
Add docker-compose certbot configurations with backward compatibility

Open k-brahma opened this issue 1 year ago • 4 comments

Checklist:

[!IMPORTANT]
Please review the checklist below before submitting your pull request.

  • [x] Please open an issue before creating a PR or link to an existing issue
  • [x] I have performed a self-review of my own code
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [ ] I ran dev/reformat(backend) and cd web && npx lint-staged(frontend) to appease the lint gods

Description

This PR adds docker-compose certbot configurations with backward compatibility. It introduces a new way to easily set up SSL certificates using Certbot while maintaining the existing method of using the nginx/ssl directory for those who prefer it. This change significantly simplifies the SSL setup process for new servers while ensuring that existing setups continue to work without modification.

The main benefits of this change are:

  1. Simplified SSL certificate acquisition and renewal process
  2. Improved security through automated certificate management
  3. Maintained backward compatibility for existing setups

This PR is a follow-up to #6509, addressing the request to implement SSL certificate management using Docker. While #6509 provided a guide for SSL setup using the host OS, this PR introduces a Docker-based solution using Certbot, making the process more streamlined and consistent with the project's containerized architecture.

Related to #6509

Type of Change

  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [x] New feature (non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • [x] This change requires a documentation update, included: Dify Document
  • [x] Improvement, including but not limited to code refactoring, performance optimization, and UI/UX improvement
  • [ ] Dependency upgrade

Testing Instructions

Please follow the detailed test scenarios provided in the PR description. The main test scenarios are:

  • [x] Test A: New feature with certbot container

    • Launch server properly
    • Test certbot certonly command
    • Verify certificate files work correctly
    • Test certbot renew command
    • Verify CERTBOT_OPTIONS functionality
  • [x] Test B: Backward compatibility without certbot container

    • Verify legacy procedure still works with nginx/ssl directory

Detailed steps for each test scenario are provided in the PR description.


Add docker-compose certbot configurations description

Short description

Outline

  • Certbot available with --profile certbot option.
  • Without --profile certbot option you can still use cert files dir nginx/ssl as before.

For newly launched servers the SSL setup process is now rather easy, while the legacy way remains effective.

See docker/certbot/README.md for easy setup.

Files edited/added

Document

  • README.md: Updated, added to the section "What's Updated"
  • certbot/README.md: Added description document

docker-compose:

  • docker-compose.yaml: Updated nginx container settings, added certbot container settings
  • .env.example: Added key-value pairs for the certbot container (and consequently for the nginx app)

nginx:

  • nginx/conf.d/default.conf.template: Added acme-challenge location directive placeholder
  • nginx/https.conf.template: Updated, simplified
  • nginx/docker-entrypoint.sh: Updated, calculates ssl_certificate_path and ssl_certificate_key_path inside

certbot:

  • certbot/docker-entrypoint.sh: Added, generates certbot/update-cert.sh
  • certbot/update-cert.sh.template: Added, template for certbot/update-cert.sh

update-cert.sh runs certbot certonly the first time and certbot renew on later runs.
Personally I think some of the certbot command options could be moved into the CERTBOT_OPTIONS value, but as I'm not sure which ones would be best to move, the CERTBOT_OPTIONS value is empty for now.

.env keys

Added keys below:

  • NGINX_ENABLE_CERTBOT_CHALLENGE (default: false): Set true to accept requests for /.well-known/acme-challenge/
  • CERTBOT_DOMAIN (default: empty): Domain name to use with the certbot container
  • CERTBOT_EMAIL (default: empty): Email address to use for certbot certonly registration
  • CERTBOT_OPTIONS (default: empty): Additional options for the certbot command, e.g. --dry-run
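The certonly-or-renew decision described above, as an added example that is not the PR's update-cert.sh: it assembles the certbot argument list from the .env keys (assuming webroot validation through the nginx acme-challenge location and the paths set at the top) and can print the final command with DRY_RUN=1 before anything runs.

```shell
#!/bin/sh
# Added example, not the PR's own update-cert.sh: the same certonly-or-renew
# decision, with CERTBOT_OPTIONS appended, but written so the final argv can
# be printed (DRY_RUN=1) and inspected before anything runs.
# Assumptions: webroot challenge via the nginx acme-challenge location,
# the shared webroot at $WEBROOT, and the default paths below.

: "${CERTBOT_DOMAIN:=your_domain.com}"
: "${CERTBOT_EMAIL:=example@your_domain.com}"
: "${CERTBOT_OPTIONS:=}"
: "${LETSENCRYPT_DIR:=/etc/letsencrypt}"
: "${WEBROOT:=/var/www/html}"

# certbot_mode <letsencrypt dir> <domain>: prints "renew" when a live
# certificate already exists for the domain, otherwise "certonly".
certbot_mode() {
    if [ -f "$1/live/$2/fullchain.pem" ]; then
        echo renew
    else
        echo certonly
    fi
}

# run_certbot <mode>: assembles the argument list and runs certbot.
# With DRY_RUN=1 it only prints the command it would run.
run_certbot() {
    mode=$1
    if [ "$mode" = certonly ]; then
        set -- certonly --webroot -w "$WEBROOT" -d "$CERTBOT_DOMAIN" \
            --email "$CERTBOT_EMAIL" --agree-tos --non-interactive
    elif [ "$mode" = renew ]; then
        set -- renew --webroot -w "$WEBROOT"
    else
        echo "unknown mode: $mode" >&2
        return 2
    fi
    # CERTBOT_OPTIONS is expanded unquoted on purpose so that a value such as
    # "--force-renewal --quiet" becomes separate arguments. Because the
    # options are appended to argv rather than passed through eval, a value
    # from .env cannot inject shell syntax.
    # shellcheck disable=SC2086
    set -- "$@" $CERTBOT_OPTIONS
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "certbot $*"
        return 0
    fi
    certbot "$@"
}

# Only act when explicitly asked, so sourcing the file for its functions
# never contacts the CA.
if [ "${RUN_CERTBOT:-0}" = 1 ]; then
    mode=$(certbot_mode "$LETSENCRYPT_DIR" "$CERTBOT_DOMAIN")
    if [ "$mode" = renew ]; then
        echo "Certificate exists. Attempting to renew..."
    else
        echo "Certificate does not exist. Obtaining a new certificate..."
    fi
    run_certbot "$mode" \
        && echo "Please ensure to reload Nginx to apply any certificate changes."
fi
```

Inside the certbot container, RUN_CERTBOT=1 DRY_RUN=1 sh update-cert-example.sh (hypothetical file name) shows exactly which arguments a given CERTBOT_OPTIONS value produces without touching the account or the certificate.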

Detailed Test Scenarios (click to expand)

Test scenarios for this update

Overview

These test scenarios assume:

  • Dify app is installed in dir ~/dify/docker

cd ~/dify/docker
sudo docker-compos

Scenario1: New feature: with certbot container

  1. Test that the server launches properly
  2. Test that certbot certonly command works by running certbot/update-cert.sh
  3. Test that certificate files obtained by the certbot certonly command work correctly
  4. Test that certbot renew command works by running certbot/update-cert.sh
  5. Test that CERTBOT_OPTIONS values are correctly applied to the certbot command

Scenario2: Backward compatibility: without certbot container

  1. Test that legacy procedure works

Details

Scenario1: New feature: with certbot container

Scenario1-1: Test that the server launches properly

Purpose:

  • Check that the server accepts normal http request.

Process overview:

  1. sudo docker-compose up
  2. Check that the server accepts normal http request
  3. sudo docker-compose down

Navigate to the dir ~/dify/docker and launch containers using docker-compose.yaml.

cd ~/dify/docker
sudo docker-compose up

Then check server accessibility (http)

http://your_domain.com

Then, docker-compose down

sudo docker-compose down

Scenario1-2: Test that certbot certonly command works by running certbot/update-cert.sh

Purpose:

  • Check that the server accepts requests for /.well-known/acme-challenge/
  • Check that by running certbot/update-cert.sh the certbot certonly command works and successfully gets cert files.

Process overview:

  1. Set .env values
  2. sudo docker-compose --profile certbot up
  3. sudo docker-compose exec -it certbot /bin/sh /update-cert.sh
  4. Check the results if necessary
  5. sudo docker-compose down

Create a file ~/dify/docker/.env.

cd ~/dify/docker
vim .env

Add the line below and save the file.
(Or if you already copied .env.example to .env, edit the key below)

NGINX_ENABLE_CERTBOT_CHALLENGE=true
CERTBOT_DOMAIN=your_domain.com
CERTBOT_EMAIL=example@your_domain.com

Launch containers using docker-compose.yaml with option --profile certbot.

sudo docker network prune
sudo docker-compose --profile certbot up --force-recreate

First check that the server is accessible using the http protocol.

http://your_domain.com

Then, via another terminal:

Navigate to ~/dify/docker and check that no cert action has been executed yet.

cd ~/dify/docker
sudo docker-compose exec -it certbot ls /etc/letsencrypt/live/
sudo docker-compose exec -it certbot ls /var/log/letsencrypt/

ls /var/log/letsencrypt/ may return some letsencrypt.log* files, since a log file is generated automatically each time the certbot container launches.

Execute the command certbot certonly by executing /update-cert.sh

sudo docker-compose exec -it certbot /bin/sh /update-cert.sh

Expected successful result as follows:

Certificate does not exist. Obtaining a new certificate...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for your_domain.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/your_domain.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/your_domain.com/privkey.pem
This certificate expires on 2024-10-23.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate operation successful
Please ensure to reload Nginx to apply any certificate changes.

Check certbot logs if necessary:

cat ~/dify/docker/volumes/certbot/logs/letsencrypt.log

Then docker-compose down

sudo docker-compose down

Scenario1-3: Test that certificate files obtained by the certbot certonly command work correctly

Purpose:

  • Check that the server accepts both http and https requests
  • Check that by running certbot/update-cert.sh the certbot certonly command works and successfully gets cert files.

Process overview:

  1. Set .env values
  2. sudo docker-compose --profile certbot up
  3. Check both http and https requests
  4. sudo docker-compose down

Edit .env file

vim .env

Add the line below and save the file.
(Or if you already copied .env.example to .env, edit the key below)

# Add (or edit if already exists):
NGINX_HTTPS_ENABLED=true
NGINX_SSL_CERT_FILENAME=fullchain.pem
NGINX_SSL_CERT_KEY_FILENAME=privkey.pem

# Keys below already there:
NGINX_ENABLE_CERTBOT_CHALLENGE=true
CERTBOT_DOMAIN=your_domain.com
CERTBOT_EMAIL=example@your_domain.com

Launch containers using docker-compose.yaml with option --profile certbot.

sudo docker network prune
sudo docker-compose --profile certbot up --force-recreate

Then check server accessibility (both http and https)

http://your_domain.com
https://your_domain.com

Then docker-compose down

sudo docker-compose down

Scenario1-4: Test that certbot renew command works by running certbot/update-cert.sh

Purpose:

  • Check that by running certbot/update-cert.sh the certbot certonly command works and successfully gets cert files.

Memo:
If the certificate already exists, certbot/update-cert.sh executes certbot renew.

Process overview:

  1. Set .env values
  2. sudo docker-compose --profile certbot up
  3. sudo docker-compose exec -it certbot /bin/sh /update-cert.sh
  4. Check that the timestamps of the cert files do NOT change
  5. sudo docker-compose down

Edit .env file

vim .env

Add the line below and save the file.
(Or if you already copied .env.example to .env, edit the key below)

# Add (or edit if already exists):
NGINX_CREATE_CERTBOT_CHALLENGE_LOCATION=true

# Keys below already there:
NGINX_HTTPS_ENABLED=true
NGINX_SSL_CERT_FILENAME=fullchain.pem
NGINX_SSL_CERT_KEY_FILENAME=privkey.pem
NGINX_ENABLE_CERTBOT_CHALLENGE=true
CERTBOT_DOMAIN=your_domain.com
CERTBOT_EMAIL=example@your_domain.com

Launch containers using docker-compose.yaml with option --profile certbot.

sudo docker network prune
sudo docker-compose --profile certbot up --force-recreate

Navigate to ~/dify/docker and check current cert files' timestamp:

cd ~/dify/docker
sudo docker-compose exec -it certbot ls -al /etc/letsencrypt/live/your_domain.com/
total 12
drwxr-xr-x    2 root     root          4096 Jul 25 22:06 .
drwxr-xr-x    3 root     root          4096 Jul 25 22:06 ..
-rw-r--r--    1 root     root           692 Jul 25 22:06 README
lrwxrwxrwx    1 root     root            38 Jul 25 22:06 cert.pem -> ../../archive/your_domain.com/cert1.pem
lrwxrwxrwx    1 root     root            39 Jul 25 22:06 chain.pem -> ../../archive/your_domain.com/chain1.pem
lrwxrwxrwx    1 root     root            43 Jul 25 22:06 fullchain.pem -> ../../archive/your_domain.com/fullchain1.pem
lrwxrwxrwx    1 root     root            41 Jul 25 22:06 privkey.pem -> ../../archive/your_domain.com/privkey1.pem

Execute the command certbot renew by executing /update-cert.sh

sudo docker-compose exec -it certbot /bin/sh /update-cert.sh

Expected successful result as follows (no renewals were attempted, as the certs are not due for renewal).

Certificate exists. Attempting to renew...
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/your_domain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/your_domain.com/fullchain.pem expires on 2024-10-23 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate operation successful
Please ensure to reload Nginx to apply any certificate changes.

Check that the cert files were not updated.

cd ~/dify/docker
sudo docker-compose exec -it certbot ls -al /etc/letsencrypt/live/your_domain.com/
total 12
drwxr-xr-x    2 root     root          4096 Jul 25 22:06 .
drwxr-xr-x    3 root     root          4096 Jul 25 22:06 ..
-rw-r--r--    1 root     root           692 Jul 25 22:06 README
lrwxrwxrwx    1 root     root            38 Jul 25 22:06 cert.pem -> ../../archive/your_domain.com/cert1.pem
lrwxrwxrwx    1 root     root            39 Jul 25 22:06 chain.pem -> ../../archive/your_domain.com/chain1.pem
lrwxrwxrwx    1 root     root            43 Jul 25 22:06 fullchain.pem -> ../../archive/your_domain.com/fullchain1.pem
lrwxrwxrwx    1 root     root            41 Jul 25 22:06 privkey.pem -> ../../archive/your_domain.com/privkey1.pem

Check certbot logs if necessary:

cat ~/dify/docker/volumes/certbot/logs/letsencrypt.log

Then docker-compose down

sudo docker-compose down

Scenario1-5: Test that CERTBOT_OPTIONS values are correctly applied to the certbot command

Purpose:

  • Check that CERTBOT_OPTIONS values are correctly applied to the certbot command

Process overview:

  1. Set .env values
  2. sudo docker-compose --profile certbot up
  3. sudo docker-compose exec -it certbot /bin/sh /update-cert.sh
  4. Check that the timestamps of the cert files DO change
  5. sudo docker-compose down

Edit .env file

vim .env

Add the line below and save the file.
(Or if you already copied .env.example to .env, edit the key below)

# Add (or edit if already exists):
CERTBOT_OPTIONS=--force-renewal

# Keys below already there:
NGINX_CREATE_CERTBOT_CHALLENGE_LOCATION=true
NGINX_HTTPS_ENABLED=true
NGINX_SSL_CERT_FILENAME=fullchain.pem
NGINX_SSL_CERT_KEY_FILENAME=privkey.pem
NGINX_ENABLE_CERTBOT_CHALLENGE=true
CERTBOT_DOMAIN=your_domain.com
CERTBOT_EMAIL=example@your_domain.com

Launch containers using docker-compose.yaml with option --profile certbot.

sudo docker network prune
sudo docker-compose --profile certbot up --force-recreate

Navigate to ~/dify/docker and check current cert files' timestamp:

cd ~/dify/docker
sudo docker-compose exec -it certbot ls -al /etc/letsencrypt/live/your_domain.com/
total 12
drwxr-xr-x    2 root     root          4096 Jul 25 22:06 .
drwxr-xr-x    3 root     root          4096 Jul 25 22:06 ..
-rw-r--r--    1 root     root           692 Jul 25 22:06 README
lrwxrwxrwx    1 root     root            38 Jul 25 22:06 cert.pem -> ../../archive/your_domain.com/cert1.pem
lrwxrwxrwx    1 root     root            39 Jul 25 22:06 chain.pem -> ../../archive/your_domain.com/chain1.pem
lrwxrwxrwx    1 root     root            43 Jul 25 22:06 fullchain.pem -> ../../archive/your_domain.com/fullchain1.pem
lrwxrwxrwx    1 root     root            41 Jul 25 22:06 privkey.pem -> ../../archive/your_domain.com/privkey1.pem

Execute the command certbot renew by executing /update-cert.sh

sudo docker-compose exec -it certbot /bin/sh /update-cert.sh

Expected successful result as follows (updated even though the certs are not due for renewal).

webapp@ccc:~/dify/docker$ sudo docker-compose exec -it certbot /bin/sh /update-cert.sh
Certificate exists. Attempting to renew...
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/your_domain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for your_domain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
  /etc/letsencrypt/live/your_domain.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate operation successful
Please ensure to reload Nginx to apply any certificate changes.

Check that the cert files were updated.

cd ~/dify/docker
sudo docker-compose exec -it certbot ls -al /etc/letsencrypt/live/your_domain.com/
total 12
drwxr-xr-x    2 root     root          4096 Jul 25 23:01 .
drwxr-xr-x    3 root     root          4096 Jul 25 22:06 ..
-rw-r--r--    1 root     root           692 Jul 25 22:06 README
lrwxrwxrwx    1 root     root            38 Jul 25 23:01 cert.pem -> ../../archive/your_domain.com/cert2.pem
lrwxrwxrwx    1 root     root            39 Jul 25 23:01 chain.pem -> ../../archive/your_domain.com/chain2.pem
lrwxrwxrwx    1 root     root            43 Jul 25 23:01 fullchain.pem -> ../../archive/your_domain.com/fullchain2.pem
lrwxrwxrwx    1 root     root            41 Jul 25 23:01 privkey.pem -> ../../archive/your_domain.com/privkey2.pem

Check certbot logs if necessary:

cat ~/dify/docker/volumes/certbot/logs/letsencrypt.log

Then check that the renewed cert files are effective by:

Reload Nginx

sudo docker-compose exec nginx nginx -s reload

Or restart docker containers

sudo docker-compose down
sudo docker network prune
sudo docker-compose --profile certbot up --force-recreate

Then check server accessibility (both http and https)

http://your_domain.com
https://your_domain.com

Then, it is recommended to set the CERTBOT_OPTIONS value blank (or delete the key)

vim .env

Edit the line below and save the file.
(Or if you already copied .env.example to .env, edit the key below)

# Edit
CERTBOT_OPTIONS=""

# Keys below already there:
NGINX_CREATE_CERTBOT_CHALLENGE_LOCATION=true
NGINX_HTTPS_ENABLED=true
NGINX_SSL_CERT_FILENAME=fullchain.pem
NGINX_SSL_CERT_KEY_FILENAME=privkey.pem
NGINX_ENABLE_CERTBOT_CHALLENGE=true
CERTBOT_DOMAIN=your_domain.com
CERTBOT_EMAIL=example@your_domain.com

Then docker-compose down

sudo docker-compose down

Scenario2: Backward compatibility: without certbot container

Memo:
Create a new server. Don't use the server used for the scenario test 1

Scenario2-1. Test that legacy procedure works

Purpose:
Confirm that legacy docker/nginx/ssl storage also works as cert files location.

Process overview:

  1. Get cert files using host os certbot
  2. Copy cert files to docker/nginx/ssl
  3. sudo docker-compose
  4. Check both http and https requests
  5. sudo docker-compose down

Get cert files using host os' certbot

# Update system packages
sudo apt update

# Install Certbot
sudo apt install certbot

# Obtain SSL certificate (standalone mode)
sudo certbot certonly --standalone -d your_domain.com

Copy the cert files to nginx/ssl/ and set read permission.

sudo ls -al /etc/letsencrypt/live/your_domain.com/

sudo cp -L /etc/letsencrypt/live/your_domain.com/{cert,chain,fullchain,privkey}.pem ~/dify/docker/nginx/ssl/
sudo mv ~/dify/docker/nginx/ssl/fullchain.pem ~/dify/docker/nginx/ssl/dify.crt
sudo mv ~/dify/docker/nginx/ssl/privkey.pem ~/dify/docker/nginx/ssl/dify.key

sudo chmod +r ~/dify/docker/nginx/ssl/*

ls -al ~/dify/docker/nginx/ssl/

Then you'll find that dify.crt and dify.key exist in the dir docker/nginx/ssl/.

total 24
drwxrwxr-x 2 webapp webapp 4096 Jul 25 23:34 .
drwxrwxr-x 4 webapp webapp 4096 Jul 24 16:48 ..
-rw-rw-r-- 1 webapp webapp    0 Jul 24 09:45 .gitkeep
-rw-r--r-- 1 root   root   1273 Jul 25 23:34 cert.pem
-rw-r--r-- 1 root   root   1566 Jul 25 23:34 chain.pem
-rw-r--r-- 1 root   root   2839 Jul 25 23:34 dify.crt
-rw-r--r-- 1 root   root    241 Jul 25 23:34 dify.key
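A pre-flight check for the copied files, added here and not part of the PR: it verifies that dify.crt and dify.key belong together, that the key is not world-readable after the chmod +r step, and that the certificate is not about to expire. SSL_DIR and the assumption that the nginx container reads the key as root are mine.

```shell
#!/bin/sh
# Added example, not part of the PR: pre-flight checks for the cert files
# copied into nginx/ssl, run on the host before docker-compose up.
# Assumes the file names from the listing above (dify.crt, dify.key) and
# that openssl is installed on the host (it is wherever certbot was installed).

: "${SSL_DIR:=$HOME/dify/docker/nginx/ssl}"

# key_not_world_readable <file>: succeeds when the "other" read bit is clear.
# chmod +r sets that bit on dify.key as well; the nginx container reads the
# key as root (assumption about the image), so 640 or 600 is sufficient.
key_not_world_readable() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ???????r??) return 1 ;;
        *)          return 0 ;;
    esac
}

# cert_matches_key <crt> <key>: succeeds when both carry the same public key,
# i.e. fullchain.pem and privkey.pem were copied from the same live/ directory.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for_days <crt> <days>: succeeds when the leaf certificate does
# not expire within the given number of days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check_ssl_dir <dir>: runs all checks, prints findings, returns 1 on any failure.
check_ssl_dir() {
    dir=$1
    rc=0
    for f in dify.crt dify.key; do
        if [ ! -f "$dir/$f" ]; then
            echo "FAIL: $dir/$f is missing"
            return 1
        fi
    done
    if ! key_not_world_readable "$dir/dify.key"; then
        echo "WARN: $dir/dify.key is world-readable (try: chmod 640 $dir/dify.key)"
        rc=1
    fi
    if ! cert_matches_key "$dir/dify.crt" "$dir/dify.key"; then
        echo "FAIL: dify.crt and dify.key do not belong together"
        rc=1
    fi
    if ! cert_valid_for_days "$dir/dify.crt" 30; then
        echo "WARN: dify.crt expires within 30 days; renew before relying on it"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir is ready for NGINX_HTTPS_ENABLED=true"
    return "$rc"
}

# Run the checks only when a directory is given, e.g.:
#   sh check-ssl-dir.sh ~/dify/docker/nginx/ssl
if [ $# -gt 0 ]; then
    check_ssl_dir "$1"
fi
```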

Create a file ~/dify/docker/.env.

cd ~/dify/docker
vim .env

Add the line below and save the file.
(Or if you already copied .env.example to .env, edit the key below)

# Add (or edit if already exists):
NGINX_HTTPS_ENABLED=true

Navigate to the dir ~/dify/docker and launch containers using docker-compose.yaml.

cd ~/dify/docker
sudo docker-compose up

Then check server accessibility (both http and https)

http://your_domain.com
https://your_domain.com

Then docker-compose down

sudo docker-compose down

k-brahma avatar Jul 26 '24 04:07 k-brahma

@takatost @laipz8200 Please take a look at this one. :)

crazywoola avatar Jul 26 '24 05:07 crazywoola

Please fix the lint errors in this PR.

crazywoola avatar Jul 26 '24 05:07 crazywoola

Thank you for your review.

I understand the linter cited two issues.

I'm considering the following approach but please advise me if there's other preferable way to make it.

  • Rename docker/certbot/update-cert.sh.template to docker/certbot/update-cert.template
  • In docker/certbot/docker-entrypoint.sh, remove the last line: echo "\nExecuting command:" "$@"

I'll fix them by tomorrow. I appreciate your patience.

k-brahma avatar Jul 26 '24 23:07 k-brahma

Hi @guchenhe, could you please provide some advice?

takatost avatar Jul 27 '24 01:07 takatost

I think I could make it.

  • Rename docker/certbot/update-cert.sh.template to docker/certbot/update-cert.template
  • In docker/certbot/docker-entrypoint.sh, do NOT remove the last line echo "\nExecuting command:" "$@" but change the echo command to printf.

Now I'm testing the whole process so please wait for a while.

k-brahma avatar Jul 28 '24 16:07 k-brahma

I think I've fixed the linter issues.

I also re-wrote the scenario test procedures in the PR doc, which now include a test for migration from the legacy to the new configuration.

  1. use main branch until https connection enables
  2. checkout to this branch
  3. check https connections still effective

See section below:

Scenario2: Backward compatibility: without certbot container

  1. Test main branch procedure works
  2. Test that legacy procedure works

k-brahma avatar Jul 29 '24 00:07 k-brahma

LGTM! @k-brahma thank you for the PR

guchenhe avatar Jul 29 '24 15:07 guchenhe

Hi @guchenhe, I noticed that after you merged my PR, a SuperLinter error appeared in the log: "Error: File:[/github/workspace/docker/certbot/update-cert.template] is not executable" (line 342).

In my PR, I intentionally set this file to be readable but not executable, as it's a template file and not meant to be executed directly. What's curious to me is that when I pushed my changes, no error was raised, but now it seems to be an issue. :(

In any case, to resolve this error, I can think of three possible solutions:

  1. Modify the SuperLinter YAML settings to grant execute permission to SuperLinter during execution.
  2. Adjust the SuperLinter YAML settings to exclude this specific file from syntax checking.
  3. Simply set the execute permission on the template file (though this may not be ideal given its purpose).

There might be other solutions I haven't considered as well. If you prefer options 1 or 2, please let me know which file I should modify, and I'll make the changes. However, I'm open to any other suggestions you may have. Let me know what you think is the best approach. I'm happy to make any necessary changes to resolve this issue. Thanks for your guidance,

k-brahma avatar Jul 30 '24 02:07 k-brahma

Hi @k-brahma, your PR happens to touch on the infra and deployment setup - super-linter is another suite of format checks only ran in GitHub actions, and is different from the local linting checks ran for frontend and backend code. my guess is that super-linter classified the .template file as an executable given the shebang header in the file. I think adding an additional .txt suffix might be a better way to resolve this. Would you be open to making the change?

guchenhe avatar Jul 30 '24 07:07 guchenhe

Hi @guchenhe ,thank you for reply.

So first I'll try to fix the error by changing the file name. Then if it's not enough I'll try to change the "update-cert.sh" generation flow. That is, first remove the shebang string from update-cert.template and prepend the line when generating the .sh file.

regards

k-brahma avatar Jul 30 '24 08:07 k-brahma

Renamed "update-cert.template" to "update-cert.template.txt" and the branch is now waiting for GitHub actions check result...

k-brahma avatar Jul 30 '24 11:07 k-brahma

Hi @guchenhe san,

https://github.com/langgenius/dify/actions/runs/10161350824/job/28133322124?pr=6702

BASH_EXEC 2024-07-31 00:26:27 [INFO] Linting BASH_EXEC items... Error: -31 00:26:27 [ERROR] Found errors when linting BASH_EXEC. Exit code: 1. 2024-07-31 00:26:27 [INFO] Command output for BASH_EXEC:

Error: File:[/github/workspace/docker/certbot/update-cert.template.txt] is not executable

It looks like even .txt extension couldn't suffer from the error. I'll try to remove shebang from the .txt and prepend it when creating the .sh file.

k-brahma avatar Jul 31 '24 02:07 k-brahma

@guchenhe san,

I set execute permission for update-cert.template.txt, as it's rather clear for humans to understand than adding shebang when creating update-cert.sh.

regards,

k-brahma avatar Jul 31 '24 02:07 k-brahma

I see, this makes sense too. I've gone ahead and merged. If you are on Discord, feel free to add me for direct comms in the future! My handle is guchenhe. Thanks so much for the code!

guchenhe avatar Jul 31 '24 05:07 guchenhe