bbb-install certbot renewal post hook nginx issues


Ally Ogilvie

Oct 15, 2019, 9:39:00 PM
to BigBlueButton-dev
We are seeing on multiple servers and bbb versions the same thing; a certificate is updated, but nginx does not serve the new certificates.

Doing a restart of nginx corrects the issue. All our servers use bbb-install. We checked the script and certbot documentation. The certbot client for ubuntu 16 uses a systemd timer. Should there be a post renew hook added to restart nginx? Should that be in the bbb-install?


Fred Dixon

Oct 15, 2019, 10:48:00 PM
to BigBlueButton-dev
Hi Ally,

Hmm ... we have a cron job that runs the certbot renewal, and it causes nginx to reload its configuration file


cat /etc/cron.daily/renew-letsencrypt
#!/bin/bash
/usr/bin/letsencrypt renew >> /var/log/letsencrypt/renew.log
/bin/systemctl reload nginx


but there is also a certbot.service

systemctl cat certbot.service

[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true

We'll need to add a post-hook. We've got to dig through the documentation, but if you have suggestions on updates to bbb-install.sh, let us know.


Regards,... Fred




--
BigBlueButton Developer
@bigbluebutton

Ally Ogilvie

Oct 15, 2019, 11:10:43 PM
to BigBlueButton-dev
I can confirm we have that cron job, but I think the certbot client does the renew first. I think using the certbot client itself to do the post actions might be best. I also want to check the default certbot client update time. Seems to be doing it too close to the wire.

Ally Ogilvie

Oct 15, 2019, 11:15:24 PM
to BigBlueButton-dev
I found this on our machines;

$ cat /etc/cron.d/certbot 
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew


and I confirmed this is running from logs:
$ cat /var/log/syslog | grep CRON

Oct 15 12:00:01 bbb-... CRON[32492]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)

Oct 16 00:00:01 bbb-... CRON[3607]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)

I'm not sure when that gets added, but seems like the best place for 

certbot -q renew --post-hook "service nginx restart"


post-hook
This is only run if an attempt was made to obtain/renew a certificate.
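A hook script along the lines Ally proposes, written here as an added example (it is not bbb-install's code and not from this thread); it swaps in certbot's --deploy-hook, which runs only when a certificate was actually renewed and exports RENEWED_LINEAGE, and assumes a certbot version that supports it plus a writable state directory. It reloads nginx (rather than restarting it, so open sessions survive) only after `nginx -t` passes, and only when the live fullchain really changed since the last reload:

```shell
#!/bin/sh
# Hypothetical certbot deploy hook (example code, not from bbb-install).
# Install with: certbot -q renew --deploy-hook /usr/local/sbin/nginx-cert-reload
# certbot sets RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/example.org
set -eu

# Assumption: a directory root can write to, for remembering the last cert hash.
STATE_DIR="${STATE_DIR:-/var/lib/certbot-nginx-hook}"

# cert_changed CERT STATE_FILE
# Returns 0 when the sha256 of CERT differs from the hash recorded in
# STATE_FILE (or nothing is recorded yet) and records the new hash.
# Returns 1 when the file is unchanged, so the caller can skip the reload.
cert_changed() {
    cert="$1"; state="$2"
    new=$(sha256sum "$cert" | cut -d' ' -f1)
    old=""
    if [ -f "$state" ]; then
        old=$(cat "$state")
    fi
    if [ "$new" = "$old" ]; then
        return 1
    fi
    printf '%s\n' "$new" > "$state"
    return 0
}

# reload_nginx_if_needed CERT
# Test the config first: a reload with a broken config would leave nginx
# running on the old certificate, which is exactly the symptom in the thread.
reload_nginx_if_needed() {
    cert="$1"
    mkdir -p "$STATE_DIR"
    lineage=$(basename "$(dirname "$cert")")
    if cert_changed "$cert" "$STATE_DIR/$lineage.sha256"; then
        nginx -t && systemctl reload nginx
    fi
}

# Only act when certbot invoked us as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_nginx_if_needed "$RENEWED_LINEAGE/fullchain.pem"
fi
```

To confirm the fix took, compare the fingerprint nginx serves (`openssl s_client -connect host:443 | openssl x509 -noout -fingerprint`) with the one on disk under /etc/letsencrypt/live.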