From: Giovanni Biscuolo <g@xelera.eu>
To: Attila Lendvai <attila@lendvai.name>,
"62491@debbugs.gnu.org" <62491@debbugs.gnu.org>
Cc: "Ludovic Courtès" <ludovic.courtes@inria.fr>,
"Maxim Cournoyer" <maxim.cournoyer@gmail.com>
Subject: bug#62491: [berlin] certbot renewal appears to be broken
Date: Wed, 22 Nov 2023 18:37:44 +0100 [thread overview]
Message-ID: <87sf4x6653.fsf@xelera.eu> (raw)
In-Reply-To: <xUfl58WwIGDQakb2wFTlATboSCRB4-uR1eu3HS0G6Mo1IdzgYsOsA2D4YmBt_TgLWFrMlmJFi2a2yykmDNZJuUCRHoENEmnvrhWdSYC8DSA=@lendvai.name>
[-- Attachment #1: Type: text/plain, Size: 5040 bytes --]
Hello Attila,
I'm starting using certbot on a new Guix System server of mine: I've not
much experience with this Guix service but I'm using certbot on other
machines so I hope I can help here.
Attila Lendvai <attila@lendvai.name> writes:
> i don't think this is the same issue as #56678.
AFAIU actually #56678 is (was?) caused by a duplicate certbot account:
--8<---------------cut here---------------start------------->8---
Please choose an account
Choices: ['guix-hpc.bordeaux.inria.fr@2017-09-04T08:51:13Z (48c5)',
'localhost@2016-12-03T21:08:38Z (00bc)']
--8<---------------cut here---------------end--------------->8---
on bayfront, probably caused by some "manual" certbot invocation (I'm
guessing, I cannot have a look to /etc/letsenctypt)
Lodo' please: has that issue (#56678) been solved and how?
The problem on berlin (#62491) is (was) due to a failed challenge:
--8<---------------cut here---------------start------------->8---
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: Hint: The
Certificate Authority failed to download the temporary challenge files created by Certbot.
Ensure that the listed domains serve their content from the provided --webroot-path/-w and
that files created there can be downloaded from the internet.
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www:
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: Failed to renew
certificate disarchive.guix.gnu.org with error: Some challenges have failed.
--8<---------------cut here---------------end--------------->8---
Maxim please: has that issue (#62491) been solved and how?
[...]
> this is the mcron that gets generated:
> [...]/certbot certonly -n --agree-tos --webroot -w /srv/http/ --cert-name dwim.hu -d dwim.hu --email attila@lendvai.name
Did you specify a different webroot? The default one defined in
"certbot-configuration" is "/var/www".
This is my certbot service config:
--8<---------------cut here---------------start------------->8---
(service certbot-service-type
(certbot-configuration
(email "giovanni@biscuolo.net")
(certificates
(list
(certificate-configuration
(domains '("mx01.biscuolo.net")))))))
--8<---------------cut here---------------end--------------->8---
This is the certbot command that gets generated (and is scheduled in my
mcron):
--8<---------------cut here---------------start------------->8---
#!/gnu/store/x4m56h5qkim0pnvx6vgvp541mrdwdrah-guile-3.0.9/bin/guile --no-auto-compile
!#
(begin (use-modules (ice-9 match)) (let ((code 0)) (for-each (match-lambda ((name . command) (begin (format #t "Acquiring or renewing certificate: ~a~%" name) (set! code (or (apply system* command) code))))) (quote (("mx01.biscuolo.net" "/gnu/store/8vs33jaqpjkr5mzpz8syxvz2w472s5w7-certbot-2.3.0/bin/certbot" "certonly" "-n" "--agree-tos" "--webroot" "-w" "/var/www" "--cert-name" "mx01.biscuolo.net" "-d" "mx01.biscuolo.net" "--email" "giovanni@biscuolo.net")))) code))
--8<---------------cut here---------------end--------------->8---
Also, this is the "server" config for the generated nginx configuration:
--8<---------------cut here---------------start------------->8---
server {
listen 80;
listen [::]:80;
server_name mx01.biscuolo.net ;
root /srv/http;
index index.html ;
server_tokens off;
location /.well-known {
root /var/www;
}
location / {
return 301 https://$host$request_uri;
}
}
--8<---------------cut here---------------end--------------->8---
> and this what worked when i fixed the -w arg:
What was the error before you fixed the -w arg?
How was the nginx service configured?
> [...]/certbot certonly -n --agree-tos --webroot -w /srv/http/dwim.hu --cert-name dwim.hu -d dwim.hu --email attila@lendvai.name
>
> i.e. the -w parameter should point to the webroot of the virtual
> domain,
No: that webroot is the directory from which to serve the Let’s Encrypt
challenge/response files, it have nothing do do with the webroot of the
corresponding virtual domain served by *another* nginx service (or other
service using the certificate)
> but the guix config structure does not allow setting the webroot for
> each <certificate-configuration>, only at their parent, i.e. in the
> <certbot-configuration>.
AFAIU there is no need to set a certbot webroot for each certificate:
one webroot can serve all the challenge/response files needed for each
certificate, since certbot creates a unique subfolder in /.well-known
for each of them.
[...]
> from the certbot log (i.e. challenge is saved at the wrong path):
>
> "Removing /srv/http/.well-known/acme-challenge/[hash]"
Why do you say that challenge is in the wrong path?
It works that way :-)
[...]
WDYT?
Happy hacking! Gio'
--
Giovanni Biscuolo
Xelera IT Infrastructures
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 849 bytes --]
next prev parent reply other threads:[~2023-11-22 17:38 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-27 21:05 bug#62491: [berlin] certbot renewal appears to be broken Maxim Cournoyer
2023-05-04 14:37 ` bug#62491: (No Subject) Attila Lendvai
2023-11-22 17:37 ` Giovanni Biscuolo [this message]
2023-11-22 18:05 ` bug#62491: [berlin] certbot renewal appears to be broken Attila Lendvai
2023-11-23 7:23 ` Giovanni Biscuolo
2023-11-23 4:17 ` Maxim Cournoyer
2023-11-23 7:42 ` Giovanni Biscuolo
2023-11-23 8:46 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87sf4x6653.fsf@xelera.eu \
--to=g@xelera.eu \
--cc=62491@debbugs.gnu.org \
--cc=attila@lendvai.name \
--cc=ludovic.courtes@inria.fr \
--cc=maxim.cournoyer@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).