diff options
| author | Christian Breunig <christian@breunig.cc> | 2026-06-16 17:36:37 +0200 |
|---|---|---|
| committer | Christian Breunig <christian@breunig.cc> | 2026-06-18 16:07:54 +0200 |
| commit | 101924e2c40f45fc1302633f2448bccee0c9c5e8 (patch) | |
| tree | 5b453b369e893ca82b88fb4abcabf61f9d261580 /src | |
| parent | 4fb32bc179127691f40c8e93c55877aa76f10416 (diff) | |
| download | vyos-1x-101924e2c40f45fc1302633f2448bccee0c9c5e8.tar.gz vyos-1x-101924e2c40f45fc1302633f2448bccee0c9c5e8.zip | |
pki: T8994: add graceful error handling in case certbot fails
If ACME and certbot are used for PKI and e.g. haproxy it can become an issue if
certbot is blocked by the firewall. The renewal service will fail and tear-down
the production service - even if the certificate is yet not expired.
The production service was not restarted. This has been changed as every service
which is stopped prior to the renew is later restarted even upon failure of
renewing said certificate.
Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/pki.py | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/src/conf_mode/pki.py b/src/conf_mode/pki.py index 356a8dd89..349abb6fc 100755 --- a/src/conf_mode/pki.py +++ b/src/conf_mode/pki.py @@ -167,6 +167,7 @@ def certbot_renew(config: dict, force: bool=False) -> None: # Determine services using ACME based certificates pre_hook_services = [] + stop_services = [] for used_by, _ in dict_search_recursive(config, 'used_by'): pre_hook_services.extend(used_by) # Remove duplicate items from list @@ -174,16 +175,21 @@ def certbot_renew(config: dict, force: bool=False) -> None: # Automatically add services in use to pre_hook_services depending on service # name in vyos.defaults.systemd_services if pre_hook_services: - services = [] for service in pre_hook_services: if service in systemd_services: - services.append(systemd_services[service]) - tmp += ' --pre-hook "systemctl stop ' + ' '.join(services) + '"' + stop_services.append(systemd_services[service]) + tmp += ' --pre-hook "systemctl stop ' + ' '.join(stop_services) + '"' if force: tmp += ' --force-renewal' - print(cmd(tmp, raising=ConfigError, message=f'Certbot renew failed!')) + try: + print(cmd(tmp, raising=ConfigError, message=f'Certbot renew failed!')) + except ConfigError as e: + print(e) + for service in stop_services: + print(f'Restarting "{service}" with non-renewed certificate...') + cmd(f'systemctl restart {service}') return None def get_config(config=None): |
