The current Certbot implementation for all active development and LTS branches is scattered across multiple files and definitions.
To show some:
* https://github.com/vyos/vyos-1x/blob/c284938df61b5e970dd13cde03e0693254e89211/src/op_mode/pki.py#L1377
* https://github.com/vyos/vyos-1x/blob/c284938df61b5e970dd13cde03e0693254e89211/src/conf_mode/pki.py#L127
* https://github.com/vyos/vyos-1x/blob/c284938df61b5e970dd13cde03e0693254e89211/src/helpers/vyos-certbot-renew-pki.sh
* https://github.com/vyos/vyos-1x/blob/c284938df61b5e970dd13cde03e0693254e89211/op-mode-definitions/pki.xml.in#L577
* https://github.com/vyos/vyos-1x/blob/c284938df61b5e970dd13cde03e0693254e89211/src/etc/systemd/system/certbot.service.d/10-override.conf#L3
This scattered code makes maintenance of a fragile feature hard.
While I also tried to overcomplicate things in mapping stuff via a reverse proxy - which might break on renewals - we should look at this from a junior's perspective.
If a certificate is renewed - the daemon consuming it MUST be restarted in any case to make use of the new certificate.
I noticed this fail once during a `haproxy` service consuming a certificate enrolled via ACME - making my reverse-proxy service broken (by not having an up-to-date cert).
Change the implementation to stop the services consuming ACME certificates in advance - as they need to be restarted anyway. This way we will free the ports and `certbot` can do its job.
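A sketch of the stop, renew, restart sequence proposed above, added here as an illustration and not taken from the VyOS code base. The function name, the unit names and the bare `certbot renew` command line are assumptions; the point it shows is that stopped consumers are started again even when renewal fails, so a failed renewal does not turn into an outage.

```python
import subprocess
from typing import Callable, Dict, List, Sequence


def run_cmd(cmd: Sequence[str]) -> int:
    """Run a command and return its exit status."""
    return subprocess.run(list(cmd), check=False).returncode


def renew_with_consumers_stopped(
    consumers: Sequence[str],
    renew_cmd: Sequence[str] = ("certbot", "renew"),  # assumed invocation
    run: Callable[[Sequence[str]], int] = run_cmd,
) -> Dict[str, object]:
    """Stop certificate consumers, renew, then always start them again."""
    stopped: List[str] = []
    failed_start: List[str] = []
    renewed = False
    try:
        for unit in consumers:
            # Units that were not running are left alone, so the renewal
            # run never starts a service the operator had stopped.
            if run(["systemctl", "is-active", "--quiet", unit]) != 0:
                continue
            if run(["systemctl", "stop", unit]) != 0:
                # The port may still be bound: skip renewal entirely.
                break
            stopped.append(unit)
        else:
            # Every active consumer is down, the ports are free.
            renewed = run(list(renew_cmd)) == 0
    finally:
        # Runs on success, on renewal failure and on exceptions alike.
        for unit in reversed(stopped):
            if run(["systemctl", "start", unit]) != 0:
                failed_start.append(unit)
    return {
        "renewed": renewed,
        "restarted": [u for u in stopped if u not in failed_start],
        "failed_start": failed_start,
    }


if __name__ == "__main__":
    # Hypothetical consumer list; requires systemd and certbot on the host.
    print(renew_with_consumers_stopped(["haproxy"]))
```

A non-empty `failed_start` list is the condition worth alerting on, since it means a consumer stayed down after the renewal attempt.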