From: "Clément Lassieur" <clement@lassieur.org>
To: Carlo Zancanaro <carlo@zancanaro.id.au>
Cc: brice@waegenei.re, 46961@debbugs.gnu.org
Subject: bug#46961: Nginx and certbot cervices don't play well togther
Date: Wed, 31 Jan 2024 01:55:56 +0100 [thread overview]
Message-ID: <87zfwms4mb.fsf_-_@lassieur.org> (raw)
In-Reply-To: <dacd6d008673b6eaf957211ff4ad41256be533b1.1706621200.git.carlo@zancanaro.id.au> (Carlo Zancanaro's message of "Tue, 30 Jan 2024 13:26:40 +0000")
Removing guix-devel.
On Tue, Jan 30 2024, Carlo Zancanaro wrote:
> + (define (file-contains? file string)
> + (string-contains (call-with-input-file file
> + get-string-all)
> + string))
> +
> + (define (connection-error?)
> + (file-contains? "/var/log/letsencrypt/letsencrypt.log"
> + "Failed to establish a new connection"))
> +
> + (let ((script-code 0))
> (for-each
> (match-lambda
> ((name . command)
> (begin
> (format #t "Acquiring or renewing certificate: ~a~%" name)
Here we could add ‘(force-output)’, because otherwise those logs arrive
after the certbot logs, and it's hard to understand anything.
> - (set! code (or (apply system* command) code)))))
> - '#$commands) code)))))))
> + (unless (zero? (status:exit-val (apply system* command)))
> + ;; Certbot errors are always exit code 1, but we'd like
> + ;; to separate connection errors from other error types.
> + (if (connection-error?)
> + ;; If we have a connection error, then bail early
> + ;; with exit code 2. We don't expect this to
> + ;; resolve within the timespan of this script.
Could we have a (log + force-output) here too? (I imagine within a
‘begin’)
> + (exit 2)
> + ;; If we have any other type of error, then continue
> + ;; but exit with a failing status code in the end.
and here?
> + (set! script-code 1))))))
And maybe a log also in case the command succeeds. (So that would mean
to replace ‘unless’ with ‘if’).
> + '#$commands)
> + (exit script-code))))))))
>
> + (let loop ((attempt 0))
> + (let ((code (status:exit-val
> + (system* #$(certbot-command config)))))
> + (cond
> + ((and (= code 2) ; Exit code 2 means connection error
> + (< attempt 12)) ; 12 * 10 seconds = 2 minutes
^------
This comment is not true because certbot takes time to execute (around
15s on my vm). I don't think there is a need to be that precise. Maybe
you can just add in in the let form, as in (let ((code ...)
(max-attempts 12)).
> + (sleep 10)
> + (loop (1+ attempt)))
> + ((zero? code)
> + ;; Success!
> + #t)
> + (else
> + ;; Failure.
> + #f))))))
Also could you update the example in the docs?
From the doc:
>> @defvar certbot-service-type
>> A service type for the @code{certbot} Let's Encrypt client. Its value
>> must be a @code{certbot-configuration} record as in this example:
>>
>> @lisp
>> (define %certbot-deploy-hook
>> (program-file "certbot-deploy-hook.scm"
>> (with-imported-modules '((gnu services herd))
>> #~(begin
>> (use-modules (gnu services herd))
>> (with-shepherd-action 'nginx ('reload) result result)))))
^
This part isn't useful anymore. However, we could add a
nginx-service-type and a dhcp-client-service-type so that people have an
idea of what the minimal config is, maybe like I did in my first review:
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=46961#23.
>> (service certbot-service-type
>> (certbot-configuration
>> (email "foo@@example.net")
>> (certificates
>> (list
>> (certificate-configuration
>> (domains '("example.net" "www.example.net"))
>> (deploy-hook %certbot-deploy-hook))
>> (certificate-configuration
>> (domains '("bar.example.net")))))))
>> @end lisp
We are almost there, thanks!
Clément
next prev parent reply other threads:[~2024-01-31 0:57 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-06 8:15 Nginx and certbot cervices don't play well togther Brice Waegeneire
2024-01-24 12:18 ` bug#46961: [PATCH 0/2] Allow nginx to start before certbot has run Carlo Zancanaro
2024-01-24 12:18 ` bug#46961: [PATCH 1/2] services: certbot: Symlink certificates to /etc/certs Carlo Zancanaro
2024-01-24 12:18 ` bug#46961: [PATCH 2/2] services: certbot: Create self-signed certificates before certbot runs Carlo Zancanaro
2024-01-24 13:01 ` Carlo Zancanaro
2024-01-29 19:23 ` bug#46961: Nginx and certbot cervices don't play well togther Clément Lassieur
2024-01-29 23:02 ` Carlo Zancanaro
2024-01-29 23:19 ` Clément Lassieur
2024-01-29 19:28 ` Clément Lassieur
2024-01-30 13:26 ` bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx Carlo Zancanaro
2024-01-30 13:26 ` Carlo Zancanaro
2024-01-30 14:49 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
2024-01-30 21:48 ` Carlo Zancanaro
2024-01-31 0:04 ` Wojtek Kosior via Development of GNU Guix and the GNU System distribution.
[not found] ` <875xzanaer.fsf__22488.5524179385$1706626282$gmane$org@lease-up.com>
2024-01-30 19:39 ` bug#46961: " Clément Lassieur
2024-04-13 1:17 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
2024-04-14 11:42 ` Carlo Zancanaro
2024-04-14 13:51 ` Carlo Zancanaro
2024-04-14 16:25 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
2024-01-31 11:46 ` bug#46961: [PATCH v3 " Carlo Zancanaro
2024-01-31 11:46 ` bug#46961: [PATCH v3 1/4] services: certbot: Symlink certificates to /etc/certs Carlo Zancanaro
2024-01-31 11:46 ` bug#46961: [PATCH v3 2/4] services: certbot: Create self-signed certificates before certbot runs Carlo Zancanaro
2024-01-31 11:46 ` bug#46961: [PATCH v3 3/4] services: certbot: Reload nginx in deploy hook Carlo Zancanaro
2024-01-31 11:46 ` bug#46961: [PATCH v3 4/4] services: certbot: Add one-shot service to renew certificates Carlo Zancanaro
2024-01-30 13:26 ` [PATCH v2 1/4] services: certbot: Symlink certificates to /etc/certs Carlo Zancanaro
2024-01-30 13:26 ` [PATCH v2 2/4] services: certbot: Create self-signed certificates before certbot runs Carlo Zancanaro
2024-01-30 13:26 ` [PATCH v2 3/4] services: certbot: Add a default deploy hook to reload nginx Carlo Zancanaro
2024-01-31 0:29 ` bug#46961: Nginx and certbot cervices don't play well togther Clément Lassieur
2024-01-30 13:26 ` bug#46961: [PATCH v2 4/4] services: certbot: Add one-shot service to renew certificates Carlo Zancanaro
2024-01-30 13:26 ` Carlo Zancanaro
2024-01-31 0:55 ` Clément Lassieur [this message]
2024-01-31 11:50 ` bug#46961: Nginx and certbot cervices don't play well togther Carlo Zancanaro
2024-01-31 15:58 ` Clément Lassieur
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87zfwms4mb.fsf_-_@lassieur.org \
--to=clement@lassieur.org \
--cc=46961@debbugs.gnu.org \
--cc=brice@waegenei.re \
--cc=carlo@zancanaro.id.au \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.