[__letscrypt_cert] Hooks are wrongly implemented #13

New issue

Closed

opened 2021-11-20 11:24:47 +00:00 by ungleich-gitea · 8 comments

ungleich-gitea commented 2021-11-20 11:24:47 +00:00

Owner

Copy link

Tangentially related to: !974 and !873

Fixing this would also fix ungleich-public/cdist-contrib#2

Description of the issues

I detected a renewal hook did not run, even though the cert itself did get renewed, upon inspection I see:

# cat /etc/cron.d/certbot  | grep -v '^#'
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

# crontab -l | grep certb
47 0 * * * /usr/bin/certbot renew -q  --renew-hook "service nginx reload" # __cron/letsencrypt-certbot

Race condition due to two renewal jobs

So there is a bit of a race condition: on the /etc/cron.d/certbot entry, there is a random sleep of anything between 0 to 12h, if that happens to be less than 47 minutes (about 6.53% chances), that job will renew the certificate but not apply the hook as expected.

Misleading expectation of per-certificate hook

__letsencrypt_cert example.com \
    --admin-email root@example.com \
    --automatic-renewal \
    --renew-hook "service nginx reload" \
    --webroot /data/letsencrypt/root

__letsencrypt_cert smtp.example.com \
    --admin-email root@example.com \
    --automatic-renewal \
    --renew-hook "service postfix reload" \
    --webroot /data/letsencrypt/root

I would expect this to:

1. Work
2. Apply the different hooks to each certificate

Instead (not tested) this execution would fail due to discordant arguments for the __cron/letsencrypt-certbot object.

Conclusion

!974 and !873 are not sufficient to fix these issues, we should instead rely on per-realm/certificate configuration, using following.

I intend to implement this with a clear migration path for current installations rendering those MRs redundant by:

Using:
https://certbot.eff.org/docs/using.html?highlight=hook#pre-and-post-validation-hooks

1. Deprecating --renew-hook, having it work as an alias for --deploy-hook (see below).
2. Adding optional arguments: --deploy-hook, --pre-hook, --post-hook
3. These would create a ${ETC_DIR}/letsencrypt/renewal-hooks/{deploy,pre,post}/${__object_id}.cdist.sh script with the proper permissions.
   And contents similar to:

#!/bin/sh -e

if echo "${CERTBOT_ALL_DOMAINS}" | tr ',' '\n' | grep "^${__object_id}$"; then
    ${HOOK_STRING_CONTENTS}
fi

Tangentially related to: !974 and !873 Fixing this would also fix ungleich-public/cdist-contrib#2 # Description of the issues I detected a renewal hook did not run, even though the cert itself did get renewed, upon inspection I see: ``` # cat /etc/cron.d/certbot | grep -v '^#' SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew # crontab -l | grep certb 47 0 * * * /usr/bin/certbot renew -q --renew-hook "service nginx reload" # __cron/letsencrypt-certbot ``` ## Race condition due to two renewal jobs So there is a bit of a race condition: on the `/etc/cron.d/certbot` entry, there is a random sleep of anything between 0 to 12h, if that happens to be less than 47 minutes (about 6.53% chances), that job will renew the certificate but not apply the hook as expected. ## Misleading expectation of per-certificate hook ``` __letsencrypt_cert example.com \ --admin-email root@example.com \ --automatic-renewal \ --renew-hook "service nginx reload" \ --webroot /data/letsencrypt/root __letsencrypt_cert smtp.example.com \ --admin-email root@example.com \ --automatic-renewal \ --renew-hook "service postfix reload" \ --webroot /data/letsencrypt/root ``` I would expect this to: 1. Work 2. Apply the different hooks to each certificate Instead (not tested) this execution would fail due to discordant arguments for the `__cron/letsencrypt-certbot` object. # Conclusion !974 and !873 are not sufficient to fix these issues, we should instead rely on per-realm/certificate configuration, using following. I intend to implement this with a clear migration path for current installations rendering those MRs redundant by: Using: https://certbot.eff.org/docs/using.html?highlight=hook#pre-and-post-validation-hooks 1. Deprecating `--renew-hook`, having it work as an alias for `--deploy-hook` (see below). 2. Adding `optional` arguments: `--deploy-hook`, `--pre-hook`, `--post-hook` 3. These would create a `${ETC_DIR}/letsencrypt/renewal-hooks/{deploy,pre,post}/${__object_id}.cdist.sh` script with the proper permissions. And contents similar to: ``` #!/bin/sh -e if echo "${CERTBOT_ALL_DOMAINS}" | tr ',' '\n' | grep "^${__object_id}$"; then ${HOOK_STRING_CONTENTS} fi ```

