Bug 1839904

Summary: apachectl graceful interfering with verifying next cert to be signed
Product: [Fedora] Fedora EPEL Reporter: Stuart D Gathman <stuart>
Component: acme-tinyAssignee: Stuart D Gathman <stuart>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: unspecified    
Version: epel7CC: stuart
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: acme-tiny-4.1.0-7.fc34 acme-tiny-4.1.0-7.fc33 acme-tiny-4.1.0-7.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-06-28 01:31:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Proof of concept for compatible daemon kicker when acme-tiny updates certs none

Description Stuart D Gathman 2020-05-25 23:22:51 UTC 
Description of problem:
Cert fails to be signed because httpd does not respond to request to verify control of domain

Version-Release number of selected component (if applicable):
acme-tiny-4.1.0-1.el7.noarch

How reproducible:
Random, needs 3 or more certs to be signed in a day to be likely

Steps to Reproduce:
1. enable acme-tiny timer
2. have 3 or more certs to be signed the same day
3.

Actual results:
First few certs are signed, then one fails because httpd does not respond

Expected results:
All certs in expiration window are signed.

Additional info:
As certs are signed, incrond runs /etc/acme-tiny/notify.sh which does "apachectl graceful" for certs just signed.  This seems to sometimes interfere briefly with new requests.
Comment 1 Stuart D Gathman 2020-05-25 23:49:16 UTC 
The jilted certs will get signed the next day, and thus, the problem will correct itself.
Comment 2 Stuart D Gathman 2021-05-27 20:59:13 UTC 
In addition, kicking apache/dovecot/sendmail does not happen out of the box.  User has to read the README for fedora and install incrond.  I think with systemd, I can have another one-shot service run after acme-tiny.  This will avoid needing to install anything additional.  Comparing dates on certs will only happen once a day, so not a performance problem.  It will avoid kicking the daemons until After all the certs are signed.
Comment 3 Stuart D Gathman 2021-05-27 21:01:58 UTC 
Created attachment 1787693 [details]
Proof of concept for compatible daemon kicker when acme-tiny updates certs
Comment 4 Stuart D Gathman 2021-05-28 04:38:36 UTC 
Pushed a new version to rawhide.  Accidentally also pushed to f33, so pushed to f34 as well and will accelerate testing.  I will roll out on some lightly used production servers.
Comment 5 Fedora Update System 2021-06-19 23:02:23 UTC 
FEDORA-EPEL-2021-551ec36d33 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-551ec36d33
Comment 6 Fedora Update System 2021-06-19 23:19:09 UTC 
FEDORA-2021-be8fcce052 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-be8fcce052
Comment 7 Fedora Update System 2021-06-19 23:19:10 UTC 
FEDORA-2021-cb636961f0 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-cb636961f0
Comment 8 Fedora Update System 2021-06-20 01:25:24 UTC 
FEDORA-2021-be8fcce052 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-be8fcce052`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-be8fcce052

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 9 Fedora Update System 2021-06-20 01:25:25 UTC 
FEDORA-EPEL-2021-551ec36d33 has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-551ec36d33

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 10 Fedora Update System 2021-06-20 01:57:32 UTC 
FEDORA-2021-cb636961f0 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-cb636961f0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-cb636961f0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 11 Fedora Update System 2021-06-28 01:31:11 UTC 
FEDORA-2021-be8fcce052 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 12 Fedora Update System 2021-06-28 01:43:23 UTC 
FEDORA-2021-cb636961f0 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 13 Fedora Update System 2021-07-05 01:20:43 UTC 
FEDORA-EPEL-2021-551ec36d33 has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.