Reproduce:
```
set pki certificate vyos acme domain-name 'router.vyos.net'
set pki certificate vyos acme email 'foo@bar.com'
set pki certificate vyos acme url 'https://acme-staging-v02.api.letsencrypt.org/directory'
set vpn openconnect authentication local-users username soasdf564654 password 'vyos1234'
set vpn openconnect authentication mode local 'password'
set vpn openconnect network-settings client-ip-settings subnet '10.0.0.0/29'
set vpn openconnect network-settings name-server '1.1.1.1'
set vpn openconnect ssl certificate vyos
```
Force renewal using: `sudo /usr/bin/certbot renew --config-dir /config/auth/letsencrypt --no-random-sleep-on-renew --post-hook "/usr/libexec/vyos/vyos-certbot-renew-pki.sh" --force-renewal`
The main issue is that if a certbot renewal is triggered, we do NOT add any dependencies to call other configuration paths:
https://github.com/vyos/vyos-1x/blob/f1ccb39b2a93b8a1cc0ee83403ee681910d22fbb/src/conf_mode/pki.py#L150-L151
This would do the immediate job - but it's only a partial fix and would call the openconnect dependency even if it might not be needed at all. It also misses out e.g. IPsec VPN, HAProxy or HTTP server.
```
diff --git c/src/conf_mode/pki.py i/src/conf_mode/pki.py
index acea2c9be..ea723e174 100755
--- c/src/conf_mode/pki.py
+++ i/src/conf_mode/pki.py
@@ -149,6 +149,7 @@ def get_config(config=None):
if len(argv) > 1 and argv[1] == 'certbot_renew':
pki['certbot_renew'] = {}
+ set_dependents('openconnect', conf)
changed_keys = ['ca', 'certificate', 'dh', 'key-pair', 'openssh', 'openvpn']
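Review bot: `set_dependents('openconnect', conf)` in the `certbot_renew` branch is unconditional and hard-codes a single consumer, so openconnect is scheduled on every renewal even when it does not use the renewed certificate, and any other service bound to that certificate is still skipped. Register dependents only for config paths that actually reference a certbot-managed certificate (for openconnect, guard on `vpn openconnect ssl certificate` naming one), and add a comment explaining why the renewal path needs its own dependents.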
@@ -506,7 +507,7 @@ def apply(pki):
elif has_certbot and not is_systemd_service_active(systemd_certbot_name):
call(f'systemctl restart {systemd_certbot_name}')
- if 'changed' in pki:
+ if 'changed' in pki or 'certbot_renew' in pki:
call_dependents()
# Rebuild ca-certificates bundle
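Review bot: In `apply()`, `'certbot_renew' in pki` makes `call_dependents()` run on every invocation of the renew hook, whether or not a certificate actually changed; the renewal command above passes the script via `--post-hook`, which certbot runs after any renewal attempt, including a failed one. Consider having the renew path mark only the certificates whose content changed and keeping the condition on `'changed' in pki`, so dependents are re-applied only when there is a new certificate to load.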
```
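One way to derive the dependents from the configuration instead of hard-coding `openconnect`, as an added example that is not vyos-1x code and not part of the original comment. The nested-dict layout, the function names, the `example-daemon` path and the rule that the first two path elements name the service are assumptions; only the `pki certificate vyos acme` and `vpn openconnect ssl certificate` paths come from the reproduce steps.

```python
# Added illustration, not vyos-1x code. CONFIG is a constructed sample; the
# 'example-daemon' path and the 'static' certificate are hypothetical.
CONFIG = {
    'pki': {'certificate': {
        'vyos': {'acme': {'domain-name': 'router.vyos.net'}},
        'static': {'certificate': 'constructed-pem-placeholder'},
    }},
    'vpn': {'openconnect': {'ssl': {'certificate': 'vyos'}}},
    'service': {'example-daemon': {'tls': {'certificate': 'static'}}},
}


def acme_certificates(config):
    """Names of PKI certificates that are issued through ACME/certbot."""
    certs = config.get('pki', {}).get('certificate', {})
    return {name for name, data in certs.items() if 'acme' in data}


def certificate_references(node, path=()):
    """Yield (path, cert_name) for every 'certificate' leaf below node."""
    for key, value in node.items():
        if isinstance(value, dict):
            yield from certificate_references(value, path + (key,))
        elif key == 'certificate':
            names = value if isinstance(value, list) else [value]
            for name in names:
                yield path + (key,), name


def dependents_for_renewal(config, renewed=None):
    """Services (first two path elements, an assumption) that reference a
    renewed certificate. Defaults to all ACME-managed certificates."""
    renewed = acme_certificates(config) if renewed is None else set(renewed)
    hits = set()
    for top, subtree in config.items():
        # The pki subtree defines certificates; it does not consume them.
        if top == 'pki' or not isinstance(subtree, dict):
            continue
        for path, name in certificate_references(subtree, (top,)):
            if name in renewed:
                hits.add(path[:2])
    return sorted(hits)


if __name__ == '__main__':
    for service in dependents_for_renewal(CONFIG):
        print('would schedule dependent:', ' '.join(service))
```

With this shape, a renewal of `vyos` schedules only openconnect, and a configuration where no service references an ACME certificate schedules nothing.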