
certbot: When using ACME certificates, consuming daemons are not reloaded on update
Open, Requires assessment / Public / BUG

Description

Reproduce:

set pki certificate vyos acme domain-name 'router.vyos.net'
set pki certificate vyos acme email 'foo@bar.com'
set pki certificate vyos acme url 'https://acme-staging-v02.api.letsencrypt.org/directory'

set vpn openconnect authentication local-users username soasdf564654 password 'vyos1234'
set vpn openconnect authentication mode local 'password'
set vpn openconnect network-settings client-ip-settings subnet '10.0.0.0/29'
set vpn openconnect network-settings name-server '1.1.1.1'
set vpn openconnect ssl certificate vyos

Force renewal using: sudo /usr/bin/certbot renew --config-dir /config/auth/letsencrypt --no-random-sleep-on-renew --post-hook "/usr/libexec/vyos/vyos-certbot-renew-pki.sh" --force-renewal

The main issue is that if a certbot renewal is triggered, we do NOT add any dependencies to call other configuration paths
https://github.com/vyos/vyos-1x/blob/f1ccb39b2a93b8a1cc0ee83403ee681910d22fbb/src/conf_mode/pki.py#L150-L151

This would do the immediate job, but it's only a partial fix and would call the openconnect dependency even if it might not be needed at all. It also misses out on e.g. IPSec VPN, HaProxy or the HTTP server.
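The gap described above is that a renewal has no way to discover which services actually consume the renewed certificate, so a patch has to hardcode one dependent. The following is an added example (not code from vyos-1x) of how that discovery could look: a table of consumer configuration paths is walked against a nested config dict, and only services whose certificate reference names an ACME-managed certificate are returned. The openconnect and https paths follow the `set` commands in this report; the reverse-proxy and ipsec paths, the dependent names, and the sample config are assumptions made for illustration.

```python
"""Discover which services consume a given PKI certificate.

Added example, not code from vyos-1x. The consumer table lists config paths
where a service references a certificate by name. ASSUMPTION: the openconnect
and https paths mirror the report's `set` commands; the reverse-proxy and
ipsec paths and the dependent names are illustrative only.
"""

# (config path, dependent name). A '*' in a path matches every instance of a
# tag node (e.g. every reverse-proxy service name).
CONSUMERS = [
    (("vpn", "openconnect", "ssl", "certificate"), "openconnect"),
    (("service", "https", "certificates", "certificate"), "https"),
    (("load-balancing", "reverse-proxy", "service", "*", "ssl", "certificate"), "reverse_proxy"),
    (("vpn", "ipsec", "site-to-site", "peer", "*", "authentication", "x509", "certificate"), "ipsec"),
]


def _lookup(tree, path):
    """Yield every value found at `path` in a nested dict, expanding '*' over tag nodes."""
    if not path:
        yield tree
        return
    if not isinstance(tree, dict):
        return
    head, rest = path[0], path[1:]
    if head == "*":
        for child in tree.values():
            yield from _lookup(child, rest)
    elif head in tree:
        yield from _lookup(tree[head], rest)


def consumers_of(config: dict, cert_name: str, consumers=CONSUMERS) -> list:
    """Dependents (deduplicated, in table order) whose config references cert_name."""
    found = []
    for path, dependent in consumers:
        for value in _lookup(config, path):
            if value == cert_name and dependent not in found:
                found.append(dependent)
    return found


def acme_certificates(config: dict) -> list:
    """Names of pki certificates managed by certbot, i.e. those with an 'acme' node."""
    certs = config.get("pki", {}).get("certificate", {})
    return [name for name, node in certs.items() if "acme" in node]


def dependents_for_renewal(config: dict) -> list:
    """What a renewal hook should register: every consumer of every ACME certificate,
    and nothing else (a service using a non-ACME certificate is not restarted)."""
    deps = []
    for name in acme_certificates(config):
        for dependent in consumers_of(config, name):
            if dependent not in deps:
                deps.append(dependent)
    return deps


# Constructed sample config mirroring the report: 'vyos' is the ACME certificate,
# used by openconnect and a reverse-proxy service; https uses a non-ACME cert.
SAMPLE_CONFIG = {
    "pki": {"certificate": {
        "vyos": {"acme": {"domain-name": "router.vyos.net"}},
        "internal": {"certificate": "<pem omitted>"},
    }},
    "vpn": {"openconnect": {"ssl": {"certificate": "vyos"}}},
    "service": {"https": {"certificates": {"certificate": "internal"}}},
    "load-balancing": {"reverse-proxy": {"service": {"web": {"ssl": {"certificate": "vyos"}}}}},
}

if __name__ == "__main__":
    print(dependents_for_renewal(SAMPLE_CONFIG))
```

With the sample config, a renewal would register only openconnect and reverse_proxy; https is left alone because its certificate is not ACME-managed, and a router with no consumers at all registers nothing, which is the behaviour the hardcoded `set_dependents('openconnect', conf)` cannot provide.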

diff --git c/src/conf_mode/pki.py i/src/conf_mode/pki.py
index acea2c9be..ea723e174 100755
--- c/src/conf_mode/pki.py
+++ i/src/conf_mode/pki.py
@@ -149,6 +149,7 @@ def get_config(config=None):

     if len(argv) > 1 and argv[1] == 'certbot_renew':
         pki['certbot_renew'] = {}
+        set_dependents('openconnect', conf)

     changed_keys = ['ca', 'certificate', 'dh', 'key-pair', 'openssh', 'openvpn']
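Review bot: `set_dependents('openconnect', conf)` is registered unconditionally whenever `argv[1] == 'certbot_renew'`, so every renewal will restart openconnect even on a router with no openconnect configuration, and even when the renewed certificate is not the one openconnect references. Since `pki['certbot_renew'] = {}` carries no information about which certificate was renewed, consider gating the dependency on the consumer actually referencing an ACME-managed certificate (e.g. `conf.exists(['vpn', 'openconnect', 'ssl', 'certificate'])` and a match against a certificate that has an `acme` node), and applying the same lookup to the other consumers the description names rather than hardcoding one.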

@@ -506,7 +507,7 @@ def apply(pki):
     elif has_certbot and not is_systemd_service_active(systemd_certbot_name):
         call(f'systemctl restart {systemd_certbot_name}')

-    if 'changed' in pki:
+    if 'changed' in pki or 'certbot_renew' in pki:
         call_dependents()

         # Rebuild ca-certificates bundle
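Review bot: widening the condition to `if 'changed' in pki or 'certbot_renew' in pki:` also runs the "Rebuild ca-certificates bundle" code that follows inside the same block, so every certbot renewal now rebuilds the system CA bundle although an ACME leaf certificate renewal changes no CA. If the intent is only to notify consumers, call `call_dependents()` on the `certbot_renew` path separately and keep the bundle rebuild tied to `'changed' in pki`; note also that `call_dependents()` does nothing here unless the first hunk registered a dependent, so the two hunks only work together.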

Details

Version: 1.4.0
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)
Forum thread: https://forum.vyos.io/t/some-certboot-issue/16272