GNU bug report logs - #50423
‘certbot-configuration-deploy-hook’ is stateful


Package: guix;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Mon, 6 Sep 2021 07:54:02 UTC

Severity: normal

To reply to this bug, email your comments to 50423 AT debbugs.gnu.org.



Report forwarded to bug-guix <at> gnu.org:
bug#50423; Package guix. (Mon, 06 Sep 2021 07:54:02 GMT)

Acknowledgement sent to Ludovic Courtès <ludo <at> gnu.org>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Mon, 06 Sep 2021 07:54:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: bug-guix <at> gnu.org
Subject: ‘certbot-configuration-deploy-hook’ is stateful
Date: Mon, 06 Sep 2021 09:53:30 +0200
Hi,

I use certbot “deploy hooks” like this (excerpt from
‘hydra/bayfront.scm’ in guix/maintenance.git):

--8<---------------cut here---------------start------------->8---
(define %nginx-deploy-hook
  ;; Hook that restarts nginx when a new certificate is deployed.
  (program-file "nginx-deploy-hook"
                #~(let ((pid (call-with-input-file "/var/run/nginx/pid"
                               read)))
                    (kill pid SIGHUP))))

(define %certbot-configuration
  (certbot-configuration
   (webroot "/var/www")
   (email "ludovic.courtes <at> inria.fr")
   (certificates
    (list (certificate-configuration
           (domains '("bayfront.guix.gnu.org"
                      "logs.guix.gnu.org"
                      "bayfront.guix.info"
                      "hpc.guix.info"
                      "guix-hpc.bordeaux.inria.fr"
                      "coordinator.bayfront.guix.gnu.org"))
           (deploy-hook %nginx-deploy-hook))))))
--8<---------------cut here---------------end--------------->8---

The problem is that certbot records the deploy hook file name once for
all:

--8<---------------cut here---------------start------------->8---
ludo <at> bayfront ~$ sudo grep -r ryb6000fbb4lyb4ad294srkj4x8m821w /etc/letsencrypt/
Password:
/etc/letsencrypt/renewal/hpc.guix.info.conf:renew_hook = /gnu/store/ryb6000fbb4lyb4ad294srkj4x8m821w-nginx-deploy-hook
/etc/letsencrypt/renewal/guix-hpc.bordeaux.inria.fr.conf:renew_hook = /gnu/store/ryb6000fbb4lyb4ad294srkj4x8m821w-nginx-deploy-hook
--8<---------------cut here---------------end--------------->8---

After GC, the certbot config ends up pointing to a non-existing hook:

--8<---------------cut here---------------start------------->8---
ludo <at> bayfront ~$ sudo certbot renew

[...]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/hpc.guix.info.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for hpc.guix.info
Hook 'deploy-hook' reported error code 127
Hook 'deploy-hook' ran with error output:
 /gnu/store/pwcp239kjf7lnj5i4lkdzcfcxwcfyk72-bash-minimal-5.0.16/bin/sh: /gnu/store/ryb6000fbb4lyb4ad294srkj4x8m821w-nginx-deploy-hook: No such file or directory
--8<---------------cut here---------------end--------------->8---

Most likely, the only solution would be to populate a fixed directory
name, say /etc/nginx/hooks/deploy, such that certbot configuration
remains valid.

Thoughts?

Ludo’.
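The failure mode above is easy to detect before `certbot renew` trips over it: the renewal files under `/etc/letsencrypt/renewal/` name the hook path in clear text, so a script can check whether every recorded hook still resolves to an executable. The following POSIX sh script is an added example for this report; it is not part of the report, of certbot, or of Guix. It reads `renew_hook` (the key shown in the report) together with `pre_hook` and `post_hook`, the other hook keys certbot keeps in the same section. The `make_fixture` helper builds a constructed set of renewal files for a dry run, with a made-up store path that is assumed to have been collected and a hook installed under a fixed directory of the kind the report proposes; `check_renewal_hooks` is the actual check and can be pointed at a real renewal directory.

```shell
#!/bin/sh
# Added example (not from the bug report, certbot or Guix): find certbot
# renewal configurations whose hook points at a path that no longer exists,
# which is the state the report describes once the store item holding the
# hook has been garbage-collected.

# check_renewal_hooks RENEWAL_DIR
# Scans RENEWAL_DIR/*.conf (normally /etc/letsencrypt/renewal) for hook
# settings, prints "<conf>: <key> = <value>" for every hook whose executable
# is missing or not executable, and returns the number of such hooks.
check_renewal_hooks() {
    dir=$1
    dangling=0
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        # renew_hook is the key certbot writes for --deploy-hook (the one
        # quoted in the report); pre_hook and post_hook are the other hook
        # keys certbot keeps in the same section.
        while IFS= read -r line; do
            [ -n "$line" ] || continue
            key=$(printf '%s' "${line%%=*}" | tr -d ' ')
            value=$(printf '%s' "${line#*=}" | sed 's/^ *//; s/ *$//')
            # The hook may be a full command line; the shell runs its first word.
            exe=${value%% *}
            if [ ! -x "$exe" ]; then
                printf '%s: %s = %s\n' "$conf" "$key" "$value"
                dangling=$((dangling + 1))
            fi
        done <<EOF
$(grep -E '^(renew_hook|pre_hook|post_hook)[[:space:]]*=' "$conf")
EOF
    done
    return "$dangling"
}

# make_fixture DIR
# Builds a constructed set of renewal files under DIR for a dry run: one
# pointing at a made-up store path that is assumed to have been collected,
# one pointing at a hook installed under a fixed directory (the layout the
# report suggests), and one with no hook at all.
make_fixture() {
    base=$1
    mkdir -p "$base/renewal" "$base/hooks"
    printf '#!/bin/sh\nexit 0\n' > "$base/hooks/deploy"
    chmod +x "$base/hooks/deploy"
    printf '[renewalparams]\nrenew_hook = %s\n' \
        "$base/gnu/store/0000000000000000000000000000000-nginx-deploy-hook" \
        > "$base/renewal/collected.example.conf"
    printf '[renewalparams]\nrenew_hook = %s\n' "$base/hooks/deploy" \
        > "$base/renewal/stable.example.conf"
    printf '[renewalparams]\nauthenticator = webroot\n' \
        > "$base/renewal/nohook.example.conf"
}

# Usage: sh check-renewal-hooks.sh /etc/letsencrypt/renewal
if [ $# -gt 0 ]; then
    check_renewal_hooks "$1"
fi
```

The exit status is the number of dangling hooks, so the check can run from a cron job or a Shepherd timer and alert on non-zero; the printed lines name the renewal file and the key to fix. It only reports, and deliberately does not rewrite the renewal files, since the durable fix is the one the report points at: give certbot a path that stays valid across store garbage collection.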







GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.