Bug ID 1119619
Summary certbot does not renew certificates (again)
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware x86-64
OS openSUSE Factory
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter jimc@math.ucla.edu
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

Formerly I had python-certbot-0.26.1-1.1.noarch and it could 
renew certs.  Now I have 
python3-certbot-0.28.0-2.1.noarch on openSUSE Tumbleweed VERSION="20181208".
This is the one with the dependency on python-mock restored/added.
It says "No renewals were attempted"  on both of my hosts that use certbot.  
I tracked this down to a (non) migration issue: formerly the state dir
was /etc/certbot but now it is /etc/letsencrypt, which of course contains
no lineages, so no renewals were attempted.  

Workaround: 
mv /etc/letsencrypt /etc/letsencrypt.empty
mv /etc/certbot /etc/letsencrypt
ln -s letsencrypt /etc/certbot
The symlink is so explicit filenames in config files, or symlinks in e.g. 
/etc/openssl/private, will still find the cert and key until I locate 
and fix them.  Tested: my Apache webserver still can authenticate using
the (not quite expired) old cert.  I ran "certbot renew", its webroot
challenges were acceptable (despite some DNAT stuff), and the report was:
Congratulations, all renewals succeeded... (list of 1 renewed cert).
Testing: the webserver successfully uses the new cert.  

By the way, old logs are in /var/log/certbot which is still there but is
supplanted by /var/log/letsencrypt.  

It would be nice if the python3-certbot and python2-certbot packages 
had a migration script for users who are having trouble figuring out 
why their certs are not being renewed.  

I'm not sure whether migration scripts in packages should be reported
upstream, or to the distro; if the former, let me know and I'll open a
ticket upstream.  Also I set the component to "security" since the X.509
certificate's purpose is security, but if a different component would
be more appropriate please feel free to change it.
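
A check for the condition described in this report, added here as an example; it is not the reporter's code and not part of the certbot packages. It assumes certbot's usual layout of one renewal/<lineage>.conf file per certificate under the state directory; the function name and its exit codes are this example's own.

```shell
#!/bin/sh
# Report certbot lineages that exist only in the old state directory and
# would therefore be skipped by "certbot renew" reading the new one.
# Assumed layout: <state-dir>/renewal/<lineage>.conf

# find_stranded_lineages OLD_DIR NEW_DIR
# Prints one lineage name per line for each renewal config present under
# OLD_DIR but missing under NEW_DIR.
# Exit status: 0 = nothing stranded, 1 = at least one lineage stranded.
find_stranded_lineages() {
    old=$1
    new=$2

    # After the workaround, OLD_DIR is a symlink to NEW_DIR: same
    # physical directory, so nothing can be stranded.
    if [ -d "$old" ] && [ -d "$new" ] &&
       [ "$(cd "$old" && pwd -P)" = "$(cd "$new" && pwd -P)" ]; then
        return 0
    fi

    stranded=0
    for conf in "$old"/renewal/*.conf; do
        [ -f "$conf" ] || continue      # glob matched nothing
        name=$(basename "$conf" .conf)
        if [ ! -f "$new/renewal/$name.conf" ]; then
            printf '%s\n' "$name"
            stranded=1
        fi
    done
    return "$stranded"
}

# Run with --check to test the two paths named in the report.
if [ "${1:-}" = "--check" ]; then
    find_stranded_lineages /etc/certbot /etc/letsencrypt ||
        echo "the lineages listed above are not renewed from /etc/letsencrypt" >&2
fi
```
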

