GNU bug report logs -
#62491
[berlin] certbot renewal appears to be broken
Previous Next
Full log
Message #28 received at 62491 <at> debbugs.gnu.org (full text, mbox):
Hi,
Giovanni Biscuolo <g <at> xelera.eu> skribis:
> Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:
>
> [...]
>
>>> AFAIU actually #56678 is (was?) caused by a duplicate certbot account:
>
> [...]
>
>>> The problem on berlin (#62491) is (was) due to a failed challenge:
>
> I'm almost sure those are different bugs and I'm almost sure the bugs
> are caused by _state_ (/etc/letsencrypt/[accounts|renewal])
Indeed, that’s part of the problem.
Another example: our cerbot service offers a ‘deploy-hook’, but the
/gnu/store/… file name of that hook gets recorded somewhere in
/etc/letsencrypt and thus becomes invalid once the hook has been GC’d or
the system has been reconfigured.
>> I don't think it was truly resolved. The problem keeps coming and
>> someone (usually Ludovic) has to manually run some commands get it to
>> cooperate (IIUC).
>
> Bugs like this are very difficult to reproduce and to investigate if we
> wait the certs expiration and are forced to find a quick "workaround";
> we should force a renewal (via CLI) before the expiration date and share
> the logs to see what's happening.
>
> I'd like to help but I'm not a sysadmin on bayfront nor on berlin.
>
> I think this kind "statefulness issues" are affecting other users.
Yeah, I think anyone running a web server on Guix System gets hit by
this issue. I’m not super knowledgeable about certbot either so I tend
to just hack around to get things to work, which is not great.
Ludo’.
This bug report was last modified 1 year and 203 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.