feat: certbot renew #665

Merged
merged 1 commit into from
Jan 28, 2024

SteveLauC
Member

Standards checklist:

  • The PR title is descriptive.
  • I have read CONTRIBUTING.md
  • The code compiles (cargo build)
  • The code passes rustfmt (cargo fmt)
  • The code passes clippy (cargo clippy)
  • The code passes tests (cargo test)
  • Optional: I have tested the code myself

For new steps

  • Optional: Topgrade skips this step where needed

  • Optional: The --dry-run option works with this step

  • Optional: The --yes option works with this step if it is supported by
    the underlying command

    The certbot command does not seem to support this feature, right @bw1faeh0?

If you developed a feature or a bug fix for someone else and you do not have the
means to test it, please tag this person here.

@@ -905,3 +908,16 @@ pub fn run_bob(ctx: &ExecutionContext) -> Result<()> {

ctx.run_type().execute(bob).args(["update", "--all"]).status_checked()
}

pub fn run_certbot(ctx: &ExecutionContext) -> Result<()> {
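Review bot: `run_certbot` takes whatever `certbot` the invoking user's PATH resolves to and runs it as root; the dry-run output posted under this hunk shows `/usr/bin/sudo /home/steve/.local/bin/certbot renew`, a binary inside a user-writable home directory. Suggest checking the resolved path before handing it to sudo (skip or warn when the file or a parent directory is writable by a non-root user), and adding a doc comment at the signature stating that this step requires sudo and which command it runs.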
Member Author


It simply executes sudo certbot renew:

$ ./target/debug/topgrade --only certbot

── 10:27:23 - Sudo ─────────────────────────────────────────────────────────────

── 10:27:23 - Certbot ──────────────────────────────────────────────────────────
certbot // fake output

── 10:27:23 - Summary ──────────────────────────────────────────────────────────
Certbot: OK
$ ./target/debug/topgrade --only certbot --dry-run

── 10:27:41 - Sudo ─────────────────────────────────────────────────────────────
Dry running: /usr/bin/sudo -v

── 10:27:41 - Certbot ──────────────────────────────────────────────────────────
Dry running: /usr/bin/sudo /home/steve/.local/bin/certbot renew

── 10:27:41 - Summary ──────────────────────────────────────────────────────────
Certbot: OK

@SteveLauC SteveLauC linked an issue Jan 26, 2024 that may be closed by this pull request
@bw1faeh0

The certbot command does not seem to support this feature, right @bw1faeh0?

Right. Since certbot asks the user no questions, there is no --yes to set a default answer.

@bw1faeh0

I tested the branch certbot from your repo:

❯ topgrade --version
Topgrade 14.0.1
❯ topgrade
<...>
── 19:59:51 - Certbot ──────────────────────────────────────────────────────────
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/cloud.bw1faeh0.dev.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/home.flaemig42.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/immich.bw1faeh0.dev.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/cloud.bw1faeh0.dev/fullchain.pem expires on 2024-04-14 (skipped)
  /etc/letsencrypt/live/home.flaemig42.de/fullchain.pem expires on 2024-04-26 (skipped)
  /etc/letsencrypt/live/immich.bw1faeh0.dev/fullchain.pem expires on 2024-03-17 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

── 19:59:53 - Git repositories ─────────────────────────────────────────────────
Pulling /home/karotte/configFiles
Up-to-date /home/karotte/configFiles

── 19:59:54 - Summary ──────────────────────────────────────────────────────────
System update: OK
oh-my-zsh: OK
rustup: OK
cargo: OK
vim: OK
Containers: FAILED
Certbot: OK
Git repositories: OK

Looks good so far, now a test with a failing certbot:

<snip>
── 20:06:46 - Certbot ──────────────────────────────────────────────────────────
[sudo] Passwort für karotte:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/cloud.flaemig42.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/data.flaemig42.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/flaemig42.de-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/haus.flaemig42.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/influxdb.flaemig42.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/meet.flaemig42.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/webmail.flaemig42.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for webmail.flaemig42.de
Using the webroot path /home/www/mail.flaemig42.de for all unmatched domains.
Waiting for verification...
Challenge failed for domain webmail.flaemig42.de
http-01 challenge for webmail.flaemig42.de
Cleaning up challenges
Attempting to renew cert (webmail.flaemig42.de) from /etc/letsencrypt/renewal/webmail.flaemig42.de.conf produced an unexpected error: Some challenges have failed.. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/wetter.flaemig42.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/webmail.flaemig42.de/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/cloud.flaemig42.de/fullchain.pem expires on 2024-04-03 (skipped)
  /etc/letsencrypt/live/data.flaemig42.de/fullchain.pem expires on 2024-03-26 (skipped)
  /etc/letsencrypt/live/flaemig42.de-0001/fullchain.pem expires on 2024-03-31 (skipped)
  /etc/letsencrypt/live/haus.flaemig42.de/fullchain.pem expires on 2024-03-25 (skipped)
  /etc/letsencrypt/live/influxdb.flaemig42.de/fullchain.pem expires on 2024-03-29 (skipped)
  /etc/letsencrypt/live/meet.flaemig42.de/fullchain.pem expires on 2024-03-25 (skipped)
  /etc/letsencrypt/live/wetter.flaemig42.de/fullchain.pem expires on 2024-04-20 (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/webmail.flaemig42.de/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: webmail.flaemig42.de
   Type:   connection
   Detail: 37.120.178.27: Fetching
   https://bircloud.flaemig42.de/.well-known/acme-challenge/HOcFNPJTDqeuxgm63janYI-MiDybgV0girhVZBKqSkE:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
Certbot failed: 
   0: Command failed: `/usr/bin/sudo /usr/bin/certbot renew`
   1: `/usr/bin/sudo` failed: exit status: 1

Location:
   src/steps/generic.rs:922
Retry? (y)es/(N)o/(s)hell/(q)uit

<snip>

── 20:07:34 - Summary ──────────────────────────────────────────────────────────
System update: OK
oh-my-zsh: OK
rustup: OK
cargo: OK
pip3: OK
vim: OK
Certbot: FAILED
Git repositories: OK

So, from my side the test was successful.
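
The two runs above differ only in what `certbot renew` prints in its closing summary and in its exit status. As an added example (not part of this PR or of Topgrade's code), this Rust parser reads that summary and reports skipped lineages with days until expiry plus failed lineages; all names are hypothetical, the sample text is constructed, and the reference date and 30-day threshold are assumed values.

```rust
// Added example, not Topgrade or certbot code; all names here are hypothetical.
// `skipped` holds (lineage, days until expiry).
#[derive(Debug, Default, PartialEq)]
pub struct RenewReport { pub skipped: Vec<(String, i64)>, pub failed: Vec<String> }

// Constructed sample modelled on the failing run in the thread (domains replaced).
pub const SAMPLE: &str = "\
  /etc/letsencrypt/live/cloud.example.org/fullchain.pem expires on 2024-04-03 (skipped)
  /etc/letsencrypt/live/meet.example.org/fullchain.pem expires on 2024-03-25 (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/webmail.example.org/fullchain.pem (failure)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/webmail.example.org/fullchain.pem (failure)";

/// "YYYY-MM-DD" -> days since 1970-01-01; None if malformed.
pub fn day_number(s: &str) -> Option<i64> {
    let p: Vec<i64> = s.split('-').map(|x| x.parse::<i64>().ok()).collect::<Option<_>>()?;
    let (y, m, d) = match p.as_slice() {
        &[y, m, d] if (1..=12).contains(&m) && (1..=31).contains(&d) => (y, m, d),
        _ => return None,
    };
    let y = if m <= 2 { y - 1 } else { y }; // count the year from 1 March
    let (era, yoe) = (y.div_euclid(400), y.rem_euclid(400));
    let doy = (153 * ((m + 9) % 12) + 2) / 5 + d - 1;
    Some(era * 146_097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719_468)
}

/// Lineage name: the directory that holds fullchain.pem.
fn lineage(path: &str) -> Option<String> {
    let dir = path.strip_suffix("/fullchain.pem")?;
    dir.rsplit('/').next().filter(|n| !n.is_empty()).map(str::to_owned)
}

/// Collect skipped and failed lineages; `today` is the reference date.
pub fn summarise(output: &str, today: &str) -> Option<RenewReport> {
    let today = day_number(today)?;
    let mut report = RenewReport::default();
    for line in output.lines().map(str::trim) {
        if let Some(rest) = line.strip_suffix(" (skipped)") {
            // rest is "<path> expires on YYYY-MM-DD"; unparsable lines are ignored
            let parsed = rest.split_once(" expires on ")
                .and_then(|(p, d)| Some((lineage(p)?, day_number(d)? - today)));
            report.skipped.extend(parsed);
        } else if let Some(name) = line.strip_suffix(" (failure)").and_then(lineage) {
            // The failing run lists the failed certificate twice; keep one entry.
            if !report.failed.contains(&name) { report.failed.push(name); }
        }
    }
    Some(report)
}

/// A failed renewal, or a skipped certificate with fewer than `min_days` left.
pub fn needs_attention(r: &RenewReport, min_days: i64) -> bool {
    !r.failed.is_empty() || r.skipped.iter().any(|(_, days)| *days < min_days)
}

fn main() {
    let r = summarise(SAMPLE, "2024-01-27").expect("valid reference date");
    println!("{:#?}\nneeds attention: {}", r, needs_attention(&r, 30));
}
```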

@SteveLauC SteveLauC merged commit 2e70d13 into topgrade-rs:main Jan 28, 2024
8 checks passed
@SteveLauC SteveLauC deleted the certbot branch January 28, 2024 05:03
Successfully merging this pull request may close these issues.

support letsencrypts certbot to renew certificates