ansible-playbook
Certbot support using certbot nginx plugin
Simplifies using playbook to issue and use LetsEncrypt certificates.
With that one new suggestion, I'm OK with merging this. Maybe someone else has an older cert they can test for renewal?
Well, the automatic renewal did not work on my system:
2020-05-12 06:26:19,263:DEBUG:acme.standalone:Failed to bind to :80 using IPv6
2020-05-12 06:26:19,263:DEBUG:acme.standalone:Failed to bind to :80 using IPv4
Is there something I should check?
$ sudo cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
#
# Important Note! This cronjob will NOT be executed if you are
# running systemd as your init system. If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob. For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
Try running /usr/bin/certbot renew manually and see what error it gives you.
I don't understand what that cron job does. This is what I have:
@monthly /usr/bin/certbot renew --post-hook "service nginx restart"
I expect the manual invocation of /usr/bin/certbot renew to work. I haven't tried it.
Maybe we should change the cronjob that python3-certbot-nginx creates to your version?
I wonder if there's any chance that stevepiercy has a combination of the nginx and standalone versions of certbot installed on a test machine. The "failed to bind" error would indicate that certbot tried to use its standalone web server without knowledge of the nginx install.
Yes, I did install standalone originally on this machine.
I think that --nginx must be included in the cronjob command. That cronjob comes from the package python3-certbot-nginx, right? If so, what would be the best option to resolve the issue?
I found that this probably depends on the [renewalparams] / authenticator value in the /etc/letsencrypt/renewal/yourdomain.conf file. In my case, authenticator = nginx, and also installer = nginx, which was probably set when I first ran certbot (which was manual, not via ansible). But yeah, the first time it needs to be run with --nginx.
Aye, there she is!
authenticator = standalone
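As an added example (not code from this PR or the plone/ansible-playbook project): a small POSIX shell check for the renewal config discussed above, which reads the [renewalparams] section of a /etc/letsencrypt/renewal/<site>.conf file and warns when renewal would fall back to the standalone authenticator instead of the nginx plugin. The file layout and the authenticator / installer keys are certbot's own; the two sample conf files are constructed here for the demo, and the check_nginx_renewal function name is my own.

```sh
#!/bin/sh
# Added example, not part of the ansible-playbook repo.
# Inspect certbot renewal configs and report which authenticator/installer
# "certbot renew" will use. The [renewalparams] "key = value" layout is
# certbot's real format; the sample files below are constructed for the demo.

# Print the value of KEY from the [renewalparams] section of FILE (empty if unset).
renewal_param() {
    file="$1"; key="$2"
    awk -v key="$key" '
        /^\[/ { in_sec = ($0 == "[renewalparams]"); next }
        in_sec && $1 == key && $2 == "=" { print $3; exit }
    ' "$file"
}

# Return 0 if renewal will go through the nginx plugin, 1 otherwise.
# A "standalone" (or unset) authenticator makes certbot start its own web
# server on :80, which fails with "Failed to bind to :80" while nginx is up.
check_nginx_renewal() {
    auth=$(renewal_param "$1" authenticator)
    inst=$(renewal_param "$1" installer)
    if [ "$auth" = "nginx" ] && [ "$inst" = "nginx" ]; then
        echo "$1: ok (authenticator=$auth installer=$inst)"
        return 0
    fi
    echo "$1: WARNING authenticator=${auth:-unset} installer=${inst:-unset}; renewal will not use the nginx plugin" >&2
    return 1
}

# Constructed sample files standing in for /etc/letsencrypt/renewal/<site>.conf.
tmpdir=$(mktemp -d)
cat > "$tmpdir/good.conf" <<'EOF'
# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/example.org
cert = /etc/letsencrypt/live/example.org/cert.pem

# Options used in the renewal process
[renewalparams]
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
EOF
cat > "$tmpdir/bad.conf" <<'EOF'
version = 0.40.0
[renewalparams]
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
EOF

# Usage: run the check over every renewal conf, as you would on a real host with
#   for f in /etc/letsencrypt/renewal/*.conf; do check_nginx_renewal "$f"; done
for f in "$tmpdir"/*.conf; do
    check_nginx_renewal "$f" || true
done
```

On a host where the second form shows up, re-running certbot once with --nginx for that domain rewrites the renewal conf so that the package cron job / systemd timer, which just calls certbot -q renew, picks the nginx plugin on its own.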
The next time I deploy another Plone instance (which could be next week) I will check my /etc/letsencrypt/renewal/<site>.conf. Has anyone else done a clean install with this branch, and can check theirs? I think this bit was the only thing holding up the merge of this PR.
Some bad news: the nginx certbot plugin is not working with Ubuntu 20.04 (focal). Looks like the bug's been reported and is fixable, but we'll want to wait for that fix before considering this as supported on Focal. https://github.com/certbot/certbot/issues/7951
I did some digging, and it looks like a release with the fix is imminent.
@smcmahon ping. Would you please rebase on master, merge HISTORY.txt, and push?
I can take a look at this on the weekend if no one else does before
Rebased with master. certbot.yml test passes on bionic.