificate guix.gnu.org with error: Some challenges have failed.
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www: Processing /etc/letsencrypt/renewal/guix.info.conf
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:19 127768 certbot renew --webroot --webroot-path /var/www: Renewing an existing certificate for guix.info and www.guix.info
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: Domain: guix.info
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: Type: unauthorized
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: Detail: 141.80.181.40: Invalid response from https://guix.gnu.org/.well-known/acme-challenge/O6y6aqSvLdjdS77MgaEhh7sN7Q75OQX3Jz69xnT4qnY: 404
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: Domain: www.guix.info
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: Type: unauthorized
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: Detail: 141.80.181.40: Invalid response from https://guix.gnu.org/.well-known/acme-challenge/lCioloihdJF6xwwTBg6cSNFjRearp4EBZBWcjkznrUE: 404
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: Failed to renew certificate guix.info with error: Some challenges have failed.
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: Processing /etc/letsencrypt/renewal/issues.guix.gnu.org.conf
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: Certificate not yet due for renewal
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: Processing /etc/letsencrypt/renewal/issues.guix.info.conf
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:26 127768 certbot renew --webroot --webroot-path /var/www: Renewing an existing certificate for issues.guix.info and 3 more domains
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www: Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www: Domain: guix.info
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www: Type: unauthorized
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www: Detail: 141.80.181.40: Invalid response from https://guix.gnu.org/.well-known/acme-challenge/Yv4KpoYC95LzGsM5IPTE68vf6lLfNHVK5kMUocSuDW0: 404
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www: Failed to renew certificate issues.guix.info with error: Some challenges have failed.
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www: Processing /etc/letsencrypt/renewal/monitor.guix.gnu.org.conf
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www: Renewing an existing certificate for monitor.guix.gnu.org
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: Domain: monitor.guix.gnu.org
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: Type: unauthorized
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: Detail: 141.80.181.40: Invalid response from https://monitor.guix.gnu.org/.well-known/acme-challenge/_wxH92e9QQag7TEYdqsA4-C-5pE5DnUd6pzMvQWzWNU: 400
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: Failed to renew certificate monitor.guix.gnu.org with error: Some challenges have failed.
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: Processing /etc/letsencrypt/renewal/www.guixwl.org-0001.conf
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: Certificate not yet due for renewal
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: Processing /etc/letsencrypt/renewal/www.guixwl.org.conf
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: Certificate not yet due for renewal
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: The following certificates are not due for renewal yet:
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: /etc/letsencrypt/live/bootstrappable.org/fullchain.pem expires on 2023-05-14 (skipped)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: /etc/letsencrypt/live/ci.guix.gnu.org/fullchain.pem expires on 2023-06-04 (skipped)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: /etc/letsencrypt/live/dump.guix.gnu.org/fullchain.pem expires on 2023-06-04 (skipped)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: /etc/letsencrypt/live/issues.guix.gnu.org/fullchain.pem expires on 2023-06-04 (skipped)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: /etc/letsencrypt/live/www.guixwl.org-0001/fullchain.pem expires on 2023-06-04 (skipped)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: /etc/letsencrypt/live/www.guixwl.org/fullchain.pem expires on 2023-06-04 (skipped)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: All renewals failed. The following certificates could not be renewed:
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: /etc/letsencrypt/live/disarchive.guix.gnu.org/fullchain.pem (failure)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: /etc/letsencrypt/live/guix.gnu.org/fullchain.pem (failure)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: /etc/letsencrypt/live/guix.info/fullchain.pem (failure)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: /etc/letsencrypt/live/issues.guix.info/fullchain.pem (failure)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: /etc/letsencrypt/live/monitor.guix.gnu.org/fullchain.pem (failure)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: 5 renew failure(s), 0 parse failure(s)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: failed after 234.635s with: (misc-error #f unclean exit status ~S (1) #f)
--8<---------------cut here---------------end--------------->8---

I removed the certbot file name prefix
(/gnu/store/jnp0166xw62dafd2zgxdmvjb6yq8ak32-certbot-1.28.0/bin/) in the
above output to improve readability.

-- 
Thanks,
Maxim

From: Maxim Cournoyer
To: control@debbugs.gnu.org
Subject: control message for bug #62491
Date: Tue, 28 Mar 2023 20:42:39 -0400
Message-Id: <87355o75hc.fsf@gmail.com>

merge 62491 56678
quit

From: Attila Lendvai
To: "62491@debbugs.gnu.org" <62491@debbugs.gnu.org>
Cc: "clement@lassieur.org"
Subject: (No Subject)
Date: Thu, 04 May 2023 14:37:13 +0000

i don't think this is the same issue as #56678.

or at least what i'm seeing on my server is that the wrong certbot cmd
line is generated, which then results in saving the challenge at the
wrong path.

this is the mcron that gets generated:

[...]/certbot certonly -n --agree-tos --webroot -w /srv/http/ --cert-name dwim.hu -d dwim.hu --email attila@lendvai.name

and this is what worked when i fixed the -w arg:

[...]/certbot certonly -n --agree-tos --webroot -w /srv/http/dwim.hu --cert-name dwim.hu -d dwim.hu --email attila@lendvai.name

i.e. the -w parameter should point to the webroot of the virtual domain,
but the guix config structure does not allow setting the webroot for
each , only at their parent, i.e. in the .

this all seems to me as if the certbot service code was assuming that
the certbot script will append the domain names (specified with -d) to
the webroot path, but it does not.

from the certbot log (i.e. challenge is saved at the wrong path):

"Removing /srv/http/.well-known/acme-challenge/[hash]"

the relevant code is from 2018, so certbot's behavior may very well have
changed since then:

https://git.savannah.gnu.org/cgit/guix.git/commit/gnu/services/certbot.scm?id=c3215d2f9d8fa4b890e3a41ceb4404b76a7c5c49

it seems to me that the webroot field should be moved down into .

am i right? if so i may try to patch this up.

-- 
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“State is the name of the coldest of all cold monsters. Coldly it lies;
and this lie slips from its mouth: "I, the state, am the people."”
	— Friedrich Nietzsche (1844–1900), 'Thus Spoke Zarathustra' (1885),
	http://j.mp/1k6pbwS

From: Giovanni Biscuolo
To: Attila Lendvai, "62491@debbugs.gnu.org" <62491@debbugs.gnu.org>
Cc: Ludovic Courtès, Maxim Cournoyer
Subject: bug#62491: [berlin] certbot renewal appears to be broken
Organization: Xelera.eu
References: <87cz4tq501.fsf@gmail.com>
Date: Wed, 22 Nov 2023 18:37:44 +0100
Message-ID: <87sf4x6653.fsf@xelera.eu>

Hello Attila,

I'm starting to use certbot on a new Guix System server of mine: I've
not much experience with this Guix service but I'm using certbot on
other machines so I hope I can help here.

Attila Lendvai writes:

> i don't think this is the same issue as #56678.

AFAIU actually #56678 is (was?) caused by a duplicate certbot account:

--8<---------------cut here---------------start------------->8---
Please choose an account
Choices: ['guix-hpc.bordeaux.inria.fr@2017-09-04T08:51:13Z (48c5)', 'localhost@2016-12-03T21:08:38Z (00bc)']
--8<---------------cut here---------------end--------------->8---

on bayfront, probably caused by some "manual" certbot invocation (I'm
guessing, I cannot have a look at /etc/letsencrypt)

Lodo' please: has that issue (#56678) been solved and how?

The problem on berlin (#62491) is (was) due to a failed challenge:

--8<---------------cut here---------------start------------->8---
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: Failed to renew certificate disarchive.guix.gnu.org with error: Some challenges have failed.
--8<---------------cut here---------------end--------------->8---

Maxim please: has that issue (#62491) been solved and how?

[...]

> this is the mcron that gets generated:
> [...]/certbot certonly -n --agree-tos --webroot -w /srv/http/ --cert-name dwim.hu -d dwim.hu --email attila@lendvai.name

Did you specify a different webroot?  The default one defined in
"certbot-configuration" is "/var/www".

This is my certbot service config:

--8<---------------cut here---------------start------------->8---
(service certbot-service-type
         (certbot-configuration
          (email "giovanni@biscuolo.net")
          (certificates
           (list
            (certificate-configuration
             (domains '("mx01.biscuolo.net")))))))
--8<---------------cut here---------------end--------------->8---

This is the certbot command that gets generated (and is scheduled in my
mcron):

--8<---------------cut here---------------start------------->8---
#!/gnu/store/x4m56h5qkim0pnvx6vgvp541mrdwdrah-guile-3.0.9/bin/guile --no-auto-compile
!#
(begin (use-modules (ice-9 match)) (let ((code 0)) (for-each (match-lambda ((name . command) (begin (format #t "Acquiring or renewing certificate: ~a~%" name) (set!
code (or (apply system* command) code))))) (quote (("mx01.biscuolo.net" "/gnu/store/8vs33jaqpjkr5mzpz8syxvz2w472s5w7-certbot-2.3.0/bin/certbot" "certonly" "-n" "--agree-tos" "--webroot" "-w" "/var/www" "--cert-name" "mx01.biscuolo.net" "-d" "mx01.biscuolo.net" "--email" "giovanni@biscuolo.net")))) code))
--8<---------------cut here---------------end--------------->8---

Also, this is the "server" config for the generated nginx configuration:

--8<---------------cut here---------------start------------->8---
server {
  listen 80;
  listen [::]:80;
  server_name mx01.biscuolo.net ;
  root /srv/http;
  index index.html ;
  server_tokens off;
  location /.well-known { root /var/www; }
  location / { return 301 https://$host$request_uri; }
}
--8<---------------cut here---------------end--------------->8---

> and this what worked when i fixed the -w arg:

What was the error before you fixed the -w arg?  How was the nginx
service configured?

> [...]/certbot certonly -n --agree-tos --webroot -w /srv/http/dwim.hu --cert-name dwim.hu -d dwim.hu --email attila@lendvai.name
>
> i.e. the -w parameter should point to the webroot of the virtual
> domain,

No: that webroot is the directory from which to serve the Let’s Encrypt
challenge/response files, it has nothing to do with the webroot of the
corresponding virtual domain served by *another* nginx service (or other
service using the certificate)

> but the guix config structure does not allow setting the webroot for
> each , only at their parent, i.e. in the
> .

AFAIU there is no need to set a certbot webroot for each certificate:
one webroot can serve all the challenge/response files needed for each
certificate, since certbot creates a unique subfolder in /.well-known
for each of them.

[...]

> from the certbot log (i.e. challenge is saved at the wrong path):
>
> "Removing /srv/http/.well-known/acme-challenge/[hash]"

Why do you say that challenge is in the wrong path?  It works that way
:-)

[...]

WDYT?

Happy hacking!
Gio'

--
Giovanni Biscuolo

Xelera IT Infrastructures

From debbugs-submit-bounces@debbugs.gnu.org Wed Nov 22 13:06:06 2023
From: Attila Lendvai
To: Giovanni Biscuolo
Cc: "62491@debbugs.gnu.org" <62491@debbugs.gnu.org>, Ludovic Courtès, Maxim Cournoyer
Subject: Re: bug#62491: [berlin] certbot renewal appears to be broken
Date: Wed, 22 Nov 2023 18:05:44 +0000

hi Giovanni,

it's been a long time, i don't remember much anymore. but let's run a
quick assert:

my server is serving multiple virtual domains (dwim.hu and lendvai.name)
from completely different webroot directories. that's why i assumed that
certbot needs to generate two different certificates for the two
domains, and then be able to download them by accessing the same ip
address through two separate domain names, and nginx serving the
certificates corresponding to the domain name in the request.

did you write your answer with this in mind?

if yes, then i'll need to get back in context to answer properly.

--
• attila lendvai • PGP: 963F 5D5F 45C7 DFCD 0A39
--
“Not to discuss with a man worthy of conversation is to waste the man. To discuss with a man not worthy of conversation is to waste words.
The wise waste neither men nor words.”
    — Confucius (551–479 BC), 'The Analects'

From debbugs-submit-bounces@debbugs.gnu.org Wed Nov 22 23:17:51 2023
From: Maxim Cournoyer
To: Giovanni Biscuolo
Cc: "62491@debbugs.gnu.org" <62491@debbugs.gnu.org>, Attila Lendvai, Ludovic Courtès
Subject: Re: bug#62491: [berlin] certbot renewal appears to be broken
Date: Wed, 22 Nov 2023 23:17:36 -0500
Message-ID: <87msv585nj.fsf@gmail.com>

Hi Giovanni,

Giovanni Biscuolo writes:

> Hello Attila,
>
> I'm starting using certbot on a new Guix System server of mine: I've not
> much experience with this Guix service but I'm using certbot on other
> machines so I hope I can help here.
>
> Attila Lendvai writes:
>
>> i don't think this is the same issue as #56678.
>
> AFAIU actually #56678 is (was?) caused by a duplicate certbot account:
>
>
> Please choose an account
> Choices: ['guix-hpc.bordeaux.inria.fr@2017-09-04T08:51:13Z (48c5)',
> 'localhost@2016-12-03T21:08:38Z (00bc)']
>
>
> on bayfront, probably caused by some "manual" certbot invocation (I'm
> guessing, I cannot have a look to /etc/letsencrypt)
>
> Lodo' please: has that issue (#56678) been solved and how?
>
> The problem on berlin (#62491) is (was) due to a failed challenge:
>
>
> 2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: Hint: The
> Certificate Authority failed to download the temporary challenge files created by Certbot.
> Ensure that the listed domains serve their content from the provided --webroot-path/-w and
> that files created there can be downloaded from the internet.
> 2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www:
> 2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: Failed to renew
> certificate disarchive.guix.gnu.org with error: Some challenges have failed.
>
>
> Maxim please: has that issue (#62491) been solved and how?

I don't think it was truly resolved.  The problem keeps coming and
someone (usually Ludovic) has to manually run some commands get it to
cooperate (IIUC).

I've never investigated certbot nor configured such a setup myself, so
I'm not knowledgeable about it.
--
Thanks,
Maxim

From debbugs-submit-bounces@debbugs.gnu.org Thu Nov 23 02:23:59 2023
From: Giovanni Biscuolo
To: Attila Lendvai
Subject: Re: bug#62491: [berlin] certbot renewal appears to be broken
Date: Thu, 23 Nov 2023 08:23:42 +0100
Message-ID: <87pm0153wh.fsf@xelera.eu>
Cc: "62491@debbugs.gnu.org" <62491@debbugs.gnu.org>, Ludovic
 Courtès, Maxim Cournoyer

Hi Attila,

Attila Lendvai writes:

[...]

> if yes, then i'll need to get back in context to answer properly.

In this thread I'd like to understand what is (was?) the real nature of
the bugs described, I'm just trying to collect more information

I feel we should discuss how the certbot service works in a different
thread, to stay focused on the bug report

If you need further discussion, please feel free to open a new thread on
guix-devel and Cc: me! :-)

Thanks! Gio'

--
Giovanni Biscuolo

Xelera IT Infrastructures

From debbugs-submit-bounces@debbugs.gnu.org Thu Nov 23 02:42:47 2023
From: Giovanni Biscuolo
To: Maxim Cournoyer
Cc: "62491@debbugs.gnu.org" <62491@debbugs.gnu.org>, Ludovic Courtès
Subject: Re: bug#62491: [berlin] certbot renewal appears to be broken
Date: Thu, 23 Nov 2023 08:42:31 +0100
Message-ID: <87msv46hlk.fsf@xelera.eu>

Hi Maxim,

thank you for your feedback.

Maxim Cournoyer writes:

[...]

>> AFAIU actually #56678 is (was?) caused by a duplicate certbot account:

[...]

>> The problem on berlin (#62491) is (was) due to a failed challenge:

I'm almost sure those are different bugs and I'm almost sure the bugs
are caused by _state_ (/etc/letsencrypt/[accounts|renewal])

[...]

> I don't think it was truly resolved.  The problem keeps coming and
> someone (usually Ludovic) has to manually run some commands get it to
> cooperate (IIUC).

Bugs like this are very difficult to reproduce and to investigate if we
wait the certs expiration and are forced to find a quick "workaround";
we should force a renewal (via CLI) before the expiration date and share
the logs to see what's happening.

I'd like to help but I'm not a sysadmin on bayfront nor on berlin.

I think this kind "statefulness issues" are affecting other users.

Happy hacking! Gio'

[...]
--
Giovanni Biscuolo

Xelera IT Infrastructures

From debbugs-submit-bounces@debbugs.gnu.org Thu Nov 23 03:47:10 2023
From: Ludovic Courtès
To: Giovanni Biscuolo
Cc: "62491@debbugs.gnu.org" <62491@debbugs.gnu.org>, Maxim Cournoyer
Subject: Re: bug#62491: [berlin] certbot renewal appears to be broken
Date: Thu, 23 Nov 2023 09:46:56 +0100
Message-ID: <87o7fkg8lb.fsf@inria.fr>

Hi,

Giovanni Biscuolo skribis:

> Maxim Cournoyer writes:
>
> [...]
>
>>> AFAIU actually #56678 is (was?) caused by a duplicate certbot account:
>
> [...]
>
>>> The problem on berlin (#62491) is (was) due to a failed challenge:
>
> I'm almost sure those are different bugs and I'm almost sure the bugs
> are caused by _state_ (/etc/letsencrypt/[accounts|renewal])

Indeed, that’s part of the problem.

Another example: our certbot service offers a ‘deploy-hook’, but the
/gnu/store/… file name of that hook gets recorded somewhere in
/etc/letsencrypt and thus becomes invalid once the hook has been GC’d or
the system has been reconfigured.

>> I don't think it was truly resolved.  The problem keeps coming and
>> someone (usually Ludovic) has to manually run some commands get it to
>> cooperate (IIUC).
>
> Bugs like this are very difficult to reproduce and to investigate if we
> wait the certs expiration and are forced to find a quick "workaround";
> we should force a renewal (via CLI) before the expiration date and share
> the logs to see what's happening.
>
> I'd like to help but I'm not a sysadmin on bayfront nor on berlin.
>
> I think this kind "statefulness issues" are affecting other users.

Yeah, I think anyone running a web server on Guix System gets hit by
this issue.  I’m not super knowledgeable about certbot either so I tend
to just hack around to get things to work, which is not great.

Ludo’.
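
The stale deploy-hook reference described in the last message can be looked for mechanically. What follows is an added example, not part of the thread or of Guix: it scans certbot renewal files for values that name a /gnu/store item no longer on disk. It assumes the path is recorded in /etc/letsencrypt/renewal/*.conf; the sample file, its key names, hashes and domain are constructed.

```python
import os
import re
from pathlib import Path

# A store item is /gnu/store/<32-character hash>-<name>; anything after the
# next "/" is a file inside that item.
STORE_ITEM = re.compile(r"/gnu/store/[0-9a-z]{32}-[^/\s,;'\"]+")


def store_references(conf_text):
    """Yield (line_number, key, store_item) for each store item named in a value."""
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "[")):
            continue  # blank line, comment, or [section] header
        key, sep, value = line.partition("=")
        if not sep:
            continue
        for match in STORE_ITEM.finditer(value):
            yield number, key.strip(), match.group(0)


def stale_references(conf_text, exists=os.path.exists):
    """Return the references whose store item is no longer on disk."""
    return [ref for ref in store_references(conf_text) if not exists(ref[2])]


# Assumption: certbot keeps its per-certificate state in this directory.
def scan_renewal_dir(directory="/etc/letsencrypt/renewal", exists=os.path.exists):
    """Map each renewal file name to its stale references (empty dict if none)."""
    report = {}
    for conf in sorted(Path(directory).glob("*.conf")):
        stale = stale_references(conf.read_text(), exists)
        if stale:
            report[conf.name] = stale
    return report


# Constructed sample input: hashes, domain and key names are illustrative.
LIVE_ITEM = "/gnu/store/" + "a" * 32 + "-certbot-2.3.0"
GONE_ITEM = "/gnu/store/" + "b" * 32 + "-certbot-deploy-hook"
SAMPLE_RENEWAL_CONF = f"""\
# constructed sample renewal file
version = 2.3.0
archive_dir = /etc/letsencrypt/archive/example.org
[renewalparams]
authenticator = webroot
webroot_path = /var/www,
pre_hook = {LIVE_ITEM}/bin/certbot --version
renew_hook = {GONE_ITEM}
[[webroot_map]]
example.org = /var/www
"""

if __name__ == "__main__":
    for name, refs in scan_renewal_dir().items():
        for number, key, item in refs:
            print(f"{name}:{number}: {key} points at missing {item}")
```

A hook that still exists in the store but belongs to an older system generation is not flagged; only garbage-collected items are.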