GNU bug report logs - #36389
nginx/certbot interaction doesn't work as documented


Package: guix; Reported by: Robert Vollmert <rob@HIDDEN>; dated Wed, 26 Jun 2019 08:40:01 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at 36389 <at> debbugs.gnu.org:


From: Robert Vollmert <rob@HIDDEN>
Subject: odd
Message-Id: <828259BC-1B2F-4741-975F-7E9E842AB750@HIDDEN>
Date: Wed, 26 Jun 2019 20:21:33 +0200
To: 36389 <at> debbugs.gnu.org

I agree that it sounds odd, and some of my original diagnostics
must be skewed. After several configuration changes and
system reconfigurations and nginx restarts, I do appear to
have a sensible state currently, and I can’t reliably
reproduce the problems I had before. I’m also pretty sure I
didn’t imagine it all, though.


Here’s something else I ran into while getting there:

At some point, nginx was running, even after calling

# herd stop nginx

and herd did list it as stopped. That nginx instance that got
away from shepherd might have been involved in the earlier
trouble. (Is it ok for shepherd to lose track of a child like
that?)

Another thing was that I got a failed nginx configuration test
that didn’t make sense. Notably, it complained that

(a) the user directive `user nginx nginx;` is ineffective when
not running as root and
(b) it didn’t have permission to access the letsencrypt keys.

Both of these indicate that the configuration test was not run
as root. I don’t see any reason in the code why that would
happen…


I’ll keep an eye on it and see if something similar occurs
again.






Message received at 36389 <at> debbugs.gnu.org:


References: <249AC56B-BE05-4162-B65D-618490163CB0@HIDDEN>
From: Alex Sassmannshausen <alex.sassmannshausen@HIDDEN>
To: bug-guix@HIDDEN
Subject: Re: bug#36389: nginx/certbot interaction doesn't work as documented
In-reply-to: <249AC56B-BE05-4162-B65D-618490163CB0@HIDDEN>
Date: Wed, 26 Jun 2019 10:31:57 +0100
Message-ID: <875zos3d6a.fsf@HIDDEN>
Cc: 36389 <at> debbugs.gnu.org

Hi Robert,

Robert Vollmert <rob@HIDDEN> writes:

> I’ve tried setting up nginx with certbot on guix. Two immediate issues:
>
> - certbot extends the nginx service to serve challenge files. It appears
>   that this nginx service extension conflicts (silently) with an independently
>   configured nginx service. I.e., I had nginx previously configured, and
>   after adding certbot, my previous nginx kept running with the previous
>   configuration (even after herd restart nginx), while there was an additional
>   nginx config in the gnu store with the certbot-specific fragments. certbot
>   activation called nginx to test that fragment, but apparently never started
>   nginx (successfully?). There were no errors.
>
>   After removing the stand-alone nginx service and restarting nginx, it started
>   with the certbot configuration.

This sounds odd, and I don't recall having this issue on my servers with
an nginx SSL server configuration extended with the certbot service.

>
> - After this, /var/lib/certbot/renew worked successfully to register a
>   certificate, but then failed when calling the nginx deploy hook that I’d
>   copied from the guix certbot documentation, because /var/run/nginx/pid
>   doesn’t exist. That might be a bug in the nginx package, not sure. I can’t
>   find an nginx pid file anywhere, and no other errors related to it either,
>   even though the config file includes
>     pid /var/run/nginx/pid;

The pid file exists on my servers running an SSL nginx server
configuration extended with certbot.

I've found the certbot & nginx services, overall, work very well
together.  But there are a couple of gotchas in my experience:

- The certbot service includes a redirect from port 80 to 443 for all
  except the .well-known location.  By itself this may cause no problems for
  you.

- If deploying on a server that hitherto has no SSL certificate you have
  a chicken and egg problem: you will want your site to be configured to
  use the letsencrypt cert directories, to serve ssl (the redirect means
  any non-ssl deployments won't work anyway), but those directories
  don't yet exist as you haven't generated certs with certbot yet.

Here's a journey that should work:
- run system configuration with just the certbot service
- use certbot to generate your initial certificates
- reconfigure with additional nginx server configuration, pointing to
  the SSL certificates created by certbot

If the above is not helpful, perhaps you could share the nginx
configuration generated when you have both certbot & your custom server
running?

Can't promise anything, but we might be able to spot what's happening.

Best wishes,

Alex
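
The two-stage "journey" above, written out as a Guix system configuration. This is an added example, not code from the bug report or from Guix itself; the domain www.example.org, the address admin@example.org and the web root under /srv/http are placeholders, and the deploy hook is a variant of the one in the Guix certbot documentation that checks for /var/run/nginx/pid before signalling nginx, which is the failure Robert reports. %stage-1-services and then %stage-2-services go into the services field of the operating-system declaration.

```scheme
;; Added example for bug#36389: a two-stage Guix configuration following the
;; "journey" in the thread.  Not code from the bug report or from Guix itself.
;; Placeholders (assumptions): www.example.org, admin@example.org and the
;; web root under /srv/http.
(use-modules (gnu)
             (guix gexp)
             (gnu services certbot)
             (gnu services web))

;; certbot runs this after each successful (re)issuance.  The hook in the
;; Guix manual signals the pid read from /var/run/nginx/pid unconditionally;
;; this variant checks that the file exists and holds a pid first, so a
;; missing pid file (the failure reported in this bug) gives a clear message
;; from /var/lib/certbot/renew instead of an opaque error.
(define %nginx-deploy-hook
  (program-file
   "nginx-deploy-hook"
   #~(let ((pid-file "/var/run/nginx/pid"))
       (unless (file-exists? pid-file)
         (format (current-error-port)
                 "~a: not found; is nginx running under shepherd?~%" pid-file)
         (exit 1))
       (let ((pid (call-with-input-file pid-file read)))
         (unless (and (integer? pid) (positive? pid))
           (format (current-error-port) "~a: no pid inside~%" pid-file)
           (exit 1))
         ;; SIGHUP makes the nginx master reload its configuration, and
         ;; with it the renewed certificate, without dropping connections.
         (kill pid SIGHUP)))))

(define %certbot-service
  (service certbot-service-type
           (certbot-configuration
            (email "admin@example.org")
            (certificates
             (list (certificate-configuration
                    (domains '("www.example.org"))
                    (deploy-hook %nginx-deploy-hook)))))))

;; Stage 1: nginx with defaults only.  certbot-service-type extends it with
;; the .well-known challenge location and the port 80 -> 443 redirect, so no
;; server block of your own refers to certificate files that do not exist
;; yet.  Reconfigure with this list, then run /var/lib/certbot/renew once
;; to obtain the initial certificate.
(define %stage-1-services
  (cons* %certbot-service
         (service nginx-service-type)
         %base-services))

;; Stage 2: /etc/letsencrypt/live/www.example.org/ now exists, so the TLS
;; server block can be added.  Reconfiguring with this list before stage 1
;; has produced the certificate fails nginx's configuration test, which is
;; the chicken-and-egg problem described in the thread.
(define %https-server
  (nginx-server-configuration
   (server-name '("www.example.org"))
   (listen '("443 ssl"))
   (root "/srv/http/www.example.org")
   (ssl-certificate "/etc/letsencrypt/live/www.example.org/fullchain.pem")
   (ssl-certificate-key "/etc/letsencrypt/live/www.example.org/privkey.pem")))

(define %stage-2-services
  (cons* %certbot-service
         (service nginx-service-type
                  (nginx-configuration
                   (server-blocks (list %https-server))))
         %base-services))
```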






Message received at submit <at> debbugs.gnu.org:


From: Robert Vollmert <rob@HIDDEN>
Subject: nginx/certbot interaction doesn't work as documented
Message-Id: <249AC56B-BE05-4162-B65D-618490163CB0@HIDDEN>
Date: Wed, 26 Jun 2019 10:39:22 +0200
To: bug-guix@HIDDEN

I’ve tried setting up nginx with certbot on guix. Two immediate issues:

- certbot extends the nginx service to serve challenge files. It appears
  that this nginx service extension conflicts (silently) with an independently
  configured nginx service. I.e., I had nginx previously configured, and
  after adding certbot, my previous nginx kept running with the previous
  configuration (even after herd restart nginx), while there was an additional
  nginx config in the gnu store with the certbot-specific fragments. certbot
  activation called nginx to test that fragment, but apparently never started
  nginx (successfully?). There were no errors.

  After removing the stand-alone nginx service and restarting nginx, it started
  with the certbot configuration.

- After this, /var/lib/certbot/renew worked successfully to register a
  certificate, but then failed when calling the nginx deploy hook that I’d
  copied from the guix certbot documentation, because /var/run/nginx/pid
  doesn’t exist. That might be a bug in the nginx package, not sure. I can’t
  find an nginx pid file anywhere, and no other errors related to it either,
  even though the config file includes
    pid /var/run/nginx/pid;





Last modified: Mon, 25 Nov 2019 12:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.