Infrastructure / INFRA-812

letsencrypt cert renewals should reload apache


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: www
    • Labels:
      None

      Description

      It turns out if the certificates change on disk, Apache isn't being "reload"ed to receive the updates. So even if we have a renewed certificate, it won't show up in Apache until a reload.
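
A check for the condition this issue describes, as an added example that is not part of the original ticket or the project's own code: it compares the leaf certificate in `fullchain.pem` with the one the running server presents and reloads Apache only when they differ. The function names are hypothetical, and the certificates in the demo are constructed placeholders.

```python
import hashlib
import socket
import ssl
import subprocess

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def leaf_fingerprint(fullchain_pem):
    """SHA-256 of the first certificate in a fullchain.pem (the leaf comes first)."""
    start = fullchain_pem.index(BEGIN)
    stop = fullchain_pem.index(END, start) + len(END)
    der = ssl.PEM_cert_to_DER_cert(fullchain_pem[start:stop])
    return hashlib.sha256(der).hexdigest()


def served_fingerprint(host, port=443, timeout=5.0):
    """SHA-256 of the certificate the running server presents for `host`."""
    ctx = ssl.create_default_context()
    # Verification is off on purpose: an expired certificate must still be
    # fetched so that it can be compared with the renewed one on disk.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def reload_if_stale(fullchain_path, host, fetch=served_fingerprint,
                    run=subprocess.check_call):
    """Reload Apache if disk and served certificates differ; True if reloaded."""
    with open(fullchain_path) as fh:
        on_disk = leaf_fingerprint(fh.read())
    if on_disk == fetch(host):
        return False
    run(["service", "apache2", "reload"])
    return True


if __name__ == "__main__":
    import tempfile
    # Constructed stand-ins, not real certificates: the PEM helpers only
    # base64-wrap the bytes, which is all a fingerprint comparison needs.
    old, new = b"constructed-old-cert", b"constructed-renewed-cert"
    with tempfile.NamedTemporaryFile("w", suffix=".pem") as f:
        f.write(ssl.DER_cert_to_PEM_cert(new))
        f.flush()
        stale = lambda host: hashlib.sha256(old).hexdigest()
        print(reload_if_stale(f.name, "ci.jenkins.io", fetch=stale, run=print))
```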

            Activity

            rtyler R. Tyler Croy added a comment -

            The change that I pushed through in #536 doesn't seem to actually work when it comes right down to it with a real certificate:

            /opt/letsencrypt/letsencrypt-auto renew --renew-hook="service apache2 reload"
            Updating letsencrypt and virtual environment dependencies.......
            Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt renew --renew-hook=service apache2 reload
            2016-07-17 16:50:38,208:WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
            
            -------------------------------------------------------------------------------
            Processing /etc/letsencrypt/renewal/ci.jenkins.io.conf
            -------------------------------------------------------------------------------
            2016-07-17 16:50:38,210:WARNING:certbot.renewal:renewal config file {} is missing a required file reference
            2016-07-17 16:50:38,210:WARNING:certbot.renewal:Renewal configuration file /etc/letsencrypt/renewal/ci.jenkins.io.conf is broken. Skipping.
            
            -------------------------------------------------------------------------------
            Processing /etc/letsencrypt/renewal/ci.jenkins.io-0001.conf
            -------------------------------------------------------------------------------
            
            -------------------------------------------------------------------------------
            new certificate deployed without reload, fullchain is
            /etc/letsencrypt/live/ci.jenkins.io-0001/fullchain.pem
            -------------------------------------------------------------------------------
            
            Congratulations, all renewals succeeded. The following certs have been renewed:
              /etc/letsencrypt/live/ci.jenkins.io-0001/fullchain.pem (success)
            
            Additionally, the following renewal configuration files were invalid: 
              /etc/letsencrypt/renewal/ci.jenkins.io.conf (parsefail)
            0 renew failure(s), 1 parse failure(s)
            

            Guess there's config files which the --help text didn't mention for renewing with this subcommand.

            rtyler R. Tyler Croy added a comment -

            I believe I fixed this with this change but haven't yet had a chance to verify

            rtyler R. Tyler Croy added a comment -

            pretty sure this is working as expected


              People

              Assignee:
              rtyler R. Tyler Croy
              Reporter:
              rtyler R. Tyler Croy