Bug 1366355 - Review Request: acme-tiny - Tiny auditable ACME script for Let's Encrypt
Summary: Review Request: acme-tiny - Tiny auditable ACME script for Let's Encrypt
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zbigniew Jędrzejewski-Szmek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-08-11 18:19 UTC by Stuart D Gathman
Modified: 2016-10-30 21:50 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-10-16 18:52:16 UTC
Type: ---
Embargoed:
zbyszek: fedora-review+



Description Stuart D Gathman 2016-08-11 18:19:31 UTC
Spec URL: http://gathman.org/linux/SPECS/acme-tiny.spec
SRPM URL: http://gathman.org/linux/el6/src/acme-tiny-0.1-4.el6.src.rpm

Description: This is a tiny, auditable script that you can throw on your server
to issue and renew Let's Encrypt certificates. Since it has to be run on your
server and have access to your private Let's Encrypt account key, I tried to
make it as tiny as possible (currently less than 200 lines). The only
prerequisites are python and openssl.

Well, that and a web server - but then you only need this with a web server.
This package adds a simple directory layout and cron script that runs acme_tiny
as the acme user for privilege separation.

Fedora Account System Username: sdgathman

Comment 1 Stuart D Gathman 2016-08-11 19:24:13 UTC
Spec URL: http://gathman.org/linux/SPECS/acme-tiny.spec
SRPM URL: http://gathman.org/linux/el6/src/acme-tiny-0.1-5.el6.src.rpm

New release out for testing on local repo.

Comment 2 Zbigniew Jędrzejewski-Szmek 2016-08-11 21:23:08 UTC
For Fedora it would be nice to replace the cron script with a systemd timer+service. Cron scripts are more heavyweight, require crond to be running, and leave many more logs. In addition, you could use stuff like ProtectHome=yes, etc, and users will be able to enable/disable this using presets, which is nicer for automatic deployments.

Comment 3 Stuart D Gathman 2016-08-11 22:47:25 UTC
Why acme-tiny and not the existing certbot package?

Certbot is an all singing, all dancing, configure your web server for you (with
plugins for various web servers), ACME client plus general cert management
tool.  Let's Encrypt is a web service using the ACME protocol.

Acme-tiny is a tiny ACME client that doesn't do all that stuff - because it
only needs to be done once, so it is a really bad idea to have some generic
script editing your configuration (and who knows what else hidden among all
that code).  Plus, certbot needs root access to your system.  Acme-tiny does
not.  It runs as the acme user, and only has access to csrs you give it, certs
it signs, and the Let's Encrypt account key (when using letsencrypt to sign).

In summary, IMO certbot is targeting the wrong audience.  The people that would
need certbot to do all that one time configuration for them probably aren't
running a web server to begin with.  But I could be wrong.  There are a lot of
non-technical Fedora users who just may in fact run web servers and
appreciate certbot.

With the apache drop-in I provide in acme-tiny, 99% of apache configurations
work out of the box anyway.  You only need to adjust the config if you use
<Location "/"> deny all inside a <VirtualHost> (which overrides the global
acme-challenge config).

In summary: letsencrypt is a web service.  ACME is a wire protocol.  certbot is a bloated client implementation of ACME.  acme-tiny is a lean and mean client implementation.  My acme-tiny package adds pre-made directories, user, and a tiny cron script so that everything mostly works out of the box.

Comment 4 Stuart D Gathman 2016-08-11 22:50:56 UTC
(In reply to Zbigniew Jędrzejewski-Szmek from comment #2)
> For Fedora it would be nice to replace the cron script with a systemd
> timer+service. Cron scripts are more heavyweight, require crond to be

I will put that on the list, but I don't know how to do that yet.  It is easy enough to use the crontab only for el6.  (I assume el7 also has timer+service.)

Comment 5 Stuart D Gathman 2016-08-11 22:53:39 UTC
Note to reviewers: the python scripts are intended to run on either python2 or python3 - hence it uses the default python.  I haven't tested it thoroughly with python3 yet, however.

Comment 6 Zbigniew Jędrzejewski-Szmek 2016-08-18 18:47:32 UTC
/usr/sbin/acme_tiny has '#!/usr/bin/env python', it should use system python, i.e. %{__python2}.

It cannot work with python3: cert-check has old exception syntax.

Systemd units would be:
# acme-tiny.timer
[Unit]
Description=Periodic renewal of Let's Encrypt certificates

[Timer]
OnCalendar=daily
Persistent=yes

[Install]
WantedBy=timers.target

# acme-tiny.service
[Unit]
Description=Renewal of Let's Encrypt certificates

[Service]
Type=oneshot
User=acme
ExecStart=/usr/libexec/acme-tiny/sign

PrivateTmp=true
ProtectHome=yes
ProtectSystem=full

[Install]
Also=acme-tiny.timer

Comment 7 Stuart D Gathman 2016-08-19 15:08:35 UTC
Thanks - I'll fix the cert-check script, and I can test it on python3.  Also, after some discussion on the acme-tiny github page, I will be removing or changing the patch to append intermediate certs.  The package promises to "use the upstream acme-tiny".  The patch changes the default semantics, and some applications depend on acme-tiny outputting *only* the one cert.  

Options are:

1) Include or depend on https://github.com/muchlearning/cert-chain-resolver-py
   This not only downloads intermediate certs, but does a lot of sanity checking.

2) Modify the patch to add an option flag to append intermediate certs, thus leaving the default behavior unchanged.  The intermediate certs are included in the acme response in any case, it is just a matter of whether to extract and append them.

Comment 8 Stuart D Gathman 2016-08-19 15:14:34 UTC
Arrgh.  I *did* test cert-check.py with python3, but neglected to commit the changes...

Comment 9 Stuart D Gathman 2016-08-20 00:20:38 UTC
Spec URL: http://gathman.org/linux/SPECS/acme-tiny.spec
SRPM URL: http://gathman.org/linux/el6/src/acme-tiny-0.1-6.el6.src.rpm

Tested cert-check with python3 AND committed it this time.  Made /var/lib/acme readable by all except private.  Removed env from acme-tiny.  Updated patch to leave default behavior unchanged.  Still thinking about leaving acme-tiny really unchanged and include cert-chain-resolver (or make that another package).

Comment 10 Zbigniew Jędrzejewski-Szmek 2016-08-21 00:21:24 UTC
cert-chain-resolver is 150 lines, so making a package out of it seems a bit overkill. OTOH, it is a separate project. I don't know what the best solution is here.

OK, so you fixed python3 support. Now you should make the Fedora version use python3 ;) https://fedoraproject.org/wiki/Packaging:Python#Python_Version_Support says "If a piece of software supports python3, it must be packaged for python3.". We really shouldn't be adding more python2 stuff if we can avoid it.

Also, I'll reiterate the request to switch from cron to systemd timers: the overhead is lower (fewer dependencies, fewer logs, fewer processes), and switching from cron to systemd units is awkward: it can only be done between releases, and the information whether a service was enabled or disabled is lost. So it's better to do it properly from the start, i.e. use a systemd timer. I expect the ones I pasted above to work without any issues.

You should include %shortcommit in the release tag
[https://fedoraproject.org/wiki/Packaging:Naming?rd=Packaging:NamingGuidelines#Post-Release_packages].
Something like this works nicely to switch back and forth between tags and releases:
%global gitcommit ea683512f9b82f2257770f0ed56d819eea230fc2
%{?gitcommit:%global gitcommitshort %(c=%{gitcommit}; echo ${c:0:7})}
Version:        123
Release:        4%{?gitcommit:.git%{gitcommitshort}}%{?dist}

Comment 11 Stuart D Gathman 2016-08-21 22:12:20 UTC
Spec URL: http://gathman.org/linux/SPECS/acme-tiny.spec
SRPM URL: http://gathman.org/linux/el6/src/acme-tiny-0.1-8.git5a7b4e7.fc23.src.rpm

It is still out for testing on my local repo - going to do an end-to-end (do the whole process of registering the cert and running the check script from cron) on an f23 server.  Only tested end-to-end on el6 so far.

Comment 12 Stuart D Gathman 2016-08-22 00:20:01 UTC
Works!  https://nyc.gathman.org/  (note signed by letsencrypt.org)

Comment 13 Zbigniew Jędrzejewski-Szmek 2016-08-22 06:10:26 UTC
It's simpler to use:
%{?systemd_requires}
[https://fedoraproject.org/wiki/Packaging:Scriptlets#Systemd]

The scriptlets should refer to both units (acme-tiny.service and acme-tiny.timer). At least because when the package is uninstalled, both must be disabled and stopped.

Please add to the .service unit file:
  [Install]
  Also=acme-tiny.timer
This will make 'systemctl enable acme-tiny' do the expected thing.

WantedBy=network.target is wrong. It should be WantedBy=timers.target, which is the normal setting (see systemd.special(7)). If you want, you can add "After=httpd.service nginx.service" to acme-tiny.service. (If those services are not installed or not started, this line will have no effect.)

When systemd is used, the dependency on cronie should be dropped.
The mention of cron in %description should be removed too.

Drop the dependency on python. It'll be generated automatically (and correctly, i.e. for python3).

I think Suggests: httpd, mod_ssl, Enhances: httpd, mod_ssl, and maybe similarly for nginx should be added.

%setup + %patch0 -p1 → %autosetup -p1 ;)

Any chance I could convince you to rename the executable to acme-tiny? Having cert-check and acme_tiny is ugly. It's also less confusing when the main binary matches the package name.

I think you should provide Fedora-specific instructions. Upstream README contains a lot of non-relevant information about how to create a cron script, how to invoke the python script, etc. Also the paths are fixed (/var/lib/acme/*), and it would be easier if the instructions referred to them.

I started the service without creating any configuration. It failed:
Aug 22 04:43:59 fedora24 systemd[1]: Starting Check for acme certs about to expire...
Aug 22 04:43:59 fedora24 acme-tiny[15288]: Generating RSA private key, 4096 bit long modulus
Aug 22 04:43:59 fedora24 acme-tiny[15288]: ..................++
Aug 22 04:44:00 fedora24 acme-tiny[15288]: ...........................................................................++
Aug 22 04:44:00 fedora24 acme-tiny[15288]: e is 65537 (0x10001)
Aug 22 04:44:00 fedora24 acme-tiny[15288]: acme_tiny --account-key private/account.key --csr csr/*.csr --acme-dir /var/www/challenges/ --out certs/*.crt
Aug 22 04:44:00 fedora24 acme-tiny[15288]: Parsing account key...
Aug 22 04:44:00 fedora24 acme-tiny[15288]: Parsing CSR...
Aug 22 04:44:00 fedora24 acme-tiny[15288]: Traceback (most recent call last):
Aug 22 04:44:00 fedora24 acme-tiny[15288]:   File "/usr/sbin/acme_tiny", line 213, in <module>
Aug 22 04:44:00 fedora24 acme-tiny[15288]:     main(sys.argv[1:])
Aug 22 04:44:00 fedora24 acme-tiny[15288]:   File "/usr/sbin/acme_tiny", line 209, in main
Aug 22 04:44:00 fedora24 acme-tiny[15288]:     signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, chain=args.chain)
Aug 22 04:44:00 fedora24 acme-tiny[15288]:   File "/usr/sbin/acme_tiny", line 70, in get_crt
Aug 22 04:44:00 fedora24 acme-tiny[15288]:     raise IOError("Error loading {0}: {1}".format(csr, err))
Aug 22 04:44:00 fedora24 acme-tiny[15288]: OSError: Error loading csr/*.csr: b"csr/*.csr: No such file or directory\n139718301902712:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('csr/*.csr','r')\n139718301902712:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:\n"
Aug 22 04:44:00 fedora24 systemd[1]: Started Check for acme certs about to expire.

It looks like the script does not report failure properly.

It should also report the error in a more readable way. I don't think the stack trace is useful.

In /var/lib/acme/certs/ I have a file called '*.tmp'. This does not look right ;)

Next, I created a file called /var/lib/acme/csr/domain.csr. I restarted the service, but again it failed, this time because I hadn't actually started an HTTP server. The failure is expected, but the reporting could be improved:

Aug 22 05:23:02 fedora24 systemd[1]: Starting Check for acme certs about to expire...
Aug 22 05:23:02 fedora24 acme-tiny[15371]: acme_tiny --account-key private/account.key --csr csr/domain.csr --acme-dir /var/www/challenges/ --out certs/domain.crt
Aug 22 05:23:02 fedora24 acme-tiny[15371]: Parsing account key...
Aug 22 05:23:02 fedora24 acme-tiny[15371]: Parsing CSR...
Aug 22 05:23:02 fedora24 acme-tiny[15371]: Registering account...
Aug 22 05:23:03 fedora24 acme-tiny[15371]: Registered!
Aug 22 05:23:03 fedora24 acme-tiny[15371]: Verifying fedora24.in.waw.pl...
Aug 22 05:23:03 fedora24 acme-tiny[15371]: Traceback (most recent call last):
Aug 22 05:23:03 fedora24 acme-tiny[15371]:   File "/usr/lib64/python3.5/urllib/request.py", line 1240, in do_open
Aug 22 05:23:03 fedora24 acme-tiny[15371]:     h.request(req.get_method(), req.selector, req.data, headers)
Aug 22 05:23:03 fedora24 acme-tiny[15371]:   File "/usr/lib64/python3.5/http/client.py", line 1083, in request
Aug 22 05:23:03 fedora24 acme-tiny[15371]:     self._send_request(method, url, body, headers)
Aug 22 05:23:03 fedora24 acme-tiny[15371]:   File "/usr/lib64/python3.5/http/client.py", line 1128, in _send_request
Aug 22 05:23:03 fedora24 acme-tiny[15371]:     self.endheaders(body)
Aug 22 05:23:03 fedora24 acme-tiny[15371]:   File "/usr/lib64/python3.5/http/client.py", line 1079, in endheaders
Aug 22 05:23:03 fedora24 acme-tiny[15371]:     self._send_output(message_body)
Aug 22 05:23:03 fedora24 acme-tiny[15371]:   File "/usr/lib64/python3.5/http/client.py", line 911, in _send_output
Aug 22 05:23:03 fedora24 acme-tiny[15371]:     self.send(msg)
Aug 22 05:23:03 fedora24 acme-tiny[15371]:   File "/usr/lib64/python3.5/http/client.py", line 854, in send
Aug 22 05:23:03 fedora24 acme-tiny[15371]:     self.connect()
Aug 22 05:23:03 fedora24 acme-tiny[15371]:   File "/usr/lib64/python3.5/http/client.py", line 826, in connect
Aug 22 05:23:03 fedora24 acme-tiny[15371]:     (self.host,self.port), self.timeout, self.source_address)
Aug 22 05:23:03 fedora24 acme-tiny[15371]:   File "/usr/lib64/python3.5/socket.py", line 711, in create_connection
Aug 22 05:23:03 fedora24 acme-tiny[15371]:     raise err
Aug 22 05:23:03 fedora24 acme-tiny[15371]:   File "/usr/lib64/python3.5/socket.py", line 702, in create_connection
Aug 22 05:23:03 fedora24 acme-tiny[15371]:     sock.connect(sa)
Aug 22 05:23:03 fedora24 acme-tiny[15371]: ConnectionRefusedError: [Errno 111] Connection refused
Aug 22 05:23:03 fedora24 acme-tiny[15371]: During handling of the above exception, another exception occurred:
Aug 22 05:23:03 fedora24 acme-tiny[15371]: Traceback (most recent call last):
Aug 22 05:23:03 fedora24 acme-tiny[15371]:   File "/usr/sbin/acme_tiny", line 117, in get_crt
Aug 22 05:23:03 fedora24 acme-tiny[15371]:     resp = urlopen(wellknown_url)
Aug 22 05:23:03 fedora24 acme-tiny[15371]:   File "/usr/lib64/python3.5/urllib/request.py", line 162, in urlopen
Aug 22 05:23:03 fedora24 acme-tiny[15371]:     return opener.open(url, data, timeout)
Aug 22 05:23:03 fedora24 acme-tiny[15371]:   File "/usr/lib64/python3.5/urllib/request.py", line 465, in open
Aug 22 05:23:03 fedora24 acme-tiny[15371]:     response = self._open(req, data)
Aug 22 05:23:03 fedora24 acme-tiny[15371]:   File "/usr/lib64/python3.5/urllib/request.py", line 483, in _open
Aug 22 05:23:03 fedora24 acme-tiny[15371]:     '_open', req)
Aug 22 05:23:03 fedora24 acme-tiny[15371]:   File "/usr/lib64/python3.5/urllib/request.py", line 443, in _call_chain
Aug 22 05:23:03 fedora24 acme-tiny[15371]:     result = func(*args)
Aug 22 05:23:03 fedora24 acme-tiny[15371]:   File "/usr/lib64/python3.5/urllib/request.py", line 1268, in http_open
Aug 22 05:23:03 fedora24 acme-tiny[15371]:     return self.do_open(http.client.HTTPConnection, req)
Aug 22 05:23:03 fedora24 acme-tiny[15371]:   File "/usr/lib64/python3.5/urllib/request.py", line 1242, in do_open
Aug 22 05:23:03 fedora24 acme-tiny[15371]:     raise URLError(err)
Aug 22 05:23:03 fedora24 acme-tiny[15371]: urllib.error.URLError: <urlopen error [Errno 111] Connection refused>
Aug 22 05:23:03 fedora24 acme-tiny[15371]: During handling of the above exception, another exception occurred:
Aug 22 05:23:03 fedora24 acme-tiny[15371]: Traceback (most recent call last):
Aug 22 05:23:03 fedora24 acme-tiny[15371]:   File "/usr/sbin/acme_tiny", line 213, in <module>
Aug 22 05:23:03 fedora24 acme-tiny[15371]:     main(sys.argv[1:])
Aug 22 05:23:03 fedora24 acme-tiny[15371]:   File "/usr/sbin/acme_tiny", line 209, in main
Aug 22 05:23:03 fedora24 acme-tiny[15371]:     signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, chain=args.chain)
Aug 22 05:23:03 fedora24 acme-tiny[15371]:   File "/usr/sbin/acme_tiny", line 123, in get_crt
Aug 22 05:23:03 fedora24 acme-tiny[15371]:     wellknown_path, wellknown_url))
Aug 22 05:23:03 fedora24 acme-tiny[15371]: ValueError: Wrote file to /var/www/challenges/yl3q4gBjRLn8SjdQ5d_EtnGR1ZJy1QYvrx4P6jr0NfA, but couldn't download http://fedora24.in.waw.pl/.well-known/acme-challenge/yl3q4gBjRLn8SjdQ5d_EtnGR1ZJy1QYvrx4P6jr0NfA

Again, those tracebacks are not useful to the end user. In particular, it does not say *where* it tried to connect in the traceback.

Your instructions don't discuss how to feed the certificate back to httpd. Shouldn't the snippets for httpd configuration override SSLCertificateKeyFile, SSLCertificateFile? Or is this supposed to be done somehow differently? How do you solve permission issues?

Finally, your script could generate a csr for the FQDN. This would simplify things, because the user would not need to do this step by hand. It would be actually great to be able to install this package on a new server and have it work automatically without any manual steps.

Comment 14 Zbigniew Jędrzejewski-Szmek 2016-08-22 06:23:26 UTC
There's also https://fedoraproject.org/wiki/Packaging:Initial_Service_Setup. You might want to look at that, although I don't see much benefit in splitting this initial setup in case of acme-tiny.

Comment 15 Stuart D Gathman 2016-08-22 19:16:35 UTC
The tracebacks are a tough one, as that will require another mod to upstream.  acme-tiny is becoming acme not as tiny but more friendly.  I had hoped to keep the core script relatively unchanged, and just add the timers, directories, etc that make it actually usable.  

Generating FQDN csr is a no go.  We really don't know what the user will want, e.g. you typically want a list of domains on the cert for a web page.  (DNS:example.com,DNS:www.example.com)  However, another auxiliary script in the package to auto-gen a guessed CSR for a typical web page use might be in order down the road. 

I'll fix bombing on no csrs, and see if there is something simple to do about the tracebacks from the upstream script.  And I'm on board with renaming the core script - I originally named it acme-tiny, but upstream names it acme_tiny, and I thought maybe I should follow suit.  Link both names?

It does say where it is trying to connect, BTW: Verifying fedora24.in.waw.pl..
Maybe it will only be a few lines to add a --quiet flag that suppresses the traceback and only shows the top level exception.

Comment 16 Stuart D Gathman 2016-08-22 19:55:37 UTC
Actually, the top level exception is extremely clear:

ValueError: Wrote file to /var/www/challenges/yl3q4gBjRLn8SjdQ5d_EtnGR1ZJy1QYvrx4P6jr0NfA, but couldn't download http://fedora24.in.waw.pl/.well-known/acme-challenge/yl3q4gBjRLn8SjdQ5d_EtnGR1ZJy1QYvrx4P6jr0NfA

So suppressing the traceback might be slightly friendlier, but the error message is very good.  (The test system didn't have the web server configured for the fedora24.in.waw.pl domain.)

Comment 17 Stuart D Gathman 2016-08-23 01:37:52 UTC
Spec URL: http://gathman.org/linux/SPECS/acme-tiny.spec
SRPM URL: http://gathman.org/linux/el6/src/acme-tiny-0.1-9.git5a7b4e7.fc23.src.rpm

I provided symlinks for acme-tiny and acme-tiny-sign, and followed all the rest of your recommendations (I think - patched acme-tiny to suppress tracebacks, devs can uncomment one line to get them back), except for %autosetup.  I really like having each patch make named backup files, so updating a patch is easy.

Comment 18 Stuart D Gathman 2016-08-23 23:20:04 UTC
Testing with sendmail reveals a minor problem:

Aug 23 16:19:41 mail sendmail[6198]: STARTTLS=server: file /var/lib/acme/certs/mail.crt unsafe: Permission denied

sendmail doesn't like the cert being writable by other.  This seems overly paranoid - the key is a separate config and is secure.  I'm not thinking of a simple way for acme-tiny to facilitate sendmail - the simplest seems to be a root cron script that copies the mail crt when it changes.
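
Added example (not the package's or upstream acme-tiny's own code) of a renewal driver in Python that handles the failure modes raised in comments 13 and 18: an empty csr/ directory, a stray '*.tmp' left behind on failure, an exit status that lets systemd record the unit as failed, and a cert file that is not writable by others. Paths follow the layout named in the thread; the 30-day threshold, the expiry_of callback and running upstream acme_tiny with its output on stdout are assumptions.

```python
"""Renewal driver illustrating points raised in the review thread.
Added example, not the package's or upstream acme-tiny's code.  Assumed
layout (as named in the thread): /var/lib/acme/{csr,certs,private} and
/var/www/challenges; upstream acme_tiny is assumed to print the cert on stdout."""
import glob
import os
import subprocess
import sys
from datetime import datetime, timedelta, timezone

ACME_DIR = "/var/lib/acme"                      # assumed layout
CHALLENGE_DIR = "/var/www/challenges"           # assumed layout
ACCOUNT_KEY = os.path.join(ACME_DIR, "private", "account.key")
RENEW_DAYS = 30                                 # assumed threshold


def parse_not_after(enddate_line):
    """Parse 'notAfter=Aug 22 04:44:00 2016 GMT' as printed by
    'openssl x509 -noout -enddate' into a naive UTC datetime."""
    _, _, value = enddate_line.strip().partition("=")
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")


def needs_renewal(not_after, now, renew_days=RENEW_DAYS):
    """True when the cert is absent, expired, or expires within renew_days."""
    if not_after is None:
        return True
    return not_after - now <= timedelta(days=renew_days)


def plan_renewals(csr_paths, cert_dir, expiry_of, now, renew_days=RENEW_DAYS):
    """Return [(csr, crt), ...] for every CSR whose cert needs renewing.
    expiry_of(crt) returns the cert's notAfter, or None if the file is
    missing; it is injected so the planning logic runs without openssl."""
    plan = []
    for csr in sorted(csr_paths):
        name = os.path.splitext(os.path.basename(csr))[0]
        crt = os.path.join(cert_dir, name + ".crt")
        if needs_renewal(expiry_of(crt), now, renew_days):
            plan.append((csr, crt))
    return plan


def openssl_expiry(crt):
    """Expiry of an on-disk cert via openssl, or None if it does not exist."""
    if not os.path.exists(crt):
        return None
    out = subprocess.check_output(
        ["openssl", "x509", "-noout", "-enddate", "-in", crt], text=True)
    return parse_not_after(out)


def sign_one(csr, crt):
    """Run acme_tiny into a temp file; rename into place only on success."""
    tmp = crt + ".tmp"
    try:
        with open(tmp, "wb") as fh:
            subprocess.run(["acme_tiny", "--account-key", ACCOUNT_KEY,
                            "--csr", csr, "--acme-dir", CHALLENGE_DIR],
                           stdout=fh, check=True)
        os.chmod(tmp, 0o644)   # world-readable, never other-writable
        os.replace(tmp, crt)   # atomic: readers never see a partial cert
        return True
    except (OSError, subprocess.CalledProcessError) as err:
        print("%s: renewal failed: %s" % (csr, err), file=sys.stderr)
        if os.path.exists(tmp):
            os.unlink(tmp)     # no stray '*.tmp' left behind
        return False


def main():
    # glob.glob returns [] when nothing matches, unlike a shell glob that
    # would hand acme_tiny the literal string 'csr/*.csr'.
    csrs = glob.glob(os.path.join(ACME_DIR, "csr", "*.csr"))
    if not csrs:
        print("no CSRs in %s/csr, nothing to do" % ACME_DIR)
        return 0
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    plan = plan_renewals(csrs, os.path.join(ACME_DIR, "certs"),
                         openssl_expiry, now)
    failed = [csr for csr, crt in plan if not sign_one(csr, crt)]
    return 1 if failed else 0   # non-zero so systemd records the failure


if __name__ == "__main__":
    sys.exit(main())
```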

Comment 19 Stuart D Gathman 2016-08-25 04:27:12 UTC
One generic solution to programs like sendmail is to drop an incrontab in /etc/incron.d/acme that copies any updated files in /var/lib/acme/certs to /etc/pki/tls/acme-certs.  Then apps can all get their certs from /etc/pki/tls.

Is that acceptable without a dependency?  incron is insecure by default - you have to echo root >/etc/incron.allow

Comment 20 Zbigniew Jędrzejewski-Szmek 2016-08-26 09:19:22 UTC
Sorry for the delay. I'll be offline a few days, but I should get back to this next week.

Comment 21 Zbigniew Jędrzejewski-Szmek 2016-08-27 06:40:00 UTC
New packages cannot be added for Fedora 22, so the check '%if 0%{?fedora} > 22' can be simplified to '%if 0%{?fedora}'.

+ package name is OK
+ license is acceptable (MIT)
+ license is specified correctly
+ latest version
+ provides/requires/buildrequires are specified correctly
+ package builds and installs OK
+ rpmlint is OK (see below)
+ scriptlets look sane

rpmlint:
acme-tiny.noarch: W: spelling-error Summary(en_US) Auditable -> Audi table, Audi-table, Audit able
acme-tiny.noarch: W: spelling-error %description -l en_US auditable -> audit able, audit-able, editable
"auditable" is a neologism, but OK.

acme-tiny.noarch: W: incoherent-version-in-changelog 0.1-9 ['0.1-9.git5a7b4e7.fc24', '0.1-9.git5a7b4e7']
Please make sure this is OK when the package is built.

acme-tiny.noarch: W: non-standard-uid /var/lib/acme/private acme
acme-tiny.noarch: W: non-standard-gid /var/lib/acme/private acme
acme-tiny.noarch: E: non-standard-dir-perm /var/lib/acme/private 700
acme-tiny.noarch: W: non-standard-uid /var/www/challenges acme
acme-tiny.noarch: W: non-standard-gid /var/www/challenges acme
acme-tiny.noarch: W: non-standard-uid /var/lib/acme/lets-encrypt-x3-cross-signed.pem acme
acme-tiny.noarch: W: non-standard-gid /var/lib/acme/lets-encrypt-x3-cross-signed.pem acme
acme-tiny.noarch: W: pem-certificate /var/lib/acme/lets-encrypt-x3-cross-signed.pem
acme-tiny.noarch: W: non-standard-uid /var/lib/acme/csr acme
acme-tiny.noarch: W: non-standard-gid /var/lib/acme/csr acme
acme-tiny.noarch: W: non-standard-uid /var/lib/acme acme
acme-tiny.noarch: W: non-standard-gid /var/lib/acme acme
acme-tiny.noarch: W: non-standard-uid /var/lib/acme/certs acme
acme-tiny.noarch: W: non-standard-gid /var/lib/acme/certs acme
Those are OK.

acme-tiny.noarch: W: no-manual-page-for-binary acme_tiny
acme-tiny.noarch: W: no-manual-page-for-binary acme-tiny-sign
acme-tiny.noarch: W: no-manual-page-for-binary acme-tiny
acme-tiny.noarch: W: no-manual-page-for-binary cert-check
Not needed, docs are provided in READMEs.

1 packages and 0 specfiles checked; 1 errors, 20 warnings.

Package is APPROVED.

Comment 22 Zbigniew Jędrzejewski-Szmek 2016-10-05 18:48:44 UTC
Ping?

Comment 23 Stuart D Gathman 2016-10-05 20:39:03 UTC
Oh my.  I didn't see that the package was approved!  I'll address those nits and get it out there.

Comment 24 Gwyn Ciesla 2016-10-05 21:30:28 UTC
Package request has been approved: https://admin.fedoraproject.org/pkgdb/package/rpms/acme-tiny

Comment 25 Fedora Update System 2016-10-07 06:24:36 UTC
acme-tiny-0.1-10.20160810git5a7b4e7.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b72c96ecee

Comment 26 Fedora Update System 2016-10-07 08:49:13 UTC
acme-tiny-0.1-10.20160810git5a7b4e7.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-f5a987216a

Comment 27 Fedora Update System 2016-10-07 09:24:49 UTC
acme-tiny-0.1-10.20160810git5a7b4e7.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-35ee682c26

Comment 28 Fedora Update System 2016-10-07 09:57:58 UTC
acme-tiny-0.1-10.20160810git5a7b4e7.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-1868cc9f1b

Comment 29 Fedora Update System 2016-10-08 14:17:09 UTC
acme-tiny-0.1-10.20160810git5a7b4e7.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-cb6cac6026

Comment 30 Stuart D Gathman 2016-10-11 19:01:05 UTC
The README advises using semanage to label /var/lib/acme/certs as cert_t so that dovecot and others can use the certs directly.  But the package should provide for this.

Possible solutions:

a) run semanage fcontext during (pre-)installation. 
b) ask selinux policy to label /var/lib/acme as cert_t
c) Have package install a /etc/pki/acme directory owned by acme, which will then be cert_t.  
  o) Moving /var/lib/acme to /etc/pki/acme is not optimal for two reasons:
    1) a pain for existing users (including me!)
    2) makes acme-tiny unusable by systems that keep /etc readonly during normal operation.
  o) The cron script could update certs in *both* /etc/pki/acme and /var/lib/acme
d) Investigate using the /var/lib/letsencrypt directory used by certbot.
  o) Don't want both systems trying to renew the same certs.

Comment 31 Fedora Update System 2016-10-16 18:52:16 UTC
acme-tiny-0.1-10.20160810git5a7b4e7.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 32 Fedora Update System 2016-10-16 22:49:30 UTC
acme-tiny-0.1-10.20160810git5a7b4e7.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 33 Fedora Update System 2016-10-17 07:48:36 UTC
acme-tiny-0.1-10.20160810git5a7b4e7.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 34 Fedora Update System 2016-10-30 21:48:14 UTC
acme-tiny-0.1-10.20160810git5a7b4e7.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 35 Fedora Update System 2016-10-30 21:50:10 UTC
acme-tiny-0.1-10.20160810git5a7b4e7.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

