Description of problem:
Cert fails to be signed because httpd does not respond to request to verify control of domain

Version-Release number of selected component (if applicable):
acme-tiny-4.1.0-1.el7.noarch

How reproducible:
Random, needs 3 or more certs to be signed in a day to be likely

Steps to Reproduce:
1. enable acme-tiny timer
2. have 3 or more certs to be signed the same day
3.

Actual results:
First few certs are signed, then one fails because httpd does not respond

Expected results:
All certs in expiration window are signed.

Additional info:
As certs are signed, incrond runs /etc/acme-tiny/notify.sh which does "apachectl graceful" for certs just signed. This seems to sometimes interfere briefly with new requests.
The jilted certs will get signed the next day, and thus, the problem will correct itself.
In addition, kicking apache/dovecot/sendmail does not happen out of the box. User has to read the README for Fedora and install incrond. I think with systemd, I can have another one-shot service run after acme-tiny. This will avoid needing to install anything additional. Comparing dates on certs will only happen once a day, so not a performance problem. It will avoid kicking the daemons until after all the certs are signed.
Created attachment 1787693: Proof of concept for compatible daemon kicker when acme-tiny updates certs
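A sketch of the approach described in the comments above, added here as an example; it is not the attachment from this bug or the packaged script. It compares cert dates against a stamp file and reloads once, after the signing run has finished. The cert directory, stamp path and `run` argument are assumptions, and only `apachectl graceful` comes from the report.

```shell
#!/bin/sh
# Added example, not the attachment from this bug. Intended to be started once
# by a oneshot unit ordered after the daily signing run, so no reload happens
# while the ACME server is still fetching challenge files from httpd.

CERT_DIR=${CERT_DIR:-/var/lib/acme/certs}   # assumed cert location
STAMP=${STAMP:-/var/lib/acme/.last-kick}    # assumed stamp file
RELOAD_CMD=${RELOAD_CMD:-apachectl graceful}

# Print certs modified since the last kick (all certs if no stamp exists yet).
changed_certs() {
    dir=$1 stamp=$2
    if [ -e "$stamp" ]; then
        find "$dir" -maxdepth 1 -type f -name '*.crt' -newer "$stamp"
    else
        find "$dir" -maxdepth 1 -type f -name '*.crt'
    fi
}

# Reload once if anything changed.
# Returns 0 if a reload ran, 1 if nothing changed, 2 on error.
kick_if_changed() {
    dir=$1 stamp=$2
    # Take the new stamp before scanning, so a cert written during the scan
    # is picked up by the next run instead of being missed.
    new_stamp=$(mktemp "${stamp}.XXXXXX") || return 2
    changed=$(changed_certs "$dir" "$stamp")
    if [ -z "$changed" ]; then
        rm -f "$new_stamp"
        return 1
    fi
    # Keep the old stamp if the reload fails, so the next run retries.
    $RELOAD_CMD || { rm -f "$new_stamp"; return 2; }
    mv -f "$new_stamp" "$stamp"
}

# Hypothetical entry point for the unit: "nothing changed" is not a failure.
if [ "${1:-}" = "run" ]; then
    kick_if_changed "$CERT_DIR" "$STAMP" || [ $? -eq 1 ]
fi
```

Because the stamp only advances after a successful reload, a daemon that failed to reload is retried on the next daily run rather than left serving the old cert.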
Pushed a new version to rawhide. Accidentally also pushed to f33, so pushed to f34 as well and will accelerate testing. I will roll out on some lightly used production servers.
FEDORA-EPEL-2021-551ec36d33 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-551ec36d33
FEDORA-2021-be8fcce052 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-be8fcce052
FEDORA-2021-cb636961f0 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-cb636961f0
FEDORA-2021-be8fcce052 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-be8fcce052` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-be8fcce052 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2021-551ec36d33 has been pushed to the Fedora EPEL 7 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-551ec36d33 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-cb636961f0 has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-cb636961f0` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-cb636961f0 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-be8fcce052 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2021-cb636961f0 has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-EPEL-2021-551ec36d33 has been pushed to the Fedora EPEL 7 stable repository. If problem still persists, please make note of it in this bug report.