puppet: Use certbot package timer, not our own cron job. #20512
Conversation

e5b63c4 to cc2321d
The certbot package installs its own systemd timer (and cron job, which disabled itself if systemd is enabled) which updates certificates. This process races with the cron job which Zulip installs -- the only difference being that Zulip respects the `certbot.auto_renew` setting, and that it passes the deploy hook. This means that occasionally nginx would not be reloaded, when the systemd timer caught the expiration first. Remove the custom cron job and `certbot-maybe-renew` script, and reconfigure certbot to always reload nginx after deploying, using certbot directory hooks. Since `certbot.auto_renew` can't have an effect, remove the setting. In turn, this removes the need for `--no-zulip-conf` to `setup-certbot`. `--deploy-hook` is similarly removed, as running deploy hooks to restart nginx is now the default; pass `--no-directory-hooks` in standalone mode to not attempt to reload nginx. The other property of `--deploy-hook`, of skipping symlinking into place, is given its own flag.
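The fix described above relies on certbot's directory hooks: anything executable under `renewal-hooks/deploy/` runs after a successful renewal regardless of which scheduler (package timer or cron) triggered it, so there is nothing left for a Zulip-specific cron job to race. The following shell script is an added example, not Zulip's own code or the content of this PR; it installs such a hook and gives a defender two checks (is the hook well-formed, is the old cron job really gone). The hook file name `nginx-reload`, the unit name `certbot.timer`, and the cron-file path passed to `has_stale_cron` are assumptions for illustration; `RENEWED_LINEAGE` is an environment variable certbot sets for deploy hooks.

```shell
#!/bin/sh
# Added example (not Zulip's code): install a certbot directory hook that
# reloads nginx after every successful renewal, so the package's own timer
# (assumed unit name certbot.timer) deploys certificates without needing a
# site-specific cron job. Paths are parametrised so the functions can be
# exercised against a scratch directory instead of /etc/letsencrypt.
set -eu

# write_nginx_reload_hook <letsencrypt_dir>
# Creates <letsencrypt_dir>/renewal-hooks/deploy/nginx-reload and prints its
# path. certbot runs every executable in that directory once per renewed
# lineage, with RENEWED_LINEAGE pointing at the certificate directory.
write_nginx_reload_hook() {
    hook_dir="$1/renewal-hooks/deploy"
    hook="$hook_dir/nginx-reload"           # assumed hook name
    mkdir -p "$hook_dir"
    cat > "$hook" <<'EOF'
#!/bin/sh
# certbot deploy hook: only runs when a certificate was actually renewed.
# RENEWED_LINEAGE is informational here; do not base trust decisions on it.
logger -t certbot-deploy "renewed ${RENEWED_LINEAGE:-unknown}; reloading nginx"
service nginx reload
EOF
    chmod 0755 "$hook"
    printf '%s\n' "$hook"
}

# hook_is_valid <path>
# Sanity check after installation: the hook must be executable, a /bin/sh
# script, and actually contain the nginx reload, otherwise certbot will
# silently deploy a certificate that nginx never picks up.
hook_is_valid() {
    [ -x "$1" ] \
        && head -n1 "$1" | grep -q '^#!/bin/sh' \
        && grep -q 'nginx reload' "$1"
}

# has_stale_cron <cron_file>
# Returns 0 (true) if a leftover site-specific certbot cron file still exists.
# After moving to the package timer it should be absent; if it is present the
# original race between two renewal schedulers is still possible.
has_stale_cron() {
    [ -e "$1" ]
}

# timer_active
# Live-system check only (needs systemd): confirms the package timer that now
# owns renewals is enabled and running.
timer_active() {
    systemctl is-active --quiet certbot.timer
}
```

On a real host you would call `write_nginx_reload_hook /etc/letsencrypt`, then `hook_is_valid` on the returned path, `has_stale_cron` on the old cron file, and `timer_active` to confirm the package timer is the only scheduler left. In standalone mode (no nginx in front), the PR's `--no-directory-hooks` flag is the way to keep certbot from running this hook at all.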
lgtm. I think ideally we'd add a small "Upgrade notes" entry saying that the

Are we planning to backport this to 4.x? If so, we probably want that upgrade notes entry to just be in the 4.9 section.

This does seem important enough to backport.
The change in flag name is necessary after zulip/zulip#20512.
Testing plan: Untested.