Hi,

I use certbot “deploy hooks” like this (excerpt from ‘hydra/bayfront.scm’ in guix/maintenance.git):

--8<---------------cut here---------------start------------->8---
(define %nginx-deploy-hook
  ;; Hook that restarts nginx when a new certificate is deployed.
  (program-file "nginx-deploy-hook"
                #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
                    (kill pid SIGHUP))))

(define %certbot-configuration
  (certbot-configuration
   (webroot "/var/www")
   (email "ludovic.cour...@inria.fr")
   (certificates
    (list (certificate-configuration
           (domains '("bayfront.guix.gnu.org" "logs.guix.gnu.org"
                      "bayfront.guix.info"
                      "hpc.guix.info"
                      "guix-hpc.bordeaux.inria.fr"
                      "coordinator.bayfront.guix.gnu.org"))
           (deploy-hook %nginx-deploy-hook))))))
--8<---------------cut here---------------end--------------->8---

The problem is that certbot records the deploy hook file name once for all:

--8<---------------cut here---------------start------------->8---
ludo@bayfront ~$ sudo grep -r ryb6000fbb4lyb4ad294srkj4x8m821w /etc/letsencrypt/
Password:
/etc/letsencrypt/renewal/hpc.guix.info.conf:renew_hook = /gnu/store/ryb6000fbb4lyb4ad294srkj4x8m821w-nginx-deploy-hook
/etc/letsencrypt/renewal/guix-hpc.bordeaux.inria.fr.conf:renew_hook = /gnu/store/ryb6000fbb4lyb4ad294srkj4x8m821w-nginx-deploy-hook
--8<---------------cut here---------------end--------------->8---

After GC, the certbot config ends up pointing to a non-existing hook:

--8<---------------cut here---------------start------------->8---
ludo@bayfront ~$ sudo certbot renew
[...]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/hpc.guix.info.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for hpc.guix.info
Hook 'deploy-hook' reported error code 127
Hook 'deploy-hook' ran with error output:
 /gnu/store/pwcp239kjf7lnj5i4lkdzcfcxwcfyk72-bash-minimal-5.0.16/bin/sh: /gnu/store/ryb6000fbb4lyb4ad294srkj4x8m821w-nginx-deploy-hook: No such file or directory
--8<---------------cut here---------------end--------------->8---

Most likely, the only solution would be to populate a fixed directory name, say /etc/nginx/hooks/deploy, such that certbot configuration remains valid.

Thoughts?

Ludo’.
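
An added example, not part of the original message or of Guix: a check that reports renewal configs whose `renew_hook` no longer resolves to an executable file, so the stale state shown above is caught before a renewal leaves nginx serving the old certificate. It assumes the `renew_hook = PATH` line format seen in the grep output; the function names `find_dangling_hooks` and `make_sample` and the sample file names are hypothetical.

```shell
#!/bin/sh
# Report certbot renewal configs whose renew_hook points at a missing or
# non-executable file (e.g. a /gnu/store item removed by garbage collection).

# find_dangling_hooks DIR
# Prints "CONF<TAB>HOOK" for each dangling hook; returns 1 if any was found.
find_dangling_hooks() {
    dir=$1
    found=0
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        # Lines look like: renew_hook = /gnu/store/<hash>-nginx-deploy-hook
        hooks=$(sed -n 's/^[[:space:]]*renew_hook[[:space:]]*=[[:space:]]*//p' "$conf")
        [ -n "$hooks" ] || continue
        while IFS= read -r hook; do
            # The hook is run through sh, so the first word is the program.
            prog=${hook%% *}
            if [ ! -x "$prog" ]; then
                printf '%s\t%s\n' "$conf" "$prog"
                found=1
            fi
        done <<EOF
$hooks
EOF
    done
    return $found
}

# make_sample DIR: write constructed renewal configs for a dry run
# (one hook that exists, one whose target has been "collected").
make_sample() {
    mkdir -p "$1/renewal" "$1/store"
    printf '#!/bin/sh\n' > "$1/store/live-hook"
    chmod +x "$1/store/live-hook"
    printf '[renewalparams]\nrenew_hook = %s\n' "$1/store/live-hook" \
        > "$1/renewal/ok.example.conf"
    printf '[renewalparams]\nrenew_hook = %s\n' "$1/store/collected-hook" \
        > "$1/renewal/stale.example.conf"
}

# Usage: sh check-hooks.sh /etc/letsencrypt/renewal  (exit status 1 = stale hook)
if [ $# -gt 0 ]; then
    find_dangling_hooks "$1"
fi
```

Run after each garbage collection or from a periodic job, a non-zero exit status signals that a renewal would succeed but its deploy hook would fail with error code 127.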