## Summary
The current `certbot` / ACME certificate management implementation in VyOS is fragmented across multiple files and definitions, making maintenance difficult and renewal behavior unreliable for services consuming ACME certificates.
## Affected Versions
All active development and LTS branches of VyOS.
## Details
The Certbot / ACME handling logic is spread across several modules and scripts, including both configuration and operational mode files, helper scripts, and systemd overrides:
* [src/op_mode/pki.py](https://github.com/vyos/vyos-1x/blob/c284938df61b5e970dd13cde03e0693254e89211/src/op_mode/pki.py#L1377)
* [src/conf_mode/pki.py](https://github.com/vyos/vyos-1x/blob/c284938df61b5e970dd13cde03e0693254e89211/src/conf_mode/pki.py#L127)
* [src/helpers/vyos-certbot-renew-pki.sh](https://github.com/vyos/vyos-1x/blob/c284938df61b5e970dd13cde03e0693254e89211/src/helpers/vyos-certbot-renew-pki.sh)
* [op-mode-definitions/pki.xml.in](https://github.com/vyos/vyos-1x/blob/c284938df61b5e970dd13cde03e0693254e89211/op-mode-definitions/pki.xml.in#L577)
* [src/etc/systemd/system/certbot.service.d/10-override.conf](https://github.com/vyos/vyos-1x/blob/c284938df61b5e970dd13cde03e0693254e89211/src/etc/systemd/system/certbot.service.d/10-override.conf#L3)
This fragmented design makes it difficult to maintain or extend the ACME/Certbot functionality. Additionally, certificate renewals can fail to propagate correctly to dependent services (e.g., HAProxy), resulting in outdated or invalid certificates being used.
## Proposed Improvement
Refactor the Certbot/ACME handling logic into a single, centralized module or helper that manages:
* Service stop/restart before and after renewal.
* Dependency tracking between certificates and consuming services.
* Clear error handling and logging.
* Stopping dependent services ahead of renewal to free bound ports (they need to restart afterwards anyway).
* Automatic reload/restart of every ACME certificate consumer after a successful renewal.
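One shape such a centralized helper could take, as an added example rather than VyOS code: a certbot hook script that stops the consuming services before renewal (so a standalone listener can bind its port) and restarts them once the renewed certificate is deployed. The certificate-to-service map (`CONSUMERS`) and unit names are assumptions; the command runner is injectable so the dependency logic can be exercised without systemd.

```python
#!/usr/bin/env python3
"""Centralized ACME renewal hook (added example, not part of vyos-1x).
Intended use: certbot renew --pre-hook 'acme_hook.py pre' --deploy-hook 'acme_hook.py deploy'
"""
import logging
import os
import subprocess
import sys

log = logging.getLogger("acme-renew")

# Hypothetical dependency map: ACME certificate (lineage) name -> consuming systemd units.
CONSUMERS = {
    "vyos-web": ["haproxy.service"],
    "vpn-portal": ["haproxy.service", "ocserv.service"],
}

def consumers_for(lineages, deps=CONSUMERS):
    """Ordered, de-duplicated list of units that consume any of the given certificates."""
    units = []
    for name in lineages:
        for unit in deps.get(name, []):
            if unit not in units:
                units.append(unit)
    return units

def systemctl(action, unit, run=subprocess.run):
    """Run `systemctl ACTION UNIT`; log and return False on failure instead of aborting the whole run."""
    result = run(["systemctl", action, unit], capture_output=True, text=True)
    if result.returncode != 0:
        log.error("%s %s failed (rc=%d): %s", action, unit, result.returncode, result.stderr.strip())
        return False
    log.info("%s %s ok", action, unit)
    return True

def propagate(phase, lineages, deps=CONSUMERS, run=subprocess.run):
    """pre: stop consumers so renewal can bind the port; deploy: restart them. Returns the units that failed."""
    action = "stop" if phase == "pre" else "restart"
    return [unit for unit in consumers_for(lineages, deps) if not systemctl(action, unit, run)]

def lineages_from_env(env=os.environ):
    """certbot exports RENEWED_LINEAGE (/etc/letsencrypt/live/<name>) to deploy hooks only;
    a pre hook gets no lineage, so every known certificate's consumers are stopped."""
    lineage = env.get("RENEWED_LINEAGE")
    return [os.path.basename(lineage)] if lineage else list(CONSUMERS)

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    failed = propagate(sys.argv[1], lineages_from_env())
    sys.exit(1 if failed else 0)
```

A non-zero exit from the deploy phase surfaces in certbot's own log, so a consumer that failed to restart is recorded rather than silently left serving the old certificate.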
## Additional Notes
This issue was observed by me specifically with HAProxy consuming an ACME-managed certificate. After renewal, the proxy continued serving an outdated certificate until manually restarted.