
Re: [Letsencrypt-devel] Certbot in Debian Stretch



On 11/30/2016 10:12 PM, Peter Eckersley wrote:
> On Wed, Nov 30, 2016 at 04:19:40PM +0100, Christian Seiler wrote:
>> On 11/30/2016 02:33 PM, Virgo Pärna wrote:
>>> On Fri, 25 Nov 2016 15:41:45 +0100, Christian Seiler <christian@iwakd.de> wrote:
>>>>
>>>> is not an issue (it works fine), but I had modified the cron job to
>>>> pass --renew-hook and --post-hook to certbot. (As far as I can tell,
>>>> there's no way of setting these in a configuration file.) The only
>>>
>>> I think that /etc/letsencrypt/cli.ini is supposed to work for it.
>>
>> As far as I am aware this is non-standard, and all examples with
>> that file name I could find would do
>>
>> certbot --config /etc/letsencrypt/cli.ini
>>
>> However, certbot --help paths clearly states that --config has no
>> default value, so by default certbot does not read that file, and
>> strace confirms it. Actually, the only files read in by certbot
>> in /etc/letsencrypt are /etc/letsencrypt/renewal/$certname.conf
>> and /etc/letsencrypt/archive/$certname/cert$N.pem.
> 
> The help is wrong there; that's an instance of this bug:
> 
> https://github.com/certbot/certbot/issues/3734
> https://bugs.python.org/issue28742
> 
> I'm adding the --config flag you noticed as another case of that bug.

Ah, and I ran my strace earlier with -e open,access, but after
rechecking it, it does in fact check for the file's existence
via stat(). I should remember to use -e open,access,stat when
checking for file access with strace. [1]

And I just checked, putting post-hook = ... in there actually
seems to work (renew -vvv says it won't run the post hook
because nothing is to be renewed, but it won't print that
message if I comment the line out). I do think you could also
improve the documentation for the 'renew' command to mention
that these hooks can be put in the central configuration file,
and to recommend to people to do that instead of supplying
them on the command line - that way people won't have the idea
of modifying the cron job / systemd service for this kind of
thing.

I've now created /etc/letsencrypt/cli.ini and removed my
drop-in that modifies the systemd service. Thanks, this thread
has already helped me make my setup saner. :)

Regards,
Christian

[1] Probably should add openat,fstatat,faccessat to the list
    as well.
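To illustrate the strace point in the footnote, here is an added shell example (not from the thread and not certbot's code) that filters a saved strace log for the file-access syscalls, including the openat/newfstatat/faccessat variants that a plain `-e open,access` filter never shows. The log lines are constructed, and on x86_64 strace prints fstatat as newfstatat.

```shell
#!/bin/sh
# Constructed sample of strace output (hypothetical, not a real certbot run),
# covering the syscalls the thread mentions plus their *at variants.
# Note: on x86_64, strace prints fstatat as newfstatat.
STRACE_SAMPLE='open("/etc/letsencrypt/cli.ini", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/letsencrypt/renewal/example.conf", O_RDONLY|O_CLOEXEC) = 3
stat("/etc/letsencrypt/cli.ini", 0x7ffd0000) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/etc/letsencrypt/archive/example/cert1.pem", {st_mode=S_IFREG|0644, ...}, 0) = 0
access("/etc/letsencrypt/cli.ini", R_OK) = -1 ENOENT (No such file or directory)
faccessat(AT_FDCWD, "/etc/letsencrypt/cli.ini", R_OK) = 0
openat(AT_FDCWD, "/usr/lib/python3/dist-packages/certbot/__init__.py", O_RDONLY|O_CLOEXEC) = 4
read(3, "...", 4096) = 120'

# Extract "<syscall> <path>" from every file-access line on stdin, whether the
# path is the first argument (open/stat/access) or follows AT_FDCWD (*at forms).
file_access_lines() {
    sed -n -E 's/^(openat|open|lstat|stat|newfstatat|fstatat|faccessat|access)\((AT_FDCWD, )?"([^"]*)".*/\1 \3/p'
}

# Unique paths under $1 that were touched by any of those syscalls, whether or
# not the call succeeded (a failed stat() still shows the path was probed).
accessed_paths() {
    file_access_lines | awk -v p="$1" 'index($2, p) == 1 { print $2 }' | sort -u
}

# Distinct syscalls used on paths under $1: shows which ones a narrow
# "-e open,access" filter would have hidden.
syscalls_touching() {
    file_access_lines | awk -v p="$1" 'index($2, p) == 1 { print $1 }' | sort -u
}

# Real usage: strace -f -o certbot.trace -e trace=%file certbot renew
# and then:   accessed_paths /etc/letsencrypt < certbot.trace
printf '%s\n' "$STRACE_SAMPLE" | accessed_paths /etc/letsencrypt
```

Running the functions on the constructed sample lists cli.ini among the touched paths even though only stat/access probes (not a successful open) reach it, which is exactly what the earlier `-e open,access` run in the thread missed.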