evilham was assigned by ungleich-gitea 2021-11-20 11:24:47 +00:00

ungleich-gitea closed this issue 2021-11-20 11:24:48 +00:00

ungleich-gitea commented 2021-11-20 15:25:32 +00:00

Author

Owner

Copy link

mentioned in issue cdist-contrib#2

mentioned in issue cdist-contrib#2

ungleich-gitea commented 2021-11-20 15:25:34 +00:00

Author

Owner

Copy link

mentioned in commit b3a9c907ad

mentioned in commit b3a9c907ad3811676e75145e8678a55b8bbf41d3

ungleich-gitea commented 2021-11-20 15:25:35 +00:00

Author

Owner

Copy link

mentioned in merge request !977

mentioned in merge request !977

ungleich-gitea commented 2021-11-20 15:25:37 +00:00

Author

Owner

Copy link

mentioned in commit bc145bbc27

mentioned in commit bc145bbc27a45e382adb744e6774fb803f4fda0a

ungleich-gitea commented 2021-11-20 15:25:38 +00:00

Author

Owner

Copy link

I also propose deprecating --automatic-renewals, it makes no sense and is a maintenance nightmare. If an OS needs it (like Alpine and, from what I can tell Arch), we can enable autorenewal system-wide, which is what was happening now anyway.

I also propose deprecating `--automatic-renewals`, it makes no sense and is a maintenance nightmare. If an OS needs it (like Alpine and, from what I can tell Arch), we can enable autorenewal system-wide, which is what was happening now anyway.

ungleich-gitea commented 2021-11-20 15:25:39 +00:00

Author

Owner

Copy link

I don't have much experience with Alpine, can someone confirm that it does not have an in-distro mechanism for automatic renewals?

I don't have much experience with Alpine, can someone confirm that it does not have an in-distro mechanism for automatic renewals?

ungleich-gitea commented 2021-11-20 15:25:41 +00:00

Author

Owner

Copy link

Sounds like the proper solution to me. We can even deprecate --renew-hook and remove it in the next version change of cdist.

Sounds like the proper solution to me. We can even deprecate --renew-hook and remove it in the next version change of cdist.

ungleich-gitea commented 2021-11-20 15:25:42 +00:00

Author

Owner

Copy link

@nico / @ander / @steven at your scale you have probably hit this, does the proposal sound good? Should I work on it?

@nico / @ander / @steven at your scale you have probably hit this, does the proposal sound good? Should I work on it?

