[Bug 1119619] New: certbot does not renew certificates (again)
http://bugzilla.opensuse.org/show_bug.cgi?id=1119619

            Bug ID: 1119619
           Summary: certbot does not renew certificates (again)
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: x86-64
                OS: openSUSE Factory
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: jimc@math.ucla.edu
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

Formerly I had python-certbot-0.26.1-1.1.noarch and it could renew certs.
Now I have python3-certbot-0.28.0-2.1.noarch on OpenSuSE Tumbleweed VERSION="20181208".
This is the one with the dependency on python-mock restored/added.

It says "No renewals were attempted" on both of my hosts that use certbot. I tracked this down to a (non) migration issue: formerly the state dir was /etc/certbot but now it is /etc/letsencrypt, which of course contains no lineages, so no renewals were attempted.

Workaround:

mv /etc/letsencrypt /etc/letsencrypt.empty
mv /etc/certbot /etc/letsencrypt
ln -s letsencrypt certbot

The symlink is so explicit filenames in config files, or symlinks in e.g. /etc/openssl/private, will still find the cert and key until I locate and fix them.

Tested: my Apache webserver still can authenticate using the (not quite expired) old cert. I ran "certbot renew", its webroot challenges were acceptable (despite some DNAT stuff), and the report was: Congratulations, all renewals succeeded... (list of 1 renewed cert). Testing: the webserver successfully uses the new cert.

By the way, old logs are in /var/log/certbot which is still there but is supplanted by /var/log/letsencrypt.

It would be nice if the python3-certbot and python2-certbot packages had a migration script for users who are having trouble figuring out why their certs are not being renewed. I'm not sure whether migration scripts in packages should be reported upstream, or to the distro; if the former, let me know and I'll open a ticket upstream.

Also I set the component to "security" since the X.509 certificate's purpose is security, but if a different component would be more appropriate please feel free to change it.

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1119619
http://bugzilla.opensuse.org/show_bug.cgi?id=1119619#c2

Tomas Kuchta <tomas.kuchta@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tomas.kuchta@gmail.com

--- Comment #2 from Tomas Kuchta <tomas.kuchta@gmail.com> ---
This exact issue is also present in leap opensuse 15.0.

Perhaps the package in opensuse should use default /etc/letsencrypt instead of changing it to /etc/certbot at the certificate install only. Certbot is using default /etc/letsencrypt for other sub-commands.

BTW: the link command for the workaround below needs adjustment:

mv /etc/letsencrypt /etc/letsencrypt.empty
mv /etc/certbot /etc/letsencrypt
(cd /etc ; ln -s letsencrypt certbot)

After this, all seems to be working fine.

Hope this helps,
Tomas
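Added example, not part of the thread or of the openSUSE package: a POSIX shell check for the condition reported above (lineages left in /etc/certbot while /etc/letsencrypt has none), which applies the workaround's three commands only in that state. The ROOT prefix and the function names are assumptions made for illustration; the check relies on certbot keeping one renewal/*.conf file per lineage.

```shell
#!/bin/sh
# Added example (not from the thread). ROOT is a hypothetical prefix so the
# check can be tried on a scratch tree; leave it empty for the live system.

# Count certbot lineages: one renewal/*.conf file per certificate.
count_lineages() {
    n=0
    for f in "$1"/renewal/*.conf; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Print one of: linked | stranded | conflict | ok
certbot_state() {
    old="$1/etc/certbot"
    new="$1/etc/letsencrypt"
    if [ -L "$old" ]; then echo linked; return 0; fi
    o=$(count_lineages "$old")
    n=$(count_lineages "$new")
    if [ "$o" -gt 0 ] && [ "$n" -eq 0 ]; then
        echo stranded      # the state reported in this bug
    elif [ "$o" -gt 0 ]; then
        echo conflict      # both dirs hold lineages: needs a human
    else
        echo ok
    fi
}

# Apply the workaround from the thread, only in the "stranded" state.
migrate_certbot_state() {
    etc="$1/etc"
    [ "$(certbot_state "$1")" = stranded ] || return 1
    # Refuse to nest directories if an earlier attempt left a backup behind.
    [ ! -e "$etc/letsencrypt.empty" ] || return 1
    if [ -e "$etc/letsencrypt" ]; then
        mv "$etc/letsencrypt" "$etc/letsencrypt.empty" || return 1
    fi
    mv "$etc/certbot" "$etc/letsencrypt" || return 1
    # Relative link created inside /etc, as in comment #2.
    (cd "$etc" && ln -s letsencrypt certbot)
}

# Report only; migration is a separate, explicit call.
certbot_state "${ROOT:-}"
```

The "conflict" state is left alone on purpose: if both directories hold lineages, moving one over the other would discard keys.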
http://bugzilla.opensuse.org/show_bug.cgi?id=1119619
http://bugzilla.opensuse.org/show_bug.cgi?id=1119619#c3

Johannes Weberhofer <jweberhofer@weberhofer.at> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jweberhofer@weberhofer.at

--- Comment #3 from Johannes Weberhofer <jweberhofer@weberhofer.at> ---
Currently the packages are maintained by @mcalabkova and @scarabeus_iv. It would be great to see this issue solved.

IMHO the package should automatically create the compatibility links if necessary.
http://bugzilla.opensuse.org/show_bug.cgi?id=1119619
http://bugzilla.opensuse.org/show_bug.cgi?id=1119619#c4

Jon Brightwell <jon@moozaad.co.uk> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jon@moozaad.co.uk

--- Comment #4 from Jon Brightwell <jon@moozaad.co.uk> ---
Confirmed on L15.

`certbot certificates` doesn't list pre-existing certs from before the update. Linking to certbot fixes it.
http://bugzilla.opensuse.org/show_bug.cgi?id=1119619

Tomáš Chvátal <tchvatal@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tchvatal@suse.com
           Assignee|dleuenberger@suse.com       |mcalabkova@suse.com
http://bugzilla.opensuse.org/show_bug.cgi?id=1119619
http://bugzilla.opensuse.org/show_bug.cgi?id=1119619#c9

Freek de Kruijf <freek@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |freek@opensuse.org

--- Comment #9 from Freek de Kruijf <freek@opensuse.org> ---
I used python3-certbot version 0.36.0-2.1 on a Raspberry Pi 2B with arguments "certonly --manual" and it crashed.

Error message: Segmentation error (core dumped).
coredump could not be found.

debug log:

2019-08-01 17:49:52,530:DEBUG:certbot.main:certbot version: 0.36.0
2019-08-01 17:49:52,533:DEBUG:certbot.main:Arguments: ['--manual']
2019-08-01 17:49:52,534:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-08-01 17:49:52,667:DEBUG:certbot.log:Root logging level set at 20
2019-08-01 17:49:52,671:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-08-01 17:49:52,677:DEBUG:certbot.plugins.selection:Requested authenticator manual and installer None
2019-08-01 17:49:52,716:DEBUG:certbot.plugins.selection:Single candidate plugin: * manual
Description: Manual configuration or run your own shell scripts
Interfaces: IAuthenticator, IPlugin
Entry point: manual = certbot.plugins.manual:Authenticator
Initialized: <certbot.plugins.manual.Authenticator object at 0xffff958f7e10>
Prep: True
2019-08-01 17:49:52,720:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.manual.Authenticator object at 0xffff958f7e10> and installer None
2019-08-01 17:49:52,721:INFO:certbot.plugins.selection:Plugins selected: Authenticator manual, Installer None
2019-08-01 17:49:52,749:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/46675256', new_authzr_uri=None, terms_of_service=None), 0f68e94ffa7bc96cf454d7d1152095bf, Meta(creation_dt=datetime.datetime(2018, 11, 28, 17, 2, 20, tzinfo=<UTC>), creation_host='bpim64tumpine.beelaertsict.nl'))>
2019-08-01 17:49:52,756:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2019-08-01 17:49:52,774:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443

I used the python2 version, also 0.36.0-2.1 which did succeed.
http://bugzilla.opensuse.org/show_bug.cgi?id=1119619
http://bugzilla.opensuse.org/show_bug.cgi?id=1119619#c12

--- Comment #12 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1119619) was mentioned in
https://build.opensuse.org/request/show/988418 Backports:SLE-15-SP4 / python-certbot