ACME v1 v2 account reuse fails to create relative symlinks - breaks when paths change #7677

Open
diablodale opened this issue Jan 11, 2020 · 2 comments
Labels
area: acme area: cert management bug priority: unplanned Work that we believe should be done, but does not have a higher priority.


@diablodale

The reuse account functionality, e.g. v2 can reuse v1 accounts, makes full canonical symlinks rather than relative symlinks. This leads to problems when the letsencrypt/ folder is moved, renamed, migrated, etc. This is in contrast to the relative symlink method already used between live/ and archive/.

                    self._symlink_to_accounts_dir(prev_server_path, server_path)
                except OSError:
                    return []
            accounts = prev_accounts
        return accounts

    def find_all(self):
        return self._find_all_for_server_path(self.config.server_path)

    def _symlink_to_account_dir(self, prev_server_path, server_path, account_id):
        prev_account_dir = self._account_dir_path_for_server_path(account_id, prev_server_path)
        new_account_dir = self._account_dir_path_for_server_path(account_id, server_path)
        os.symlink(prev_account_dir, new_account_dir)

    def _symlink_to_accounts_dir(self, prev_server_path, server_path):
        accounts_dir = self.config.accounts_dir_for_server_path(server_path)
        if os.path.islink(accounts_dir):
            os.unlink(accounts_dir)
        else:
            os.rmdir(accounts_dir)
        prev_account_dir = self.config.accounts_dir_for_server_path(prev_server_path)
        os.symlink(prev_account_dir, accounts_dir)

Setup

  • Ubuntu LTS 18.04.3
  • Certbot doesn't have to be installed
  • /etc/letsencrypt that has v1 and v2 account support and therefore has the v2 accounts directory symlinked to the v1 accounts directory

Repro

  1. Verify that the folder /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org contains a working symlink named directory -> /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory
  2. mv /etc/letsencrypt /etc/letsencryptnew

Result

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org now contains a failing symlink. This is because that symlink was to the full canonical path instead of a relative path.

Expected

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org contains a working symlink
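
The repro above, as an added example that is not part of the original issue and is not Certbot's code: it builds a throwaway tree shaped like the accounts directory, links v2 to v1 either with an absolute target or with a target relative to the link's parent, renames the tree, and reports whether the link still resolves. The helper names `symlink_relative` and `build_and_move` are hypothetical, and the directory tree is constructed in a temporary directory.

```python
import os
import shutil
import tempfile

V1 = "acme-v01.api.letsencrypt.org"
V2 = "acme-v02.api.letsencrypt.org"


def symlink_relative(target_dir, link_path):
    """Create link_path -> target_dir using a path relative to the link's parent."""
    # Resolve both sides so relpath is computed from where the link really lives.
    link_parent = os.path.realpath(os.path.dirname(link_path))
    rel_target = os.path.relpath(os.path.realpath(target_dir), link_parent)
    os.symlink(rel_target, link_path)
    return rel_target


def build_and_move(relative):
    """Build a constructed config tree, link v2 -> v1, rename the tree, report the result."""
    root = tempfile.mkdtemp()
    try:
        old_cfg = os.path.join(root, "letsencrypt")
        v1_dir = os.path.join(old_cfg, "accounts", V1, "directory")
        v2_link = os.path.join(old_cfg, "accounts", V2, "directory")
        os.makedirs(v1_dir)
        os.makedirs(os.path.dirname(v2_link))
        if relative:
            symlink_relative(v1_dir, v2_link)
        else:
            os.symlink(v1_dir, v2_link)  # absolute target, as described in the issue
        new_cfg = os.path.join(root, "letsencryptnew")
        os.rename(old_cfg, new_cfg)  # the `mv` from the repro steps
        moved_link = os.path.join(new_cfg, "accounts", V2, "directory")
        # os.path.exists follows the link, so False means the link dangles.
        return os.readlink(moved_link), os.path.exists(moved_link)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for mode in (False, True):
        target, ok = build_and_move(relative=mode)
        print("relative" if mode else "absolute", target, "resolves" if ok else "dangling")
```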

@bmw bmw added priority: unplanned Work that we believe should be done, but does not have a higher priority. and removed priority: normal labels Mar 24, 2020
@github-actions

We've made a lot of changes to Certbot since this issue was opened. If you still have this issue with an up-to-date version of Certbot, can you please add a comment letting us know? This helps us to better see what issues are still affecting our users. If there is no activity in the next 30 days, this issue will be automatically closed.

@diablodale
Author

I do not have the time to reproduce. You are welcome to use my steps in the OP.
