Details

Reviewers

Maniphest Tasks

Commits

rOPSe01ae4056a97: Provide a Let's encrypt unit
rOPS0e59fb219609: Provide a Let's encrypt unit

Summary

Our current goal is to provide an unit to use Let's encrypt certificates
everywhere. For that we create a new letsencrypt unit in the core role.

This change focus to cleanup the repository and consolidate Let's encrypt
artefacts in one place.

We first integrate to this unit the renew service prepared at cd39c567ec4f
after a little cleanup (oneshot mode, use the default service name for timer).
We then move the software requirement here too.

The certbot name is enforced.

Test Plan

assert Salt checks for the certbot package
test the service on Eglide

Diff Detail

Repository

rOPS Nasqueron Operations

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

dereckson created this revision.Apr 27 2017, 14:39

First run note a service failure as renewal script failed with the typo:

----------
          ID: letsencrypt_renew_running
    Function: service.running
        Name: letsencrypt-renew
      Result: False
     Comment: Failed to start the service
     Started: 14:39:50.216620
    Duration: 453.555 ms
     Changes:   
              ----------
              letsencrypt-renew:
                  False

Eglide

$ systemctl status letsencrypt-renew
● letsencrypt-renew.service - Renew Let's encrypt certificates.
   Loaded: loaded (/etc/systemd/system/letsencrypt-renew.service; static; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2017-04-27 14:39:50 UTC; 1min 53s ago
  Process: 7155 ExecStart=/usr/local/sbin/letsencrypt-renewal (code=exited, status=127)
 Main PID: 7155 (code=exited, status=127)

Apr 27 14:39:50 eglide.org systemd[1]: Starting Renew Let's encrypt certificates....
Apr 27 14:39:50 eglide.org letsencrypt-renewal[7155]: /usr/local/sbin/letsencrypt-renewal: 31: /usr/local/sbin/letsencrypt-renewal: cerbot: not found
Apr 27 14:39:50 eglide.org systemd[1]: letsencrypt-renew.service: Main process exited, code=exited, status=127/n/a
Apr 27 14:39:50 eglide.org systemd[1]: Failed to start Renew Let's encrypt certificates..
Apr 27 14:39:50 eglide.org systemd[1]: letsencrypt-renew.service: Unit entered failed state.
Apr 27 14:39:50 eglide.org systemd[1]: letsencrypt-renew.service: Failed with result 'exit-code'.

roles/core/letsencrypt/files/letsencrypt-renewal.sh
31	certbot

Fix certbot typo

Don't try to get a service running if it's a oneshot

Both the service and the salt state works on Eglide:

Salt master

$ salt eglide state.apply roles/core/letsencrypt
eglide:
----------
          ID: letsencrypt_software
    Function: pkg.installed
        Name: certbot
      Result: True
     Comment: Package certbot is already installed
     Started: 14:51:50.340686
    Duration: 3256.491 ms
     Changes:   
----------
          ID: /usr/local/sbin/letsencrypt-renewal
    Function: file.managed
      Result: True
     Comment: File /usr/local/sbin/letsencrypt-renewal is in the correct state
     Started: 14:51:53.610020
    Duration: 568.16 ms
     Changes:   
----------
          ID: letsencrypt_renew_unit
    Function: file.managed
        Name: /etc/systemd/system/letsencrypt-renew.service
      Result: True
     Comment: File /etc/systemd/system/letsencrypt-renew.service is in the correct state
     Started: 14:51:54.179294
    Duration: 498.446 ms
     Changes:   
----------
          ID: letsencrypt_renew_unit
    Function: module.run
        Name: service.force_reload
      Result: True
     Comment: State was not run because none of the onchanges reqs changed
     Changes:   
----------
          ID: letsencrypt_renew_enable
    Function: service.enabled
        Name: letsencrypt-renew
      Result: True
     Comment: Service letsencrypt-renew is already enabled, and is in the desired state
     Started: 14:51:54.687717
    Duration: 179.121 ms
     Changes:   

Summary for eglide
------------
Succeeded: 5
Failed:    0
------------
Total states run:     5
Total run time:   4.502 s

Eglide

$ systemctl status letsencrypt-renew
● letsencrypt-renew.service - Renew Let's encrypt certificates.
   Loaded: loaded (/etc/systemd/system/letsencrypt-renew.service; static; vendor preset: enabled)
   Active: inactive (dead)

Apr 27 14:43:41 eglide.org letsencrypt-renewal[7256]: No renewals were attempted.
Apr 27 14:43:41 eglide.org systemd[1]: Started Renew Let's encrypt certificates..
Apr 27 14:45:06 eglide.org systemd[1]: Starting Renew Let's encrypt certificates....
Apr 27 14:45:11 eglide.org letsencrypt-renewal[7346]: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Apr 27 14:45:11 eglide.org letsencrypt-renewal[7346]: No renewals were attempted.
Apr 27 14:45:12 eglide.org systemd[1]: Started Renew Let's encrypt certificates..
Apr 27 14:45:39 eglide.org systemd[1]: Starting Renew Let's encrypt certificates....
Apr 27 14:45:45 eglide.org letsencrypt-renewal[7393]: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Apr 27 14:45:45 eglide.org letsencrypt-renewal[7393]: No renewals were attempted.
Apr 27 14:45:45 eglide.org systemd[1]: Started Renew Let's encrypt certificates..

dereckson marked an inline comment as done.Apr 27 2017, 14:54

Move list of certificates to generate to next commit

dereckson added a child revision: D966: Generate Let's encrypt certificates.Apr 27 2017, 15:14

Closed by commit rOPS0e59fb219609: Provide a Let's encrypt unit (authored by dereckson, committed by dereckson). · Explain WhyApr 27 2017, 16:32

This revision was automatically updated to reflect the committed changes.

dereckson reopened this revision.Apr 27 2017, 16:47

dereckson added a task: T819: Web hosting on Eglide.Apr 27 2017, 17:43

Sandlayth accepted this revision.Apr 28 2017, 04:46

This revision is now accepted and ready to land.Apr 28 2017, 04:46

Closed by commit rOPSe01ae4056a97: Provide a Let's encrypt unit (authored by dereckson, committed by dereckson). · Explain WhyApr 28 2017, 08:36

This revision was automatically updated to reflect the committed changes.

Provide a Let's encrypt unit
ClosedPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 2490

roles/core/letsencrypt-renew/files/letsencrypt-renewal.sh

roles/core/letsencrypt-renew/files/letsencrypt.service

roles/core/letsencrypt-renew/files/letsencrypt.timer

roles/core/letsencrypt/files/letsencrypt-renew.service

roles/core/letsencrypt/files/letsencrypt-renew.timer

roles/core/letsencrypt/files/letsencrypt-renewal.sh

roles/core/letsencrypt/init.sls

roles/core/letsencrypt/service.sls

roles/core/letsencrypt/software.sls

top.sls

Provide a Let's encrypt unitClosedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 2490

roles/core/letsencrypt-renew/files/letsencrypt-renewal.sh

roles/core/letsencrypt-renew/files/letsencrypt.service

roles/core/letsencrypt-renew/files/letsencrypt.timer

roles/core/letsencrypt/files/letsencrypt-renew.service

roles/core/letsencrypt/files/letsencrypt-renew.timer

roles/core/letsencrypt/files/letsencrypt-renewal.sh

roles/core/letsencrypt/init.sls

roles/core/letsencrypt/service.sls

roles/core/letsencrypt/software.sls

top.sls

Provide a Let's encrypt unit
ClosedPublic
Actions

Revision Contents
Changeset List