On system reboot we cannot run the ACME renew commands, as this currently conflicts with OpenConnect binding to port 80 and thus reusing the port `certbot` requires to check for certificate renewal.
```
Elapsed 0.006 sec:
Executing the "pki certificate vpn.xxx.net acme listen-address x.x.x.x" ...
Elapsed 0.212 sec:
Executing the "pki certificate vpn.xxx.net acme url https://acme-staging-v02.api.letsencrypt.org/directory" ...
Elapsed 0.048 sec:
Elapsed 0.780 sec: _commit_check_cfg_node
Entering the _commit_exec_cfg_node
Executing the "pki" ...
[ pki ]
Updating configuration: "vpn openconnect ssl certificate vpn.xxx.net"
Port 80 is already in use and not available to provide ACME challenge
for "vpn.xxx.net"!
Elapsed 0.027 sec:
Elapsed 0.027 sec: _commit_exec_cfg_node
[[pki]] failed
Entering the _commit_check_cfg_node
Executing the "interfaces loopback lo" ...
Elapsed 0.004 sec:
Elapsed 0.004 sec: _commit_check_cfg_node
Entering the _commit_exec_cfg_node
Executing the "interfaces loopback lo" ...
Elapsed 0.372 sec:
Elapsed 0.372 sec: _commit_exec_cfg_node
```
The issue can be easily reproduced by extending this working configuration
```
set pki certificate FOO acme domain-name 'LR5.wue4.mybll.net'
set pki certificate FOO acme email 'causetellah@gmail.com'
set pki certificate FOO acme url 'https://acme-staging-v02.api.letsencrypt.org/directory'
```
with
```
set pki certificate FOO acme listen-address <IP>
```
The issue is that when we check for available ports (https://github.com/vyos/vyos-1x/blob/a3b62f290a90a374dca04c6400fd1619f36e808f/src/conf_mode/pki.py#L372), we cannot bind to `listen-address` because the address we would like to bind to is not yet configured on the system.
In our case, (ethernet) interfaces are configured AFTER PKI (and thus `certbot`) was run.
```
vyos@vyos:~$ /opt/vyatta/sbin/priority.pl | grep -E pki\|ethernet
300 interfaces/virtual-ethernet
300 pki
318 interfaces/ethernet
```
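A bind-based availability check, like the one described above, can tell "port already in use" apart from "address not yet configured" by looking at the errno of the failed bind. The following is an added example, not code from vyos-1x: `probe_bind` and `demo` are hypothetical names, an ephemeral port stands in for port 80 so it runs unprivileged, and 192.0.2.1 (a documentation address) is assumed not to be assigned to any local interface.

```python
import errno
import socket


def probe_bind(address: str, port: int) -> str:
    """Try to bind a TCP socket and classify the outcome.

    Returns 'free', 'in-use' (EADDRINUSE) or 'address-missing'
    (EADDRNOTAVAIL: the IP is not assigned to any local interface).
    """
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((address, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return "in-use"
            if exc.errno == errno.EADDRNOTAVAIL:
                return "address-missing"
            raise  # anything else (e.g. EACCES) is a different problem
    return "free"


def demo() -> dict:
    """Exercise all three outcomes on constructed local conditions."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as holder:
        # A listener that plays the role of the service holding the port.
        holder.bind(("127.0.0.1", 0))
        holder.listen(1)
        port = holder.getsockname()[1]
        results["occupied"] = probe_bind("127.0.0.1", port)
        # Same port, but on an address no interface carries yet
        # (assumption: 192.0.2.1 is not configured on this host).
        results["unconfigured"] = probe_bind("192.0.2.1", port)
    # Listener closed: the port is available again.
    results["released"] = probe_bind("127.0.0.1", port)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

A check that treats every bind failure as "port in use" reports the `address-missing` case with the same message seen in the commit log above, even though nothing is listening on the port.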