Issue appeared while working with certbot and forcing certificate renewals against the Let's Encrypt staging API.
Configuring ACME works out of the box:
set pki certificate LR5.wue4 acme domain-name 'LR5.wue4.vyos.net'
set pki certificate LR5.wue4 acme email 'foo@bar.com'
set pki certificate LR5.wue4 acme url 'https://acme-staging-v02.api.letsencrypt.org/directory'
Certificates are created and handled via the classic live/ to archive/ symlinks, exactly as certbot does:
cpo@LR5.wue4:~$ sudo ls -la /config/auth/letsencrypt/live/LR5.wue4
total 12
drwxr-sr-x 2 root vyattacfg 4096 Mar 28 19:17 .
drwx--S--- 3 root vyattacfg 4096 Mar 28 19:17 ..
lrwxrwxrwx 1 root vyattacfg   32 Mar 28 19:17 cert.pem -> ../../archive/LR5.wue4/cert1.pem
lrwxrwxrwx 1 root vyattacfg   33 Mar 28 19:17 chain.pem -> ../../archive/LR5.wue4/chain1.pem
lrwxrwxrwx 1 root vyattacfg   37 Mar 28 19:17 fullchain.pem -> ../../archive/LR5.wue4/fullchain1.pem
lrwxrwxrwx 1 root vyattacfg   35 Mar 28 19:17 privkey.pem -> ../../archive/LR5.wue4/privkey1.pem
-rw-r--r-- 1 root vyattacfg  692 Mar 28 19:17 README
Upgrading VyOS to a newer image copies the contents of /config into the new image. During that copy the symlinks are resolved, so after the upgrade each entry is no longer a link but a regular-file copy of the archived certificate:
cpo@LR5.wue4:~$ sudo ls -la /config/auth/letsencrypt/archive/LR5.wue4
total 24
drwxr-sr-x 2 root vyattacfg 4096 Mar 28 19:17 .
drwx--S--- 3 root vyattacfg 4096 Mar 28 19:17 ..
-rw-r--r-- 1 root vyattacfg 1923 Mar 28 19:20 cert1.pem
-rw-r--r-- 1 root vyattacfg 1899 Mar 28 19:20 chain1.pem
-rw-r--r-- 1 root vyattacfg 3822 Mar 28 19:20 fullchain1.pem
-rw------- 1 root vyattacfg 1704 Mar 28 19:20 privkey1.pem
Certificates can no longer be renewed with certbot, because certbot refuses to process a lineage whose live/ entries are not symlinks:
cpo@LR5.wue4:~$ renew certbot
Job for certbot.service failed because the control process exited with error code.
See "systemctl status certbot.service" and "journalctl -xeu certbot.service" for details.
Mar 28 19:29:07 LR5.wue4 certbot[3435]: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Mar 28 19:29:07 LR5.wue4 certbot[3435]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Mar 28 19:29:07 LR5.wue4 certbot[3435]: Processing /config/auth/letsencrypt/renewal/LR5.wue4.conf
Mar 28 19:29:07 LR5.wue4 certbot[3435]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Mar 28 19:29:07 LR5.wue4 certbot[3435]: Renewal configuration file /config/auth/letsencrypt/renewal/LR5.wue4.conf is broken.
Mar 28 19:29:07 LR5.wue4 certbot[3435]: The error was: expected /config/auth/letsencrypt/live/LR5.wue4/cert.pem to be a symlink
Mar 28 19:29:07 LR5.wue4 certbot[3435]: Skipping.
Mar 28 19:29:07 LR5.wue4 certbot[3435]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Mar 28 19:29:07 LR5.wue4 certbot[3435]: No renewals were attempted.
Mar 28 19:29:07 LR5.wue4 certbot[3435]: No hooks were run.
Mar 28 19:29:07 LR5.wue4 certbot[3435]: Additionally, the following renewal configurations were invalid:
Mar 28 19:29:07 LR5.wue4 certbot[3435]: /config/auth/letsencrypt/renewal/LR5.wue4.conf (parsefail)
Mar 28 19:29:07 LR5.wue4 certbot[3435]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Mar 28 19:29:07 LR5.wue4 certbot[3435]: 0 renew failure(s), 1 parse failure(s)
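The following script is an added example, not VyOS or certbot code, showing how the broken state above can be detected and repaired: for each of the four files certbot keeps in live/LINEAGE/, it checks whether the entry is a regular file instead of a symlink, confirms that the copy is byte-identical to the highest-numbered archive/LINEAGE/ copy (so nothing newer is thrown away), and then replaces it with the same relative symlink certbot itself creates. The paths and the lineage name LR5.wue4 follow the report; the function names and the constructed demo directory under mktemp are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not VyOS/certbot code): re-create the live/ -> archive/
# symlinks that certbot expects after an image upgrade turned them into copies.

# repair_live_dir BASE LINEAGE
# For cert/chain/fullchain/privkey in BASE/live/LINEAGE: if the entry is a
# regular file, find the highest archive serial (e.g. cert3.pem -> 3), refuse
# if the copy differs from that archive file, otherwise replace the copy with
# the relative symlink certbot would have written. Returns 1 on any problem.
repair_live_dir() {
    base="$1"; lineage="$2"
    live="$base/live/$lineage"
    archive="$base/archive/$lineage"
    rc=0
    for name in cert chain fullchain privkey; do
        target="$live/$name.pem"
        if [ -L "$target" ]; then
            continue                       # still a symlink, nothing to do
        fi
        if [ ! -f "$target" ]; then
            echo "missing: $target" >&2; rc=1; continue
        fi
        # highest serial N among archive/LINEAGE/<name>N.pem
        latest=$(ls "$archive" 2>/dev/null \
            | sed -n "s/^${name}\([0-9][0-9]*\)\.pem\$/\1/p" | sort -n | tail -n 1)
        if [ -z "$latest" ]; then
            echo "no archive copy for $name in $archive" >&2; rc=1; continue
        fi
        src="$archive/$name$latest.pem"
        # never discard a live copy that is not identical to the archive
        if ! cmp -s "$target" "$src"; then
            echo "$target differs from $src, not touching it" >&2; rc=1; continue
        fi
        rm -f "$target"
        ln -s "../../archive/$lineage/$name$latest.pem" "$target"
        echo "relinked $target -> ../../archive/$lineage/$name$latest.pem"
    done
    return $rc
}

# check_live_dir BASE LINEAGE: succeed only if all four entries are symlinks,
# which is the precondition certbot's renewal parser failed on in the journal.
check_live_dir() {
    for name in cert chain fullchain privkey; do
        [ -L "$1/live/$2/$name.pem" ] || return 1
    done
    return 0
}

# make_demo: build a constructed copy of the post-upgrade state in a temp dir
# (archive serial 1, live/ holding resolved regular files) and print its path.
make_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/archive/LR5.wue4" "$demo/live/LR5.wue4"
    for name in cert chain fullchain privkey; do
        printf 'constructed dummy %s\n' "$name" > "$demo/archive/LR5.wue4/${name}1.pem"
        cp "$demo/archive/LR5.wue4/${name}1.pem" "$demo/live/LR5.wue4/$name.pem"
    done
    chmod 600 "$demo/archive/LR5.wue4/privkey1.pem" "$demo/live/LR5.wue4/privkey.pem"
    echo "$demo"
}

# Usage: sh fix-live-symlinks.sh --demo            (self-contained run)
#        sudo sh fix-live-symlinks.sh /config/auth/letsencrypt LR5.wue4
case "${1:-}" in
    --demo)
        d=$(make_demo)
        check_live_dir "$d" LR5.wue4 && echo "unexpected: live/ already uses symlinks"
        repair_live_dir "$d" LR5.wue4
        check_live_dir "$d" LR5.wue4 && echo "live/ repaired, certbot renew can proceed"
        rm -rf "$d"
        ;;
    "")
        ;;
    *)
        repair_live_dir "$1" "${2:?lineage name required}"
        ;;
esac
```

After the repair, re-run `renew certbot` (or `sudo certbot renew --dry-run` for a no-op check) to confirm the parse failure is gone. The refusal on a mismatching copy is deliberate: if a renewal somehow wrote a newer certificate into live/ as a plain file, overwriting it with an older archive link would silently roll the router back.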