From: Ludovic Courtès
Subject: bug#50423: ‘certbot-configuration-deploy-hook’ is stateful
To: bug-guix@gnu.org
Date: Mon, 06 Sep 2021 09:53:30 +0200
Message-ID: <871r62b0n9.fsf@inria.fr>
List-Id: Bug reports for GNU Guix
Hi,

I use certbot “deploy hooks” like this (excerpt from ‘hydra/bayfront.scm’ in guix/maintenance.git):

--8<---------------cut here---------------start------------->8---
(define %nginx-deploy-hook
  ;; Hook that restarts nginx when a new certificate is deployed:
  ;; read the master PID file and send SIGHUP.
  (program-file "nginx-deploy-hook"
                #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
                    (kill pid SIGHUP))))

(define %certbot-configuration
  (certbot-configuration
   (webroot "/var/www")
   (email "ludovic.courtes@inria.fr")
   (certificates
    (list (certificate-configuration
           (domains '("bayfront.guix.gnu.org" "logs.guix.gnu.org"
                      "bayfront.guix.info" "hpc.guix.info"
                      "guix-hpc.bordeaux.inria.fr"
                      "coordinator.bayfront.guix.gnu.org"))
           ;; The hook is passed to certbot by its /gnu/store file name.
           (deploy-hook %nginx-deploy-hook))))))
--8<---------------cut here---------------end--------------->8---

The problem is that certbot records the deploy hook file name once and for all:

--8<---------------cut here---------------start------------->8---
ludo@bayfront ~$ sudo grep -r ryb6000fbb4lyb4ad294srkj4x8m821w /etc/letsencrypt/
Password:
/etc/letsencrypt/renewal/hpc.guix.info.conf:renew_hook = /gnu/store/ryb6000fbb4lyb4ad294srkj4x8m821w-nginx-deploy-hook
/etc/letsencrypt/renewal/guix-hpc.bordeaux.inria.fr.conf:renew_hook = /gnu/store/ryb6000fbb4lyb4ad294srkj4x8m821w-nginx-deploy-hook
--8<---------------cut here---------------end--------------->8---

After GC, the certbot config ends up pointing to a non-existing hook:

--8<---------------cut here---------------start------------->8---
ludo@bayfront ~$ sudo certbot renew
[...]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/hpc.guix.info.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for hpc.guix.info
Hook 'deploy-hook' reported error code 127
Hook 'deploy-hook' ran with error output:
 /gnu/store/pwcp239kjf7lnj5i4lkdzcfcxwcfyk72-bash-minimal-5.0.16/bin/sh: /gnu/store/ryb6000fbb4lyb4ad294srkj4x8m821w-nginx-deploy-hook: No such file or directory
--8<---------------cut here---------------end--------------->8---

Most likely, the only solution would be to populate a fixed directory name, say /etc/nginx/hooks/deploy, such that certbot configuration remains valid.

Thoughts?

Ludo’.
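One way to implement the fixed-path approach suggested in the report, as an added example that is not part of the original message nor of the Guix certbot service itself: keep the hook as a store item, but publish it under a stable name with a special-files symlink that the activation code rewrites on every ‘guix system reconfigure’, and give certbot that stable name instead of the store path. Because the store item is referenced from the system generation through the activation gexp, it is not collected by ‘guix gc’; only the symlink target changes between rebuilds, and the ‘renew_hook’ line certbot writes into /etc/letsencrypt/renewal/*.conf stays valid. Assumptions made here: that ‘extra-special-file’ (a thin wrapper over ‘special-files-service-type’) accepts an arbitrary target such as /etc/nginx/hooks/deploy (its activation code creates the parent directory), and that the ‘deploy-hook’ field accepts a plain command string, as its documentation describes. The domain names and e-mail address are placeholders.

```scheme
;; Added example, not the configuration from the report or Guix's own code.
;; Assumptions: 'extra-special-file' may target /etc/nginx/hooks/deploy, and
;; 'deploy-hook' of 'certificate-configuration' accepts a command string.
(use-modules (gnu)
             (gnu services certbot))

(define %nginx-deploy-hook
  ;; Same hook as before: SIGHUP the nginx master so it reloads the renewed
  ;; certificate.  This is still a store item whose path changes whenever
  ;; its contents change, so it must never be handed to certbot directly.
  (program-file "nginx-deploy-hook"
                #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
                    (kill pid SIGHUP))))

;; The stable name certbot will see.  It lives outside /gnu/store and is the
;; string that ends up as 'renew_hook' in /etc/letsencrypt/renewal/*.conf.
(define %nginx-deploy-hook-path "/etc/nginx/hooks/deploy")

;; Symlink %nginx-deploy-hook-path -> current store item.  The activation
;; code re-creates the link (via a rename, so it is atomic) at boot and on
;; every reconfigure, and the reference to %nginx-deploy-hook in this
;; service keeps the store item reachable from the system generation, hence
;; safe from 'guix gc'.
(define %nginx-deploy-hook-service
  (extra-special-file %nginx-deploy-hook-path %nginx-deploy-hook))

(define %certbot-configuration
  (certbot-configuration
   (webroot "/var/www")
   (email "admin@example.org")                       ; placeholder
   (certificates
    (list (certificate-configuration
           (domains '("www.example.org"))            ; placeholder
           ;; Pass the fixed path, not the program-file object.
           (deploy-hook %nginx-deploy-hook-path))))))

;; Append these to the 'services' field of the operating-system declaration.
(define %certificate-services
  (list (service certbot-service-type %certbot-configuration)
        %nginx-deploy-hook-service))
```

Renewal files that already record a /gnu/store path keep it until certbot is run again with the new ‘--deploy-hook’ value or the ‘renew_hook’ line is edited by hand; after that, every renewal goes through /etc/nginx/hooks/deploy, and a rebuilt hook only moves the symlink.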