letsencrypt package is now called certbot

[TJM]

I get the following on the command line:

Package letsencrypt is obsoleted by certbot, trying to install certbot-0.6.0-2.el7.noarch instead

Which results in a constant attempt to install letsencrypt package on systems:

Info: Applying configuration version '1466052442'
Notice: /Stage[main]/Letsencrypt::Install/Package[letsencrypt]/ensure: created
Info: Class[Letsencrypt::Install]: Scheduling refresh of Exec[initialize letsencrypt]
Notice: /Stage[main]/Letsencrypt/Exec[initialize letsencrypt]: Triggered 'refresh' from 1 events
Notice: Finished catalog run in 9.29 seconds

... because "letsencrypt" is not installed. ;)

[domcleal]

Do you have d28c04b (it's not in the latest release)? Alternatively setting allow_virtual => true might make it work.

[TJM]

No, it has not been released yet. I was hoping someone else had gotten sick of the "action/restart" every 30 mins too. Thanks @domcleal .

v1.0.0...master

There are a significant number of commits since the last release, perhaps we should push out a new release. ;)

[danzilio]

Will get a new release out in the next day or so :)

[danzilio]

New question: should we rename this module to certbot?

[TJM]

At least add certbot to the description and "tags" ... but it does seem logical to rename and then tag back to letsencrypt as certbot is letsencrypt client, right?

https://www.eff.org/deeplinks/2016/05/announcing-certbot-new-tls-robot

[domcleal]

I agree, it probably should be certbot now.

[fvanboven]

certbot seems like the right name.

[maxenced]

Btw, git repohas also be renamed to certbot ( https://github.com/certbot/certbot ) . Same occured for command names (certbot/certbot-auto).

[danzilio]

Thank you! I think I'm going to push one more release of letsencrypt with a notice that it's deprecated, and then I'll rename this module to certbot

[danzilio]

Just pushed to the certbot branch: https://github.com/danzilio/puppet-letsencrypt/compare/certbot

[maxenced]

Nice, will give it a try. Any reason to keep v0.4.2 as default version ? certbot is v0.8.1 right now (and should auto update to latest version itself btw).

[danzilio]

I just noticed that. I'll update the version!

[maxenced]

Still testing your branch, but looks like there is no venv neither cerbot vs certbot-auto commands. Basically, I had to set $command to the same as $command_init, ie : ${path}/certbot-auto so that command is :
/opt/certbot/certbot-auto --agree-tos certonly -a webroot --webroot-path /srv/www/certbot -d www.mydomain.com

[maxenced]

One more comment, live directory is still /etc/letsencrypt/live :)

[fvanboven]

FYI: We're testing the branch, seems to work quite nice. Only annoying (like @maxenced mentioned) that Certbot itself still has a bunch of "letsencrypt" references in there.

[seefood]

also, the nightly cron run explodes on a "python error", when I run the commandline manually I get a full screen message (ncurses?) about the cert not needing a renew and waiting for me to click OK. I don't see a CLI option to make it a quiet cron-friendly run. is this fixable with certbot or should I just switch to letsencrypt.sh?

[seefood]

just saw it does take -q and --non-interactive. can you fit that into the code or should I do a PR?

[danzilio]

Should we wait to release this module until certbot stabilizes? I'm just worried about the user experience here...

[danzilio]

@seefood I'll add -q to the cron command!

[seefood]

I did, and it does not help. the cronjob returns:

An unexpected error occurred:
PythonDialogBug
Please see the logfile 'certbot.log' for more details.

and

[root@puppet ~]# less certbot.log
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.8.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 718, in main
    cli.possible_deprecation_warning(config)
  File "/usr/lib/python2.7/site-packages/certbot/cli.py", line 161, in possible_deprecation_warning
    logger.warn("You are running with an old copy of certbot that does "
  File "/usr/lib64/python2.7/logging/__init__.py", line 1161, in warning
    self._log(WARNING, msg, args, **kwargs)
  File "/usr/lib64/python2.7/logging/__init__.py", line 1268, in _log
    self.handle(record)
  File "/usr/lib64/python2.7/logging/__init__.py", line 1278, in handle
    self.callHandlers(record)
  File "/usr/lib64/python2.7/logging/__init__.py", line 1318, in callHandlers
    hdlr.handle(record)
  File "/usr/lib64/python2.7/logging/__init__.py", line 749, in handle
    self.emit(record)
  File "/usr/lib/python2.7/site-packages/certbot/log.py", line 64, in emit
    self.width + self.PADDING_WIDTH)
  File "/usr/lib/python2.7/site-packages/dialog.py", line 2675, in infobox
    kwargs)
  File "/usr/lib/python2.7/site-packages/dialog.py", line 1765, in _widget_with_no_output
    widget_name, output))
PythonDialogBug

the commandline is certbot --agree-tos certonly -a webroot --keep-until-expiring --webroot-path /var/www/html/ -d <dom1> --webroot-path /var/www/html/ -d <dom2> -q

When I run it in a terminal it draws a ncurses-like blue screen with a white rectangle:

            ┌──────────────────────────────────────────────────────────────────────┐
            │ You are running with an old copy of certbot that does not receive    │
            │ updates, and is less reliable than more recent versions. We          │
            │ recommend upgrading to the latest certbot-auto script, or using      │
            │ native OS packages.                                                  │

how about we move to use a more cron-friendly client, like letsencrypt.sh? the way this is set up, I'm not going to get cert updates 90% of the time without manual intervention, and that's not an option.

[TJM]

I would recommend using OS native packages? :)

[seefood]

But I am...

[root@puppet alon]# yum install certbot
Package certbot-0.8.1-1.el7.noarch already installed and latest version
Nothing to do

[TJM]

@seefood sorry I thought I already responded to this, but I think we need to add --text to the cron job, there is an upstream bug that might be related certbot/certbot#2882 Sorry... there is also this: https://bugzilla.redhat.com/show_bug.cgi?id=1348391 .. which is a problem with the packages themselves.

I was still getting an error because I was trying to use certonly and the webserver needs to stop to give up the port (it would need to restart to use the new cert anyhow).

If anyone else here is running EL7, please test and add Karma here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-999186afcf

Thanks,
Tommy

[seefood]

So after -q --non-interactive worked nicely, --no-self-upgrade got rid of the final warning message, and I hope now the cronjob will quiet down till the certs are recreated. Thanks for the clues :-)

[TJM]

@danzilio - Can we get a release on this? ;)

[cpitkin]

PR #49 addresses this issue. Feel free to use the repo mentioned in the PR until it is merged into the mainline repo.

[claflico]

Any word on a release? Thanks.