Bug ID | 1119619 |
---|---|
Summary | certbot does not renew certificates (again) |
Classification | openSUSE |
Product | openSUSE Tumbleweed |
Version | Current |
Hardware | x86-64 |
OS | openSUSE Factory |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Security |
Assignee | security-team@suse.de |
Reporter | jimc@math.ucla.edu |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
Formerly I had python-certbot-0.26.1-1.1.noarch and it could renew certs. Now I have python3-certbot-0.28.0-2.1.noarch on OpenSuSE Tumbleweed VERSION="20181208" This is the one with the dependency on python-mock restored/added. It says "No renewals were attempted" on both of my hosts that use certbot. I tracked this down to a (non) migration issue: formerly the state dir was /etc/certbot but now it is /etc/letsencrypt, which of course contains no lineages, so no renewals were attempted. Workaround: mv /etc/letsencrypt /etc/letsencrypt.empty mv /etc/certbot /etc/letsencrypt ln -s letsencrypt certbot The symlink is so explicit filenames in config files, or symlinks in e.g. /etc/openssl/private, will still find the cert and key until I locate and fix them. Tested: my Apache webserver still can authenticate using the (not quite expired) old cert. I ran "certbot renew", its webroot challenges were acceptable (despite some DNAT stuff), and the report was: Congratulations, all renewals succeeded... (list of 1 renewed cert). Testing: the webserver successfully uses the new cert. By the way, old logs are in /var/log/certbot which is still there but is supplanted by /var/log/letsencrypt. It would be nice if the python3-certbot and python2-certbot packages had a migration script for users who are having trouble figuring out why their certs are not being renewed. I'm not sure whether migration scripts in packages should be reported upstream, or to the distro; if the former, let me know and I'll open a ticket upstream. Also I set the component to "security" since the X.509 certificate's purpose is security, but if a different component would be more appropriate please feel free to change it.