Bug 1839904 - apachectl graceful interfering with verifying next cert to be signed
Summary: apachectl graceful interfering with verifying next cert to be signed
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: acme-tiny
Version: epel7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: Stuart D Gathman
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-05-25 23:22 UTC by Stuart D Gathman
Modified: 2021-07-05 01:20 UTC (History)

Fixed In Version: acme-tiny-4.1.0-7.fc34 acme-tiny-4.1.0-7.fc33 acme-tiny-4.1.0-7.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-28 01:31:11 UTC
Type: Bug
Embargoed:


Attachments
Proof of concept for compatible daemon kicker when acme-tiny updates certs (1.41 KB, text/plain)
2021-05-27 21:01 UTC, Stuart D Gathman

Description Stuart D Gathman 2020-05-25 23:22:51 UTC
Description of problem:
Cert fails to be signed because httpd does not respond to request to verify control of domain

Version-Release number of selected component (if applicable):
acme-tiny-4.1.0-1.el7.noarch

How reproducible:
Random, needs 3 or more certs to be signed in a day to be likely

Steps to Reproduce:
1. enable acme-tiny timer
2. have 3 or more certs to be signed the same day
3.

Actual results:
First few certs are signed, then one fails because httpd does not respond

Expected results:
All certs in expiration window are signed.

Additional info:
As certs are signed, incrond runs /etc/acme-tiny/notify.sh which does "apachectl graceful" for certs just signed.  This seems to sometimes interfere briefly with new requests.

Comment 1 Stuart D Gathman 2020-05-25 23:49:16 UTC
The jilted certs will get signed the next day, and thus, the problem will correct itself.

Comment 2 Stuart D Gathman 2021-05-27 20:59:13 UTC
In addition, kicking apache/dovecot/sendmail does not happen out of the box.  User has to read the README for Fedora and install incrond.  I think with systemd, I can have another one-shot service run after acme-tiny.  This will avoid needing to install anything additional.  Comparing dates on certs will only happen once a day, so not a performance problem.  It will avoid kicking the daemons until After all the certs are signed.
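The approach described in this comment (a one-shot run after acme-tiny that compares cert dates and reloads the daemons once, instead of incrond reloading per cert while later challenges are still being verified), as an added example that is not the attachment from this bug nor acme-tiny's own code. The cert directory, stamp file, unit names and the script name `acme-kick.sh` are assumptions.

```shell
#!/bin/sh
# Added example: daemon "kicker" intended for a systemd oneshot unit ordered
# After= the acme-tiny service, so httpd is reloaded once after ALL certs are
# signed rather than in the middle of the next domain verification.
# CERT_DIR, STAMP and the unit list are assumptions, not acme-tiny defaults.

CERT_DIR="${CERT_DIR:-/var/lib/acme}"        # assumed location of signed certs
STAMP="${STAMP:-/var/lib/acme/.last-kick}"   # assumed mtime marker of last reload

# Print the certs in $1 that are newer than stamp file $2.
# With no stamp yet (first run), every cert counts as new.
certs_newer_than() {
    dir=$1; stamp=$2
    if [ -e "$stamp" ]; then
        find "$dir" -maxdepth 1 -name '*.crt' -newer "$stamp"
    else
        find "$dir" -maxdepth 1 -name '*.crt'
    fi
}

# Return 0 (and print the changed certs) if a reload is warranted, else 1.
# This is the once-a-day date comparison: cheap, and independent of incrond.
needs_kick() {
    changed=$(certs_newer_than "$1" "$2")
    [ -n "$changed" ] || return 1
    printf '%s\n' "$changed"
}

# Reload each running daemon exactly once. "systemctl reload httpd" is the
# unit-level equivalent of "apachectl graceful". KICK_DRY_RUN=1 only prints.
kick_daemons() {
    for unit in httpd dovecot sendmail; do
        systemctl -q is-active "$unit" 2>/dev/null || continue
        if [ -n "$KICK_DRY_RUN" ]; then
            echo "would reload $unit"
        else
            systemctl reload "$unit"
        fi
    done
}

main() {
    if needs_kick "$CERT_DIR" "$STAMP" >/dev/null; then
        kick_daemons
        touch "$STAMP"    # next run only reacts to certs signed after this point
    fi
}

# Run main only when executed as acme-kick.sh (e.g. from ExecStart), not when sourced.
case "$0" in */acme-kick.sh|acme-kick.sh) main ;; esac
```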

Comment 3 Stuart D Gathman 2021-05-27 21:01:58 UTC
Created attachment 1787693 [details]
Proof of concept for compatible daemon kicker when acme-tiny updates certs

Comment 4 Stuart D Gathman 2021-05-28 04:38:36 UTC
Pushed a new version to rawhide.  Accidentally also pushed to f33, so pushed to f34 as well and will accelerate testing.  I will roll out on some lightly used production servers.

Comment 5 Fedora Update System 2021-06-19 23:02:23 UTC
FEDORA-EPEL-2021-551ec36d33 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-551ec36d33

Comment 6 Fedora Update System 2021-06-19 23:19:09 UTC
FEDORA-2021-be8fcce052 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-be8fcce052

Comment 7 Fedora Update System 2021-06-19 23:19:10 UTC
FEDORA-2021-cb636961f0 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-cb636961f0

Comment 8 Fedora Update System 2021-06-20 01:25:24 UTC
FEDORA-2021-be8fcce052 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-be8fcce052`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-be8fcce052

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2021-06-20 01:25:25 UTC
FEDORA-EPEL-2021-551ec36d33 has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-551ec36d33

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2021-06-20 01:57:32 UTC
FEDORA-2021-cb636961f0 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-cb636961f0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-cb636961f0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2021-06-28 01:31:11 UTC
FEDORA-2021-be8fcce052 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 12 Fedora Update System 2021-06-28 01:43:23 UTC
FEDORA-2021-cb636961f0 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 13 Fedora Update System 2021-07-05 01:20:43 UTC
FEDORA-EPEL-2021-551ec36d33 has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.
