From: "Ludovic Courtès" <ludovic.courtes@inria.fr>
To: Giovanni Biscuolo <g@xelera.eu>
Cc: "62491@debbugs.gnu.org" <62491@debbugs.gnu.org>,
Maxim Cournoyer <maxim.cournoyer@gmail.com>
Subject: bug#62491: [berlin] certbot renewal appears to be broken
Date: Thu, 23 Nov 2023 09:46:56 +0100
Message-ID: <87o7fkg8lb.fsf@inria.fr>
In-Reply-To: <87msv46hlk.fsf@xelera.eu> (Giovanni Biscuolo's message of "Thu, 23 Nov 2023 08:42:31 +0100")

Hi,

Giovanni Biscuolo <g@xelera.eu> writes:

> Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:
>
> [...]
>
>>> AFAIU actually #56678 is (was?) caused by a duplicate certbot account:
>
> [...]
>
>>> The problem on berlin (#62491) is (was) due to a failed challenge:
>
> I'm almost sure those are different bugs and I'm almost sure the bugs
> are caused by _state_ (/etc/letsencrypt/[accounts|renewal])

Indeed, that’s part of the problem.

Another example: our certbot service offers a ‘deploy-hook’, but the
/gnu/store/… file name of that hook gets recorded somewhere in
/etc/letsencrypt and thus becomes invalid once the hook has been GC’d or
the system has been reconfigured.

>> I don't think it was truly resolved. The problem keeps coming and
>> someone (usually Ludovic) has to manually run some commands to get it to
>> cooperate (IIUC).
>
> Bugs like this are very difficult to reproduce and to investigate if we
> wait the certs expiration and are forced to find a quick "workaround";
> we should force a renewal (via CLI) before the expiration date and share
> the logs to see what's happening.
>
> I'd like to help but I'm not a sysadmin on bayfront nor on berlin.
>
> I think this kind of "statefulness issues" are affecting other users.

Yeah, I think anyone running a web server on Guix System gets hit by
this issue. I’m not super knowledgeable about certbot either so I tend
to just hack around to get things to work, which is not great.

Ludo’.
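
Added example, not part of the original message and not Guix or certbot code: a check for the stale deploy-hook state described above, listing hooks whose recorded store file name no longer exists. It assumes hooks are recorded as `pre_hook`, `post_hook` and `renew_hook` lines in `/etc/letsencrypt/renewal/*.conf`; the function name `stale_hooks` and its optional store-prefix argument are hypothetical.

```shell
#!/bin/sh
# Added example: report certbot hooks whose recorded store file is gone.
# Assumption: hooks are "key = command" lines in renewal/*.conf, with keys
# pre_hook, post_hook and renew_hook (the key used for --deploy-hook).

# stale_hooks RENEWAL_DIR [STORE_PREFIX]
# Prints "<conf>: <key> -> <file>" for every hook whose program lives under
# STORE_PREFIX (default /gnu/store) and is missing from disk.
stale_hooks() {
    store=${2:-/gnu/store}
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        while IFS= read -r line; do
            case "$line" in
                pre_hook*=*|post_hook*=*|renew_hook*=*) ;;
                *) continue ;;
            esac
            key=${line%%=*}; key=${key%% *}   # text before "=", spaces dropped
            cmd=${line#*=}; cmd=${cmd# }      # text after "=", one space dropped
            prog=${cmd%% *}                   # first word of the hook command
            case "$prog" in
                "$store"/*) [ -e "$prog" ] || echo "$conf: $key -> $prog" ;;
            esac
        done < "$conf"
    done
}

# Constructed sample: a fake store and renewal directory under a temp dir.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/store/aaa-live-hook" "$demo/renewal"
: > "$demo/store/aaa-live-hook/hook"
cat > "$demo/renewal/example.org.conf" <<EOF
[renewalparams]
authenticator = webroot
pre_hook = $demo/store/aaa-live-hook/hook
renew_hook = $demo/store/bbb-collected-hook/hook example.org
EOF

# Only the renew_hook entry is reported: its store item does not exist.
stale_hooks "$demo/renewal" "$demo/store"
```

On a real system the call would be `stale_hooks /etc/letsencrypt/renewal`, run after a reconfigure or garbage collection and before the next scheduled renewal.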