Create blacklist for configuration directives we can't safely copy over #4797
Comments
Forgive me if I do not get it right, but the title suggests that some configuration directives (such as WSGI) should be commented out (in the Apache .conf file) while performing an automated install? Are there no problems with the installation later in such a case?
It will let Apache run, and we have a chance to notify the user that there's something that needs manual attention. Currently Apache errors out on restart if such directives are copied over (they should be unique), then we are rolling back our configuration changes and erroring out ourselves. This change will let us at least configure TLS for the domain, and point the user towards the config that needs attention.
Any updates on this?
Cool, now 0.31.0 is out and the new version no longer copies the http config file. Instead it uses the https config as default and copies it (I had separate configs as a workaround for this bug). This is becoming more and more of a show stopper for me.
Are you hitting the issue when renewing certificates or when installing a new certificate? The HTTP-01 renewal process should not copy any That said, even if we implement the blacklisting in the future, the behavior would most likely be to error out and tell the user that there's something Certbot cannot handle. This would have to be done as a security measure in order to not expose something in the filesystem (
I created the certs with: The problem does not occur on creating a cert (the http.conf is rather small):
On the https conf there is the php part:
If I renew the certificate now I get:
Line 50 is the If possible I would prefer it if certbot handled this.
This seems rather strange as Certbot shouldn't be copying the configuration files over in the HTTP-01 challenge. Are you able to run In order to help you further, I would like to see the contents of
Thank you for the help. Yeah, configtest runs without problems:
I added the log file.
Hello, if I start certbot with no arguments, then pick the domain I want to renew, the process works:
The error only occurs with the renew option.
I have now debugged it and found the problem. The problem is not in the vhost config file.
And that's the problem.
So Apache includes the same vhost first with In my case an easy fix would be to not modify the apache2.conf at all.
Thanks for debugging this further! Apparently Certbot fails to detect that these The code that checks this status is called from: https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/parser.py#L648-L667 via https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/configurator.py#L833 So there might be some pathing issues due to symlinks and whatnot. I'll look into this in the near future.
Thanks for pointing me to the right place. I added a print to the function
This returns me:
So certbot writes the files in
There are several flaws in my hack. I hope someone has a better idea for this problem.
I'm still having this problem with certbot 0.36.0
I see it on certbot 1.2.0 as well.
There are some configuration directives that break when duplicated. They are used somewhat rarely, and in very specific configurations. Instead of doing guesswork and trying to modify the directives, we should instead create a blacklisting mechanism that ignores (or comments out) the problematic statements / blocks.
If directives are disabled for the newly created HTTPS configuration, we should display a meaningful message pointing the user to the configuration file(s) that need manual modification.
Examples: #2726 #1820 #6495
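One way to implement the blacklist-and-notify mechanism the issue asks for, as an added example in Python that is not Certbot's own code: blacklisted directive lines (and whole blocks whose tag name is blacklisted) are commented out in the copied vhost and reported back so the user can be pointed at them. The blacklist contents, the comment prefix and the sample vhost are assumptions made for this example.

```python
import re

# Assumed blacklist for this example; Certbot's real list may differ. Apache
# directive names are case-insensitive, so matching is done on lowercase.
DEFAULT_BLACKLIST = ("WSGIDaemonProcess",)
PREFIX = "# certbot-disabled: "

_DIRECTIVE = re.compile(r"^\s*(?P<name>[A-Za-z][A-Za-z0-9_]*)\b")
_OPEN = re.compile(r"^\s*<(?P<name>[A-Za-z]+)[\s>]")
_CLOSE = re.compile(r"^\s*</(?P<name>[A-Za-z]+)\s*>")


def comment_out_blacklisted(config, blacklist=DEFAULT_BLACKLIST):
    """Return (rewritten_config, notices): blacklisted directive lines and
    blacklisted block sections get PREFIX so Apache ignores them in the copy."""
    names = {n.lower() for n in blacklist}
    out, notices = [], []
    depth, block = 0, None  # depth > 0 while inside a disabled block
    for lineno, line in enumerate(config.splitlines(), 1):
        m_open, m_close = _OPEN.match(line), _CLOSE.match(line)
        if depth:  # already inside a disabled block: only track nesting
            if m_open and m_open.group("name").lower() == block:
                depth += 1
            elif m_close and m_close.group("name").lower() == block:
                depth -= 1
            out.append(PREFIX + line)
            continue
        m_dir = _DIRECTIVE.match(line)
        if m_open and m_open.group("name").lower() in names:
            depth, block = 1, m_open.group("name").lower()
            notices.append("line %d: disabled <%s> block" % (lineno, m_open.group("name")))
            out.append(PREFIX + line)
        elif m_dir and m_dir.group("name").lower() in names:
            notices.append("line %d: disabled %s" % (lineno, m_dir.group("name")))
            out.append(PREFIX + line)
        else:
            out.append(line)  # safe to copy verbatim
    return "\n".join(out) + "\n", notices


# Constructed sample vhost for the example, not a real configuration.
SAMPLE_VHOST = """\
<VirtualHost *:80>
    ServerName example.com
    WSGIDaemonProcess app user=www-data threads=5
    <Directory /srv/app>
        WSGIProcessGroup app
    </Directory>
</VirtualHost>
"""
```

The notices list is what the installer would print alongside the path of the copied file, so the user knows which lines to reinstate by hand.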