Certbot instead acme-tiny?

strarsis · March 11, 2017, 1:05am

Why is acme-tiny used by trellis instead the official certboot tool?
certbot also supports webroot mode for being used with nginx.

swalkinshaw · March 11, 2017, 4:32am

I don’t think certbot existed when we first implemented this feature.

Ansible also has an official module we could use. I’d be open to anything that simplifies the LE feature though.

strarsis · March 14, 2017, 12:49am

There is also a certbot plugin for nginx (https://certbot.eff.org/docs/using.html#nginx), but like the ansible letsencrypt module, both are still in alpha/preview.
The certbot nginx plugin would be a “perfect” solution - but it doesn’t seem to be production-ready yet.

bjn · July 20, 2017, 6:32pm

Hopefully it’s time to revisit this by now.

I just had a site go down because acme-tiny failed on me. It seems the agreement PDF URL had changed and so the renewal script was failing, but the error output of this cron job wasn’t being sent to me.

I also then didn’t get emailed by Let’s Encrypt to tell me the certificate was going to expire, because acme-tiny doesn’t support sending contact details at registration time (and the author doesn’t want to add this feature).

bjn · July 20, 2017, 7:33pm

Some details I just sent to a dev group I’m part of, which I think may help others, so I’ll reproduce it here:

I just had a Trellis site go down because its Let’s Encrypt cert didn’t renew. Angry customer. It turns out the LE client they use (GitHub - diafygi/acme-tiny: A tiny script to issue and renew TLS certs from Let's Encrypt) fails if the LE licence agreement PDF URL changes, which it did, and the cron job Trellis sets up for LE doesn’t actually email you any error output, so I had no idea. On top of that, acme-tiny doesn’t support sending an email address along with a cert issue request, so LE itself doesn’t email me if the cert is nearing expiration.

Steps I took:
Patch acme-tiny (see my branch at https://github.com/tremby/acme-tiny/tree/add-contact-option which is based on someone else’s PR https://github.com/diafygi/acme-tiny/pull/153 which rightly hasn’t been accepted yet because it has a syntax error) to allow an email address to be set

Configure the letsencrypt ansible role to use this version, which involves setting acme_tiny_repo and acme_tiny_commit to point to my commit in roles/letsencrypt/defaults/main.yml

Configure it to send to my email address, which means adding a letsencrypt_contact key with my email address to the same file roles/letsencrypt/defaults/main.yml, and then patching roles/letsencrypt/templates/renew-certs.py to add --contact {{ letsencrypt_contact }} to the list of options passed to acme-tiny
Patch roles/letsencrypt/tasks/main.yml to add a new task to add the mail destination to the cron job. That looks like a new task in there like this:
- name: Add email destination to key generation cronjob
  cronvar:
    name: MAILTO
    value: me@example.com
    cron_file: letsencrypt-certificate-renewal
Delete current certs and rerun the letsencrypt role by following instructions here https://discourse.roots.io/t/update-lets-encrypt-certificates/7982/2

swalkinshaw · July 20, 2017, 9:31pm

Thanks for all the details.

I’m a little confused about the PDF agreement URL. It seems like it last changed in August 2016. Is that still the case?

Beyond setting an email, it seems like there’s another proper fix too: https://github.com/diafygi/acme-tiny/issues/135

strarsis · July 27, 2017, 11:40am

So I had a similar certificate expire issue and I found out that in the cronfile for calling the renewal script, the days field value is still uninterpolated ansible variable!

#Ansible: letsencrypt certificate renewal
30 4 1,11,21 * * root cd /var/lib/letsencrypt && ./renew-certs.py && /usr/sbin/service nginx reload
    day: "{{ letsencrypt_cronjob_daysofmonth }}"

swalkinshaw · July 27, 2017, 5:38pm

what O_O

What’s weird is the day is correctly added

letsencrypt_cronjob_daysofmonth: 1,11,21

Check the contents again:

30 4 1,11,21 * * root cd /var/lib/letsencrypt && ./renew-certs.py && /usr/sbin/service nginx reload
    day: "{{ letsencrypt_cronjob_daysofmonth }}"

and 1,11,21 appears correct.

Might be an Ansible bug that is then appending the day to the end of job?

strarsis · July 27, 2017, 5:40pm

How can I test this cronjob (script) directly and find out whether this extra line prevents proper execution?

swalkinshaw · July 27, 2017, 5:50pm

Not really sure. Maybe run-parts /etc/cron.daily

Ref: https://unix.stackexchange.com/questions/42715/how-can-i-make-cron-run-a-job-right-now-for-testing-debugging-without-changing

I’m surprised that’s even a valid cron file. Maybe if you run crontab path/to/crontab/file it might show errors.

bjn · July 29, 2017, 10:17pm

I’m a little confused about the PDF agreement URL. It seems like it last changed in August 2016. Is that still the case?

The error I was getting when I tried to manually run the cron script was definitely to do with that. I think it’s possible that before this expiry I had simply reprovisioned the servers at least once every three months and so by coincidence I never saw a certificate expire.

Beyond setting an email, it seems like there’s another proper fix too

A proper fix to that issue, which has not yet been merged, but in my opinion getting the warning email from Let’s Encrypt is absolutely vital.

swalkinshaw · July 29, 2017, 10:29pm

I agree Using another method would probably be better. Ansible even has an official module now: http://docs.ansible.com/ansible/latest/letsencrypt_module.html

However, this isn’t on our current list of priorities.