This would fix#839
Certbot uses locking [1] even for read-only operations and does not properly
use exit codes, which means that sometimes it would print:
"Another instance of Certbot is already running" and exit with success.
However, the previous explorers would take that as the certificate being absent
and would trigger code generation.
The issue was made worse by having many explorers running certbot, so for N
certificates, we'd run certbot N*4 times, potentially "in parallel".
[1]: https://certbot.eff.org/docs/using.html#id5
This patch joins all explorers in one to avoid starting multiple remote python
processes and uses a cdist-specific lock in /tmp/certbot.cdist.lock with a
60 seconds timeout.
It has been tested with certbot 0.31.0 and 0.17 that the:
from certbot.main import main
trick works. It is somewhat well documented so it can be somewhat relied upon.
Closes#853, see issue for full description / discussion.
Short summary:
- There was about 6.53% chances of `--renewal-hook` not being applied
- Using --automatic-renewal in one cert and not in another was an error.
- It was not possible to use different hooks for different certificates.
- FreeBSD support was utterly broken.
This commit adds the following features:
* Ability to expand existing certificate
* Ability to manage object state
* Ability to obtain test certificate
* Ability to promote test certificate to production
* Ability to specify custom certificate name
* Ability to specify multiple domains per certificate
* Ability to use Certbot in standalone mode
* Messaging
This commit also introduces the following behavioral changes:
* Attempt to install Certbot only when it is not installed
already
* Installation of the cron job has to be enabled using
`--automatic-renewal` parameter
**Note:** Object ID is now treated as certificate name and new
required parameter `--domain` was added.