On system reboot we cannot run the ACME renew commands, as this currently conflicts with OpenConnect binding on port 80 and thus reusing the port required by certbot to check for certificate renewal.
Elapsed 0.006 sec:
Executing the "pki certificate vpn.xxx.net acme listen-address x.x.x.x" ...
Elapsed 0.212 sec:
Executing the "pki certificate vpn.xxx.net acme url https://acme-staging-v02.api.letsencrypt.org/directory" ...
Elapsed 0.048 sec:
Elapsed 0.780 sec: _commit_check_cfg_node
Entering the _commit_exec_cfg_node
Executing the "pki" ...
[ pki ] Updating configuration: "vpn openconnect ssl certificate vpn.xxx.net"
Port 80 is already in use and not available to provide ACME challenge for "vpn.xxx.net"!
Elapsed 0.027 sec:
Elapsed 0.027 sec: _commit_exec_cfg_node [[pki]] failed
Entering the _commit_check_cfg_node
Executing the "interfaces loopback lo" ...
Elapsed 0.004 sec:
Elapsed 0.004 sec: _commit_check_cfg_node
Entering the _commit_exec_cfg_node
Executing the "interfaces loopback lo" ...
Elapsed 0.372 sec:
Elapsed 0.372 sec: _commit_exec_cfg_node
The issue can be easily reproduced by extending this working configuration
set pki certificate FOO acme domain-name 'R1.vyos.net'
set pki certificate FOO acme email 'causetellah@gmail.com'
set pki certificate FOO acme url 'https://acme-staging-v02.api.letsencrypt.org/directory'
with
set pki certificate FOO acme listen-address <IP>
The issue is that when we check for available ports https://github.com/vyos/vyos-1x/blob/a3b62f290a90a374dca04c6400fd1619f36e808f/src/conf_mode/pki.py#L372 we cannot bind to the listen-address, because the address we would like to bind to is not yet configured on the system.
In our case the (ethernet) interfaces are configured AFTER PKI (and thus certbot) is run.
vyos@vyos:~$ /opt/vyatta/sbin/priority.pl | grep -E pki\|ethernet
300 interfaces/virtual-ethernet
300 pki
318 interfaces/ethernet
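The root cause described above is that a bind() failure is reported as "port already in use" regardless of why bind() failed. The following is an added illustration, not code from vyos-1x or from the reporter: a pre-flight check that inspects errno and distinguishes a real listener on the port (EADDRINUSE, e.g. OpenConnect on :80) from a listen-address that is simply not configured on any interface yet (EADDRNOTAVAIL, the case when interfaces are committed after pki). The function names (`probe_tcp_bind`, `acme_listener_verdict`, `occupy_port`) and the use of 192.0.2.1 (TEST-NET-1) as a stand-in for a not-yet-configured address are assumptions made for this example.

```python
"""Classify why a bind() to an ACME listen-address fails.

Added illustration, not code from vyos-1x: report "port in use" only for
EADDRINUSE, and treat EADDRNOTAVAIL (address not configured on this host yet)
as a distinct, retryable condition. All names here are assumptions.
"""
import errno
import socket
from enum import Enum


class PortState(Enum):
    FREE = "free"                      # bind succeeded, port is available
    IN_USE = "in_use"                  # EADDRINUSE: another process already listens here
    ADDR_NOT_LOCAL = "addr_not_local"  # EADDRNOTAVAIL: address not configured on this host
    OTHER_ERROR = "other_error"        # anything else (EACCES on a privileged port, ...)


def _tcp_socket(address: str) -> socket.socket:
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    return socket.socket(family, socket.SOCK_STREAM)


def naive_port_available(address: str, port: int) -> bool:
    """The check as the report describes it: any bind failure counts as 'port in use'.
    This is what turns a not-yet-configured listen-address into the misleading
    'Port 80 is already in use' error."""
    s = _tcp_socket(address)
    try:
        s.bind((address, port))
        return True
    except OSError:
        return False
    finally:
        s.close()


def probe_tcp_bind(address: str, port: int) -> PortState:
    """Attempt the bind and map errno to a PortState instead of a bare bool."""
    s = _tcp_socket(address)
    try:
        s.bind((address, port))
        return PortState.FREE
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return PortState.IN_USE
        if exc.errno == errno.EADDRNOTAVAIL:
            return PortState.ADDR_NOT_LOCAL
        return PortState.OTHER_ERROR
    finally:
        s.close()


def acme_listener_verdict(address: str, port: int = 80) -> str:
    """Decision an ACME pre-check could take (illustrative verdict names):
    'proceed'  - bind succeeded, run the HTTP-01 challenge now
    'defer'    - address not on the system yet (interfaces committed after pki); retry later
    'conflict' - a real listener (such as OpenConnect on :80) owns the port
    'error'    - unexpected bind failure, surface it verbatim
    """
    state = probe_tcp_bind(address, port)
    return {
        PortState.FREE: "proceed",
        PortState.ADDR_NOT_LOCAL: "defer",
        PortState.IN_USE: "conflict",
    }.get(state, "error")


def occupy_port(address: str = "127.0.0.1") -> tuple:
    """Hold a listening socket on an ephemeral port so a second bind hits EADDRINUSE.
    Returns (socket, port); the caller closes the socket."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((address, 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    holder, busy_port = occupy_port()
    # 192.0.2.1 (TEST-NET-1) stands in for a listen-address whose interface is not up yet.
    for addr, port in (("127.0.0.1", busy_port), ("192.0.2.1", 0), ("127.0.0.1", 0)):
        print(f"{addr}:{port:<5} naive={str(naive_port_available(addr, port)):5} "
              f"probe={probe_tcp_bind(addr, port).value:14} "
              f"verdict={acme_listener_verdict(addr, port)}")
    holder.close()
```

Run as-is: the naive check returns False for both the busy loopback port and the unconfigured address, while `probe_tcp_bind` separates them. A commit-time pre-check that returns "defer" for the second case could skip or retry the ACME run instead of failing the whole `pki` node before the interfaces are even configured.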