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

7.0

6.9

py3.10

ander/__package_apt_update_index

haproxy-dualstack

ander/__sed

beta

ander/os_version_debian_sid

evilham-compatibility-fixes

ander/__rsync

__snakeoil_cert

ander/update_readme

__download_improvements

feature/onchange

cleanup/string-formatting

feature/type-relationship-graph

cleanup/ssh-auth-keys-types

__letsencrypt_cert-fix-hooks

bugfix/preos-debug

bugfix/in-script-import

6.8

bugfix/sphinx-docs-build

6.7

cherry-pick-2f433a14

bugfix/make-code-consistent

6.6

regain-py3.2-support

6.5

bugfix/multiple-log-lines

matterbridge

coturn

alpinefix

matrix

new-type/network-interface

feature/process

6.4

feature/info-command

feature/libexec

6.3

preos-plugins-dir-opt

gitlab-ci

6.2

order-dep-fix

6.1

6.0

build/support-pip-from-git

feature/shell-lib

5.1

feature/support-type-deprecation

5.0

feature/python-types

4.11

4.10

shellcheck

4.9

4.8

freebsd-improvements

new-prometheus

key_value-onchange

feature/output_streams

AnotherKamila-patch-1

__letsencrypt_cert-fixes

letsencrypt-cron-fix

4.7

newtype-__letsencrypt_cert

os_explorer_devuan_fix

prometheus-exporter-fixes

daemontools-for-fbsd

type-prometheus-exporter-from-master

prometheus-more-fixes

4.6

4.5

fix-j

steven-backport

4.4

prometheus-fixes

grafana_dashboard

prometheus

daemontools

consul_improvements

feature/trigger

4.3

4.0-pre-not-stable

4.2

4.1

4.0

feature_install_and_preos

3.1

no-dot-cdist

random_dot_cdist

feature_yum_url

feature_files_export

3.0

2.3

2.2

2.1

ssh_callback

2.0

archive_shell_function_approach

1.7

1.6

1.5

1.4

1.3

1.2

1.1

1.0

7.0.0

6.9.8

6.9.7

6.9.6

6.9.5

6.9.4

6.9.3

6.9.2

6.9.1

6.9.0

6.8.0

6.7.0

6.6.0

6.5.6

6.5.5

6.5.4

6.5.3

6.5.2

6.5.1

6.5.0

6.4.0

6.3.0

6.2.0

6.1.1

6.1.0

6.0.4

6.0.3

6.0.2

6.0.1

6.0.0

5.1.3

5.1.2

5.1.1

5.1.0

5.0.2

5.0.1

5.0.0

4.11.1

4.11.0

4.10.11

4.10.10

4.10.9

4.10.8

4.10.7

4.10.6

4.10.5

4.10.4

4.10.3

4.10.2

4.10.1

4.10.0

4.9.1

4.9.0

4.8.4

4.8.3

4.8.2

4.8.1

4.8.0

4.7.3

4.7.2

4.7.1

4.7.0

4.6.1

4.6.0

4.5.0

4.4.4

4.4.3

4.4.2

4.4.1

4.4.0

4.3.2

4.3.1

4.3.0

4.2.2

4.2.1

4.2.0

4.1.0

4.0.0

3.1.13

tn1

3.1.12

3.1.11

3.1.10

3.1.9

3.1.8

3.1.7

3.1.6

4.0.0pre3

3.1.5

3.1.4

3.1.3

3.1.2

3.1.1

3.1.0

4.0.0pre2

3.0.9

3.0.8

3.0.7

3.0.6

3.0.5

3.0.4

3.0.3

4.0.0pre1

3.0.2

3.0.1

3.0.0

2.3.7

2.3.6

2.3.5

2.3.4

2.3.3

2.3.2

2.3.1

2.3.0

2.2.0

2.1.2

2.1.1

2.1.0

2.1.0pre8

2.1.0pre7

2.1.0pre6

2.0.15

2.1.0pre5

2.1.0pre4

2.1.0pre3

2.1.0pre2

2.1.0pre1

2.0.14

2.0.13

2.0.12

2.0.11

2.0.10

2.0.9

2.0.8

2.0.7

2.0.6

2.0.5

2.0.4

2.0.3

2.0.2

2.0.1

2.0.0

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.0

1.4.1

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.4

1.0.3

1.0.2

1.0.1

1.0.0

0.9.9

0.9.8

0.9.7

0.9.6

0.9.5

0.9.4

0.9.3

0.9.2

0.9.1

0.9

0.8

0.7

0.6

0.5

0.4

0.3

0.2

0.1

Labels

Clear labels   

bugfix

  

cleanup

  

discussion

  

documentation

  

doing

  

done

  

feature

  

improvement

  

packaging

  

Stale

  

testing

  

TODO

No labels

bugfix

cleanup

discussion

documentation

doing

done

feature

improvement

packaging

Stale

testing

TODO

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

evilham

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: ungleich-public/cdist#13

No description provided.