<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/src/conf_mode/pki.py, branch rolling</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2026-06-18T14:07:54+00:00</updated>
<entry>
<title>pki: T8994: add graceful error handling in case certbot fails</title>
<updated>2026-06-18T14:07:54+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2026-06-16T15:36:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=101924e2c40f45fc1302633f2448bccee0c9c5e8'/>
<id>urn:sha1:101924e2c40f45fc1302633f2448bccee0c9c5e8</id>
<content type='text'>
If ACME and certbot are used for PKI and e.g. haproxy it can become an issue if
certbot is blocked by the firewall. The renewal service will fail and tear-down
the production service - even if the certificate is yet not expired.

The production service was not restarted. This has been changed as every service
which is stopped prior to the renew is later restarted even upon failure of
renewing said certificate.
</content>
</entry>
<entry>
<title>T8410: Fix typos and mistakes for operational and configuration commands</title>
<updated>2026-03-24T17:02:56+00:00</updated>
<author>
<name>Viacheslav Hletenko</name>
<email>v.gletenko@vyos.io</email>
</author>
<published>2026-03-20T16:41:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=bb2aee1e58c1cd30087b935798060e6bf3c698c8'/>
<id>urn:sha1:bb2aee1e58c1cd30087b935798060e6bf3c698c8</id>
<content type='text'>
Fix typos and mistakes in the commands and comments
No functional changes
</content>
</entry>
<entry>
<title>pki: T7976: calls to node_changed_presence() must use unmangled config paths</title>
<updated>2025-11-02T09:22:15+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-11-02T09:19:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=01c10334b0b734bef51a5f26a93ef50a635b376a'/>
<id>urn:sha1:01c10334b0b734bef51a5f26a93ef50a635b376a</id>
<content type='text'>
We do use mangled config paths where
  pki = conf.get_config_dict(base, key_mangling=('-', '_'), ...
returns a config dict where "-" is replaced by "_" when assembling the config
dict keys.

This does not work when we throw the retrieved path into
ConfigDiff().node_changed_presence()

https://github.com/vyos/vyos-1x/blob/07936657062c/src/conf_mode/pki.py#L259-L265

Add orig_path key which is preferred over path.
</content>
</entry>
<entry>
<title>pki: T7953: implement certbot_renew() function to have everything at one place</title>
<updated>2025-10-29T19:18:41+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-10-26T15:27:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=220209abde9646cf7b7fc4832e46b9b6c461c433'/>
<id>urn:sha1:220209abde9646cf7b7fc4832e46b9b6c461c433</id>
<content type='text'>
</content>
</entry>
<entry>
<title>pki: T7953: reword inline comments</title>
<updated>2025-10-26T15:26:38+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-10-26T15:26:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=4066ed80c8e8b80dba50b5fea37c88d0c7c6b5c1'/>
<id>urn:sha1:4066ed80c8e8b80dba50b5fea37c88d0c7c6b5c1</id>
<content type='text'>
</content>
</entry>
<entry>
<title>pki: T7953: certbot_request() should return None</title>
<updated>2025-10-26T15:25:12+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-10-26T15:24:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=406c948fe78a2a9ff4a26efa78cf172310a88ed6'/>
<id>urn:sha1:406c948fe78a2a9ff4a26efa78cf172310a88ed6</id>
<content type='text'>
</content>
</entry>
<entry>
<title>pki: T7953: use dict_set_nested() over manually assembly of dict data</title>
<updated>2025-10-26T15:08:18+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-10-26T15:01:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=9c8bba962298f8e91a12866f3efcb94cf8c8458b'/>
<id>urn:sha1:9c8bba962298f8e91a12866f3efcb94cf8c8458b</id>
<content type='text'>
</content>
</entry>
<entry>
<title>pki: T7885: add openconnect to the list of used_by services</title>
<updated>2025-10-02T21:46:51+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-10-02T21:35:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=28bdc8b4e7fcb667f6157fa81efeb78f017c5f92'/>
<id>urn:sha1:28bdc8b4e7fcb667f6157fa81efeb78f017c5f92</id>
<content type='text'>
</content>
</entry>
<entry>
<title>pki: T7885: check_port_availability() can't be used during system boot</title>
<updated>2025-10-02T21:39:35+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-10-02T21:10:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=008bd2463ee2cba05470768e11d634c2461ea5fa'/>
<id>urn:sha1:008bd2463ee2cba05470768e11d634c2461ea5fa</id>
<content type='text'>
A call to check_port_availability() will always fail during system boot when
listen_address is set and the address is not yet assigned to an interface.

This happens b/c PKI subsystem is called prior to any inteface - e.g. ethernet -
and thus the OS will always be unable to bind() a socket() to a non existing IP
address.
</content>
</entry>
<entry>
<title>T7591: remove copyright years from source files</title>
<updated>2025-06-28T21:16:52+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-06-28T18:51:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=1478516ae437f19ebeb7d6ff9b83dd74f8e76758'/>
<id>urn:sha1:1478516ae437f19ebeb7d6ff9b83dd74f8e76758</id>
<content type='text'>
The legal team says years are not necessary so we can go ahead with it, since
it will simplify backporting.

Automatically removed using: git ls-files | grep -v libvyosconfig | xargs sed -i -E \
's/^# Copyright (19|20)[0-9]{2}(-[0-9]{4})? VyOS maintainers.*/# Copyright VyOS maintainers and contributors &lt;maintainers@vyos.io&gt;/g'

In addition we will error-out during "make" if someone re-adds a legacy
copyright notice
</content>
</entry>
</feed>
