Summary
The current Certbot/ACME certificate management implementation in VyOS is fragmented across multiple files and definitions, which makes it difficult to maintain and makes renewal behavior unreliable for services consuming ACME certificates.
Affected Versions
All active development and LTS branches of VyOS.
Details
The Certbot / ACME handling logic is spread across several modules and scripts, including both configuration and operational mode files, helper scripts, and systemd overrides:
- src/op_mode/pki.py
- src/conf_mode/pki.py
- src/helpers/vyos-certbot-renew-pki.sh
- op-mode-definitions/pki.xml.in
- src/etc/systemd/system/certbot.service.d/10-override.conf
This fragmented design makes it difficult to maintain or extend the ACME/Certbot functionality. Additionally, certificate renewals can fail to propagate correctly to dependent services (e.g., HAProxy), resulting in outdated or invalid certificates being used.
Proposed Improvement
Refactor the Certbot/ACME handling logic into a single, centralized module or helper that:
- Stops and restarts services before and after renewal.
- Tracks dependencies between certificates and the services consuming them.
- Stops dependent services in advance of renewal to free bound ports (since they need to restart anyway).
- Ensures all ACME certificate consumers automatically reload/restart after a successful renewal.
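As an added illustration (not VyOS code, and not the proposed implementation itself), the following Python sketch shows how such a centralized helper could model the certificate-to-service dependencies and derive one renewal plan from them: which units to stop before the challenge, and which to restart or reload once Certbot's deploy hook reports success. The registry entries, unit names other than haproxy.service, and the function names are hypothetical; the `RENEWED_LINEAGE` variable is the one Certbot exports to its deploy/post hooks.

```python
import os
import subprocess
from dataclasses import dataclass, field


@dataclass
class Consumer:
    """One service that loads an ACME-managed certificate (hypothetical model)."""
    unit: str                    # systemd unit to act on
    certificates: frozenset      # Certbot lineage names it loads
    holds_challenge_port: bool   # binds :80/:443, so must be stopped before renewal
    action: str = "restart"      # "restart" or "reload" after a successful renewal


@dataclass
class RenewalPlan:
    stop_before: list = field(default_factory=list)
    restart_after: list = field(default_factory=list)
    reload_after: list = field(default_factory=list)


def dependents(registry, lineage):
    """All consumers that load the given certificate, in registry order."""
    return [c for c in registry if lineage in c.certificates]


def plan_renewal(registry, lineages):
    """Build a single plan for a set of lineages about to be renewed.

    Units are deduplicated, so a service consuming two renewed
    certificates is stopped and restarted only once.
    """
    plan = RenewalPlan()
    seen = set()
    for lineage in lineages:
        for c in dependents(registry, lineage):
            if c.unit in seen:
                continue
            seen.add(c.unit)
            if c.holds_challenge_port:
                # freed the port before renewal; a stopped unit cannot be
                # reloaded, so it must be restarted afterwards
                plan.stop_before.append(c.unit)
                plan.restart_after.append(c.unit)
            elif c.action == "reload":
                plan.reload_after.append(c.unit)
            else:
                plan.restart_after.append(c.unit)
    return plan


def renewed_lineage_from_env(environ=os.environ):
    """Certbot exports RENEWED_LINEAGE=/etc/letsencrypt/live/<name> to its
    deploy/post hooks; return <name>, or None when not run by Certbot."""
    path = environ.get("RENEWED_LINEAGE")
    return os.path.basename(path.rstrip("/")) if path else None


def systemctl(verb, unit, run=subprocess.run):
    # `run` is injectable so a plan can be exercised without touching systemd
    return run(["systemctl", verb, unit], check=False).returncode


def execute(plan, phase, run=subprocess.run):
    """Phase 'pre' stops port-holding consumers (Certbot --pre-hook);
    phase 'deploy' restarts/reloads consumers (Certbot --deploy-hook).
    Returns (verb, unit, returncode) for each action taken."""
    if phase == "pre":
        actions = [("stop", u) for u in plan.stop_before]
    elif phase == "deploy":
        actions = ([("restart", u) for u in plan.restart_after]
                   + [("reload", u) for u in plan.reload_after])
    else:
        raise ValueError(f"unknown phase {phase!r}")
    return [(verb, unit, systemctl(verb, unit, run)) for verb, unit in actions]


# Constructed registry: which lineage each service consumes. Only
# haproxy.service comes from the issue text; the rest are hypothetical.
REGISTRY = [
    Consumer("haproxy.service", frozenset({"vyos-lb"}), True),
    Consumer("nginx.service", frozenset({"vyos-lb", "vyos-web"}), True),
    Consumer("openvpn-rw.service", frozenset({"vyos-vpn"}), False, "reload"),
]

if __name__ == "__main__":
    lineage = renewed_lineage_from_env() or "vyos-lb"
    print(plan_renewal(REGISTRY, [lineage]))
```

With a registry like this, the helper would be invoked twice per renewal: once as the pre-hook to empty `stop_before`, and once as the deploy-hook (which Certbot only runs on success) to apply `restart_after` and `reload_after`, so a consumer such as HAProxy never keeps serving the old certificate.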
Additional Notes
This issue was observed by me specifically with HAProxy consuming an ACME-managed certificate. After renewal, the proxy continued serving an outdated certificate until manually restarted.