Certbot Renew Failed To Generate new FullChain file #8
I have this crontab running:
Went ahead and added the authenticator/installer config to This makes total sense, but somehow I overlooked it during the initial install and configuration (I did the automation sometime after the primary cert configuration).
I believe our opinion is this is a problem with the certbot client. We have a pull request related to this: We are using our own fork at the moment:
@mrtndwrd, according to the issue on Certbot it's fixed now. Do any changes need to be made on this project's end, or do we just pull the latest certbot?
That issue was closed because nobody responded to it anymore. Unfortunately, nobody had time to implement the last solution bmw proposed in that issue. So it's not fixed, that issue is just closed. For now, we are still using our fork. I'll try to at least get that up to date as soon as possible.
A workaround:
#!/bin/bash
# A script to work around https://github.com/greenhost/certbot-haproxy/issues/8
# which checks whether the LE-issued certs are newer than the ones HAProxy uses
# and, if so, concatenates the full chain and private key of those certs into a
# HAProxy-compatible PEM file and reloads HAProxy.
LE_ROOT="/etc/letsencrypt/live"
HA_CERT_ROOT="/opt/certbot/haproxy_fullchains"
RELOAD=""
# Restrict permissions on files this script creates: the output contains private keys.
umask 077
# Iterate over lineage directories with a glob instead of parsing ls;
# /etc/letsencrypt/live may also contain a README file, which is skipped this way.
for DIR in "${LE_ROOT}"/*/; do
    DOMAIN="$(basename "${DIR}")"
    # -nt is also true when the HAProxy file does not exist yet
    if [[ "${LE_ROOT}/${DOMAIN}/fullchain.pem" -nt "${HA_CERT_ROOT}/${DOMAIN}.pem" ]]; then
        # HAProxy certificate is older than the certs in letsencrypt, suggesting a renewal has occurred
        echo "Renewal detected for ${DOMAIN}... Regenerating haproxy cert"
        cat "${LE_ROOT}/${DOMAIN}/fullchain.pem" "${LE_ROOT}/${DOMAIN}/privkey.pem" > "${HA_CERT_ROOT}/${DOMAIN}.pem"
        # umask only applies to newly created files; enforce the mode on existing ones too
        chmod 600 "${HA_CERT_ROOT}/${DOMAIN}.pem"
        RELOAD="true"
    fi
done
if [ "${RELOAD}" == "true" ]; then
    service haproxy reload
fi
Example systemd change:
Hi, I just ran into this issue with this module and the certbot 0.27.1 codebase. Thanks to @warmfusion for the script above. With a couple of modifications it has solved the issue for me. For my use case, I thought it was better to set up the script than use a forked version of certbot. However, it looks like the better solution to this problem would be for this plugin to use the new 'RenewDeployer' function that certbot has had since version 0.26.1: So, this looks like a feature that should be added to this plugin code. -Ian
@idmacdonald Thanks for the suggestion. At first glance that seems to be a good solution to make sure we don't have to use our certbot fork. To be honest, I'm not sure if we still use that fork (it's quite outdated). We'll take a closer look, but I'm not sure when we'll have the time to do so.
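The renewal-hook approach suggested above, as an added example that is not part of certbot-haproxy or of any commenter's script: a certbot --deploy-hook that rebuilds only the HAProxy bundle for the lineage certbot just renewed, instead of scanning every lineage from cron as the workaround script does. It relies on certbot exporting RENEWED_LINEAGE to the hook; the HA_CERT_ROOT and haproxy.cfg paths and the function names are assumptions chosen to match the thread's layout.

```shell
#!/bin/bash
# Added example (not certbot-haproxy's code): a certbot --deploy-hook that
# rebuilds the HAProxy bundle for the lineage that was just renewed and reloads
# HAProxy. certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com)
# and RENEWED_DOMAINS to deploy hooks after a successful renewal. HA_CERT_ROOT
# and the haproxy.cfg path are assumptions matching the thread's layout.
set -eu

HA_CERT_ROOT="${HA_CERT_ROOT:-/opt/certbot/haproxy_fullchains}"
HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"

# build_haproxy_bundle <lineage dir> <output dir>
# Concatenates fullchain.pem and privkey.pem into <output dir>/<lineage>.pem,
# the single-file format HAProxy expects. The bundle contains the private key,
# so it is written with mode 0600 through a temporary file and then renamed
# into place, so HAProxy never reads a half-written file. Prints the output path.
build_haproxy_bundle() {
    local lineage="$1" out_dir="$2"
    local name chain key out tmp
    name="$(basename "$lineage")"
    chain="${lineage}/fullchain.pem"
    key="${lineage}/privkey.pem"
    if [ ! -r "$chain" ] || [ ! -r "$key" ]; then
        echo "missing fullchain.pem or privkey.pem in $lineage" >&2
        return 1
    fi
    mkdir -p "$out_dir"
    out="${out_dir}/${name}.pem"
    tmp="$(mktemp "${out_dir}/.${name}.XXXXXX")"
    chmod 0600 "$tmp"
    cat "$chain" "$key" > "$tmp"
    mv -f "$tmp" "$out"
    printf '%s\n' "$out"
}

# Deploy-hook entry point: validate the configuration before reloading so a
# bad bundle cannot take HAProxy down.
deploy_renewed_lineage() {
    build_haproxy_bundle "$RENEWED_LINEAGE" "$HA_CERT_ROOT" >/dev/null
    haproxy -c -q -f "$HAPROXY_CFG"
    service haproxy reload
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_renewed_lineage
else
    echo "RENEWED_LINEAGE is not set; run this script via certbot --deploy-hook" >&2
fi
```

Wire it up with `certbot renew --deploy-hook /path/to/this-script.sh` (or the equivalent `deploy-hook` line in the renewal config); certbot only invokes the hook for lineages that were actually renewed.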
I have all of my chains under /opt/certbot/haproxy_fullchains, and have run certbot renew before, but it appears my chains are not being updated there. I am getting a new chain under /etc/letsencrypt/archive/[domain name]. Not seeing anything about updating the haproxy_fullchains file; am I missing something?
If I run certbot run --authenticator certbot-haproxy:haproxy-authenticator --installer certbot-haproxy:haproxy-installer, select a cert that already exists and select 1: Attempt to reinstall this existing certificate, it'll fix the issue. Is there a way to reinstall all certs?
Happened to 5/12 of my sites so far, going to see what the rest do as they expire.