Let's Encrypt compatibility with python3 #1057

Merged
merged 2 commits into from Jan 7, 2019

ouun commented Jan 4, 2019

The python script is not executable with Trellis >1.0.0 and Python >3. As I'm not familiar with python, this urgently needs some more tests but fixed it for me.
Please see: https://discourse.roots.io/t/task-letsencrypt-generate-the-certificates-usr-bin-env-python-no-such-file-or-directory/14493

Let's Encrypt compatibility with python3

swalkinshaw commented Jan 5, 2019

Sorry we missed this... not very good on my part 😔

This all looks good although it does assume the python3 binary which may not exist on Ubuntu 16.04 installs. It would be nice to figure out a dynamic way of referring to the version. I'm looking into this now.

ouun left a comment

Hi @swalkinshaw,

I'm absolutely not sure about compatibility with python2 and as mentioned before I'm not into Python. However I hope that my findings can help.

Resolved review comments on roles/letsencrypt/templates/renew-certs.py
Python3 compatibility: define strings
Define strings ' ' via b' '

@swalkinshaw swalkinshaw merged commit 899455e into roots:master Jan 7, 2019

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

swalkinshaw commented Jan 7, 2019

Thank you 🎉

@ouun ouun deleted the ouun:patch-1 branch Jan 7, 2019

ouun commented Jan 7, 2019

No, thank you!

swalkinshaw commented Jan 8, 2019

@ouun looking at this again (and testing it), I ran into an error. Is this currently working for you?

bundled_file.write(b''.join(b[cert, intermediate_cert]))
NameError: name 'b' is not defined

This makes sense since b only works for a string literal, not with an array. Got a new PR up: #1059
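
An added example, not code from this pull request or from Trellis: in Python 3 the `b` prefix marks a bytes literal, so the join takes `b""` as the separator and a plain list of bytes objects. `bundle_pem` and `to_bytes` are hypothetical names, and the str-or-bytes inputs and the PEM shape check are assumptions made here.

```python
import re

# One or more complete PEM certificate blocks and nothing else (shape check only).
_BLOCK = rb"-----BEGIN CERTIFICATE-----\s+[A-Za-z0-9+/=\s]+-----END CERTIFICATE-----"
PEM_CERTS = re.compile(rb"(?:" + _BLOCK + rb"\s*)+")


def to_bytes(pem):
    """Return PEM data as bytes whether the caller holds str or bytes."""
    if isinstance(pem, bytes):
        return pem
    return pem.encode("ascii")  # PEM is ASCII; anything else raises UnicodeEncodeError


def bundle_pem(cert, intermediate_cert):
    """Concatenate leaf and intermediate PEM data into one bytes object."""
    parts = []
    for name, pem in (("cert", cert), ("intermediate_cert", intermediate_cert)):
        data = to_bytes(pem).strip()
        if not PEM_CERTS.fullmatch(data):
            raise ValueError(name + " is not PEM certificate data")
        # A trailing newline keeps END and BEGIN markers on separate lines.
        parts.append(data + b"\n")
    # The b prefix belongs to the literal b""; the list already holds bytes.
    return b"".join(parts)


if __name__ == "__main__":
    # Constructed PEM-shaped samples; the bodies are not real certificates.
    leaf = "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----"
    inter = b"-----BEGIN CERTIFICATE-----\nSU5URVI=\n-----END CERTIFICATE-----\n"
    print(bundle_pem(leaf, inter).decode("ascii"))
```

The result is bytes, so the file that receives it has to be opened in binary mode (`"wb"`).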

ouun commented Jan 8, 2019

@swalkinshaw I'm not sure whether the following issue is related to the changes we did but I received the following error and didn't notice that nginx is not running:

nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2019-01-08 16:31:24 UTC; 2min 4s ago
     Docs: man:nginx(8)
  Process: 4398 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
  Process: 30426 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s reload (code=exited, status=0/SUCCESS)
  Process: 29348 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
  Process: 6250 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
 Main PID: 29352 (code=exited, status=0/SUCCESS)

Jan 08 16:31:24 stag1-www-ouun systemd[1]: Starting A high performance web server and a reverse proxy server...
Jan 08 16:31:24 stag1-www-ouun nginx[6250]: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/letsencrypt/dev.ouun.io.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
Jan 08 16:31:24 stag1-www-ouun nginx[6250]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jan 08 16:31:24 stag1-www-ouun systemd[1]: nginx.service: Control process exited, code=exited status=1
Jan 08 16:31:24 stag1-www-ouun systemd[1]: nginx.service: Failed with result 'exit-code'.
Jan 08 16:31:24 stag1-www-ouun systemd[1]: Failed to start A high performance web server and a reverse proxy server.
-- Unit nginx.service has begun starting up.
Jan 08 16:25:42 stag1-www-ouun nginx[4735]: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/letsencrypt/dev.ouun.io.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
Jan 08 16:25:42 stag1-www-ouun nginx[4735]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jan 08 16:25:42 stag1-www-ouun systemd[1]: nginx.service: Control process exited, code=exited status=1
Jan 08 16:25:42 stag1-www-ouun systemd[1]: nginx.service: Failed with result 'exit-code'.
Jan 08 16:25:42 stag1-www-ouun systemd[1]: Failed to start A high performance web server and a reverse proxy server.
-- Subject: Unit nginx.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit nginx.service has failed.
--
-- The result is RESULT.
Jan 08 16:25:47 stag1-www-ouun sshd[4757]: Unable to negotiate with 218.92.1.153 port 23962: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]

There was a mismatch (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch) and I am wondering if that could be related to my suggested changes.

I'm very sorry that I'm coming up with so many issues, but they seem to be related somehow.

Bests
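
One way to catch the `key values mismatch` failure from the log above before nginx is reloaded, as an added example that is not part of this thread or of Trellis: have OpenSSL check the new bundle against the private key and only then swap the file into place. `key_matches_bundle` and `install_bundle` are hypothetical names, and an unencrypted key file is assumed.

```python
import os
import ssl
import tempfile


def key_matches_bundle(bundle_path, key_path):
    """True if OpenSSL accepts key_path as the private key for bundle_path."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # load_cert_chain makes OpenSSL check the key against the certificate;
        # a mismatch or unreadable PEM raises ssl.SSLError (an OSError subclass).
        ctx.load_cert_chain(certfile=bundle_path, keyfile=key_path)
    except (ssl.SSLError, OSError):
        return False
    return True


def install_bundle(bundle_bytes, key_path, dest_path):
    """Write bundle_bytes to dest_path only if it matches key_path."""
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    # Temp file in the destination directory so os.replace stays on one filesystem.
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, suffix=".tmp")
    try:
        with os.fdopen(fd, "wb") as tmp:  # binary mode: the bundle is bytes
            tmp.write(bundle_bytes)
        if not key_matches_bundle(tmp_path, key_path):
            return False  # the previous bundle, if any, is left untouched
        os.replace(tmp_path, dest_path)  # atomic swap of the finished file
        return True
    finally:
        if os.path.exists(tmp_path):
            os.remove(tmp_path)
```

A caller would reload nginx only when `install_bundle` returns `True`, so a rejected bundle never reaches the path nginx reads.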

retlehs added a commit that referenced this pull request Jan 8, 2019

retlehs added a commit that referenced this pull request Jan 8, 2019

swalkinshaw commented Jan 9, 2019

@ouun no problem at all. It's our fault anyway so thanks for reporting these bugs.

This looks to be the same issue as in https://discourse.roots.io/t/successful-remote-provision-and-deploy-all-i-see-is-nginx-welcome-screen/14536/

I think it's best if we move discussion there.
