Provide a Let's encrypt unit
ClosedPublic

Authored by dereckson on Apr 27 2017, 14:39.

Details

Summary

Our current goal is to provide a unit to use Let's encrypt certificates
everywhere. For that we create a new letsencrypt unit in the core role.

This change focuses on cleaning up the repository and consolidating Let's encrypt
artefacts in one place.

We first integrate to this unit the renew service prepared at cd39c567ec4f
after a little cleanup (oneshot mode, use the default service name for timer).
We then move the software requirement here too.

The certbot name is enforced.

Test Plan
  • assert Salt checks for the certbot package
  • test the service on Eglide

Diff Detail

Repository: rOPS Nasqueron Operations
Lint: Not Applicable
Unit Tests: Not Applicable

Event Timeline

dereckson planned changes to this revision. Edited Apr 27 2017, 14:41

First run notes a service failure, as the renewal script failed with the typo:

----------
          ID: letsencrypt_renew_running
    Function: service.running
        Name: letsencrypt-renew
      Result: False
     Comment: Failed to start the service
     Started: 14:39:50.216620
    Duration: 453.555 ms
     Changes:   
              ----------
              letsencrypt-renew:
                  False
Eglide
$ systemctl status letsencrypt-renew
● letsencrypt-renew.service - Renew Let's encrypt certificates.
   Loaded: loaded (/etc/systemd/system/letsencrypt-renew.service; static; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2017-04-27 14:39:50 UTC; 1min 53s ago
  Process: 7155 ExecStart=/usr/local/sbin/letsencrypt-renewal (code=exited, status=127)
 Main PID: 7155 (code=exited, status=127)

Apr 27 14:39:50 eglide.org systemd[1]: Starting Renew Let's encrypt certificates....
Apr 27 14:39:50 eglide.org letsencrypt-renewal[7155]: /usr/local/sbin/letsencrypt-renewal: 31: /usr/local/sbin/letsencrypt-renewal: cerbot: not found
Apr 27 14:39:50 eglide.org systemd[1]: letsencrypt-renew.service: Main process exited, code=exited, status=127/n/a
Apr 27 14:39:50 eglide.org systemd[1]: Failed to start Renew Let's encrypt certificates..
Apr 27 14:39:50 eglide.org systemd[1]: letsencrypt-renew.service: Unit entered failed state.
Apr 27 14:39:50 eglide.org systemd[1]: letsencrypt-renew.service: Failed with result 'exit-code'.
Inline comment on roles/core/letsencrypt/files/letsencrypt-renewal.sh, line 31:

certbot

Don't try to get a service running if it's a oneshot

Both the service and the salt state work on Eglide:

Salt master
$ salt eglide state.apply roles/core/letsencrypt
eglide:
----------
          ID: letsencrypt_software
    Function: pkg.installed
        Name: certbot
      Result: True
     Comment: Package certbot is already installed
     Started: 14:51:50.340686
    Duration: 3256.491 ms
     Changes:   
----------
          ID: /usr/local/sbin/letsencrypt-renewal
    Function: file.managed
      Result: True
     Comment: File /usr/local/sbin/letsencrypt-renewal is in the correct state
     Started: 14:51:53.610020
    Duration: 568.16 ms
     Changes:   
----------
          ID: letsencrypt_renew_unit
    Function: file.managed
        Name: /etc/systemd/system/letsencrypt-renew.service
      Result: True
     Comment: File /etc/systemd/system/letsencrypt-renew.service is in the correct state
     Started: 14:51:54.179294
    Duration: 498.446 ms
     Changes:   
----------
          ID: letsencrypt_renew_unit
    Function: module.run
        Name: service.force_reload
      Result: True
     Comment: State was not run because none of the onchanges reqs changed
     Changes:   
----------
          ID: letsencrypt_renew_enable
    Function: service.enabled
        Name: letsencrypt-renew
      Result: True
     Comment: Service letsencrypt-renew is already enabled, and is in the desired state
     Started: 14:51:54.687717
    Duration: 179.121 ms
     Changes:   

Summary for eglide
------------
Succeeded: 5
Failed:    0
------------
Total states run:     5
Total run time:   4.502 s
Eglide
$ systemctl status letsencrypt-renew
● letsencrypt-renew.service - Renew Let's encrypt certificates.
   Loaded: loaded (/etc/systemd/system/letsencrypt-renew.service; static; vendor preset: enabled)
   Active: inactive (dead)

Apr 27 14:43:41 eglide.org letsencrypt-renewal[7256]: No renewals were attempted.
Apr 27 14:43:41 eglide.org systemd[1]: Started Renew Let's encrypt certificates..
Apr 27 14:45:06 eglide.org systemd[1]: Starting Renew Let's encrypt certificates....
Apr 27 14:45:11 eglide.org letsencrypt-renewal[7346]: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Apr 27 14:45:11 eglide.org letsencrypt-renewal[7346]: No renewals were attempted.
Apr 27 14:45:12 eglide.org systemd[1]: Started Renew Let's encrypt certificates..
Apr 27 14:45:39 eglide.org systemd[1]: Starting Renew Let's encrypt certificates....
Apr 27 14:45:45 eglide.org letsencrypt-renewal[7393]: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Apr 27 14:45:45 eglide.org letsencrypt-renewal[7393]: No renewals were attempted.
Apr 27 14:45:45 eglide.org systemd[1]: Started Renew Let's encrypt certificates..
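The following Salt state is an added example, not the rOPS repository's own roles/core/letsencrypt state file. It reproduces the state IDs from the run above and shows why the renewal service is managed with service.enabled rather than service.running: a Type=oneshot unit is "inactive (dead)" between runs, so a service.running state would try to start it on every highstate and report a failure whenever the script exits non-zero, exactly as the first run did. The unit contents, the companion letsencrypt-renew.timer and its daily schedule are assumptions for illustration (the run above enables letsencrypt-renew itself; the example enables the timer, since that is what actually schedules the renewal).

```yaml
# Added example (not the rOPS roles/core/letsencrypt state): Salt SLS for a
# oneshot renewal service driven by a timer. Unit contents, the timer and
# its schedule are assumed for illustration.

letsencrypt_software:
  pkg.installed:
    # Pin the real package name: the renewal script calls "certbot", and a
    # typo in the script ("cerbot") fails with exit status 127.
    - name: certbot

/usr/local/sbin/letsencrypt-renewal:
  file.managed:
    - source: salt://roles/core/letsencrypt/files/letsencrypt-renewal.sh
    - mode: 755
    - require:
      - pkg: letsencrypt_software

letsencrypt_renew_unit:
  file.managed:
    - name: /etc/systemd/system/letsencrypt-renew.service
    - contents: |
        [Unit]
        Description=Renew Let's encrypt certificates.

        [Service]
        # oneshot: the unit is "inactive (dead)" once the script returns,
        # so nothing should assert it is "running".
        Type=oneshot
        ExecStart=/usr/local/sbin/letsencrypt-renewal
  module.run:
    # Reload systemd only when the unit file actually changed.
    - name: service.force_reload
    - onchanges:
      - file: letsencrypt_renew_unit

# Assumed companion timer. With no Unit= key in [Timer], systemd activates
# the service with the same name (letsencrypt-renew.service) by default,
# which is the "default service name for timer" mentioned in the summary.
letsencrypt_renew_timer:
  file.managed:
    - name: /etc/systemd/system/letsencrypt-renew.timer
    - contents: |
        [Unit]
        Description=Schedule Let's encrypt renewal.

        [Timer]
        OnCalendar=daily
        Persistent=true

        [Install]
        WantedBy=timers.target
    - onchanges_in:
      - module: letsencrypt_renew_unit

letsencrypt_renew_enable:
  # Enabling is idempotent and says nothing about the current run state,
  # so the highstate stays green between scheduled renewals. The service
  # unit has no [Install] section (it is "static"), so the timer is the
  # unit that must be enabled for renewals to happen at all.
  service.enabled:
    - name: letsencrypt-renew.timer
    - require:
      - file: letsencrypt_renew_timer
```

Applying this with `salt eglide state.apply roles/core/letsencrypt` and then checking `systemctl list-timers letsencrypt-renew.timer` confirms the schedule is armed; a renewal that fails still surfaces in `systemctl status letsencrypt-renew` and the journal, where the "not found" line from the first run above was caught, without turning the Salt run itself red.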

Move list of certificates to generate to next commit

This revision was automatically updated to reflect the committed changes.
This revision is now accepted and ready to land. Apr 28 2017, 04:46