RedpointArchive / phabricator

A Docker image that runs Phabricator, an open source software engineering tool
https://hub.docker.com/r/redpointgames/phabricator/

Let's Encrypt doesn't auto renew #48

Closed CGamesPlay closed 7 years ago

CGamesPlay commented 8 years ago

My Phabricator instance needed to be bounced today because the Let's Encrypt certificate had expired. Is there already a mechanism to auto-renew Let's Encrypt certs? If not, what's the best way to add one? I bet that Phabricator already has some kind of cron-like service installed, but how to use it?

hach-que commented 8 years ago

Hmm, that sounds like a bug. It already has cron installed into the container, and the cron daemon is supposed to run every week to renew the certificates where needed:

cat >/etc/cron.weekly/letsencrypt <<EOF
#!/bin/bash
/srv/letsencrypt/letsencrypt-auto certonly --keep --debug --agree-tos --webroot -w /srv/letsencrypt-webroot --email $SSL_EMAIL -d $PHABRICATOR_HOST
EOF

If you run docker exec -ti .... cat /etc/cron.weekly/letsencrypt, does it show that a file is at that location?

CGamesPlay commented 8 years ago

I can confirm that script exists on the new image and appears to be correct. I can also confirm cron is running in the new container.

Docker seems to have garbage-collected the old container so I can't look at the failed instance. I'm happy to provide any logs if this happens again on the current container. The image ID is 60f6d3bea378.

hach-que commented 8 years ago

Sure, if it does happen again, can you check that:

sheershoff commented 7 years ago

  1. the cron is running
  2. /etc/cron.weekly/letsencrypt file is present,
  3. running /etc/cron.weekly/letsencrypt manually produces the following:
d4c4a27fe9f1:/ # /etc/cron.weekly/letsencrypt
An unexpected error occurred:
Bug in pythondialog: expected an empty output from u'infobox', but got: u'Error opening terminal: unknown.\n'Please see the logfile 'certbot.log' for more details.
d4c4a27fe9f1:/ # cat certbot.log 
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 749, in main
    setup_logging(config)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 653, in setup_logging
    logger.info("Saving debug log to %s", log_file_path)
  File "/usr/lib64/python2.7/logging/__init__.py", line 1160, in info
    self._log(INFO, msg, args, **kwargs)
  File "/usr/lib64/python2.7/logging/__init__.py", line 1279, in _log
    self.handle(record)
  File "/usr/lib64/python2.7/logging/__init__.py", line 1289, in handle
    self.callHandlers(record)
  File "/usr/lib64/python2.7/logging/__init__.py", line 1329, in callHandlers
    hdlr.handle(record)
  File "/usr/lib64/python2.7/logging/__init__.py", line 757, in handle
    self.emit(record)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/log.py", line 64, in emit
    self.width + self.PADDING_WIDTH)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/dialog.py", line 2675, in infobox
    kwargs)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/dialog.py", line 1765, in _widget_with_no_output
    widget_name, output))
PythonDialogBug

Docker images:

phabricator@phab:~$ docker images
REPOSITORY            TAG                 IMAGE ID            CREATED             SIZE
hachque/phabricator   latest              1cc476a6c069        5 months ago        1.153 GB
mariadb               latest              1ada4b967325        5 months ago        386.5 MB

Should I just do docker pull hachque/phabricator? Will it break the installation?
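
A job that passes a manual run can still fail once cron starts it, which is the failure mode reported in this thread. As an added example (not code from this repository or its image), the POSIX shell function below runs a job with a cron-like environment: TERM unset, no stdin, working directory away from /. The sample jobs, function names and verdict strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: run a cron job the way cron would, before trusting it.

# check_cron_job ABSOLUTE_PATH -> prints one verdict line, returns 0 only for OK.
check_cron_job() {
    job=$1
    [ -f "$job" ] || { echo "MISSING $job"; return 1; }
    [ -x "$job" ] || { echo "NOT_EXECUTABLE $job"; return 1; }
    # cron usually starts jobs in the user's home directory, so a relative
    # interpreter path such as "#!bin/sh" only resolves when tested from /.
    IFS= read -r shebang < "$job" || true
    case $shebang in
        '#!/'*) ;;
        *) echo "BAD_SHEBANG $job"; return 1 ;;
    esac
    # Cron-like run: empty environment (TERM unset), no stdin, cwd away from /.
    rc=0
    out=$(cd "${TMPDIR:-/tmp}" && env -i PATH=/usr/bin:/bin SHELL=/bin/sh \
          "$job" </dev/null 2>&1) || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "FAILED rc=$rc $job: $(printf '%s\n' "$out" | head -n 1)"
        return 1
    fi
    echo "OK $job"
}

# make_sample_jobs DIR: constructed jobs for the demo, not the image's script.
make_sample_jobs() {
    d=$1
    printf '#!/bin/sh\nexit 0\n' > "$d/good"
    printf '#!bin/sh\nexit 0\n' > "$d/relshebang"
    printf '#!/bin/sh\nexit 0\n' > "$d/noexec"
    # Stands in for a tool that insists on a terminal.
    printf '%s\n' '#!/bin/sh' \
        '[ -n "$TERM" ] || { echo "Error opening terminal: unknown." >&2; exit 3; }' \
        > "$d/needs_term"
    chmod +x "$d/good" "$d/relshebang" "$d/needs_term"
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample_jobs "$d"
    for j in good relshebang needs_term noexec absent; do
        check_cron_job "$d/$j" || true
    done
    rm -rf "$d"
}

demo
```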

hach-que commented 7 years ago

This should be fixed with the latest merged PR. I suggest waiting a little while for the Docker Hub to build the new image, then running docker pull to obtain the fix.

hach-que commented 7 years ago

And no, you can do docker pull hachque/phabricator at any time and things should not break. However, you will get Phabricator automatically upgraded when you start the container if you haven't overridden the repositories or branches as outlined in Advanced Configuration.

sheershoff commented 7 years ago

For my instance it's enough to git pull (actually, I just edited the files in place) and restart the container, since I do not build, I just run the container, and the fixes are in the files that get copied in on start. But it depends on configs/usage (build/run)/image version, I suppose.