authorChristian Breunig <christian@breunig.cc>2025-06-23 22:43:21 +0200
committerChristian Breunig <christian@breunig.cc>2025-06-23 22:45:32 +0200
commit74941af39dc59c42d8ec6749169ee1c1663b78b7 (patch)
treeeb31931269a8d81b3bae71890e58814c6f8cd449 /src
parenta4e2f96b133a9f753b6b9fd4686f3ff2a8694dfe (diff)
pki: T7574: add optional force argument to renew certbot-issued certificates
Certbot renewal command in op-mode "renew certbot" only works if any of the certificates is up for renewal. There is no CLI option to forcefully renew a certificate. This is about adding a force option to the CLI and with this addition move the entire certbot renew handling to new-style op-mode commands. vyos@vyos:~$ renew certbot force - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /config/auth/letsencrypt/renewal/vyos.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Renewing an existing certificate for vyos.io - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations, all renewals succeeded: /config/auth/letsencrypt/live/vyos/fullchain.pem (success) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Hook 'post-hook' ran with output: Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d... done.
Diffstat (limited to 'src')
-rw-r--r--src/etc/systemd/system/certbot.service.d/10-override.conf7
-rwxr-xr-xsrc/op_mode/pki.py15
2 files changed, 15 insertions, 7 deletions
diff --git a/src/etc/systemd/system/certbot.service.d/10-override.conf b/src/etc/systemd/system/certbot.service.d/10-override.conf
deleted file mode 100644
index 542f77eb2..000000000
--- a/src/etc/systemd/system/certbot.service.d/10-override.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-[Unit]
-After=
-After=vyos-router.service
-
-[Service]
-ExecStart=
-ExecStart=/usr/bin/certbot renew --config-dir /config/auth/letsencrypt --no-random-sleep-on-renew --post-hook "/usr/libexec/vyos/vyos-certbot-renew-pki.sh"
diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py
index 49a461e9e..d928bd325 100755
--- a/src/op_mode/pki.py
+++ b/src/op_mode/pki.py
@@ -1373,6 +1373,21 @@ def show_all(raw: bool):
print('\n')
show_crl(raw)
+def renew_certbot(raw: bool, force: typing.Optional[bool] = False):
+ from vyos.defaults import directories
+
+ certbot_config = directories['certbot']
+ hook_dir = directories['base']
+
+ tmp = f'/usr/bin/certbot renew --no-random-sleep-on-renew ' \
+ f'--config-dir "{certbot_config}" ' \
+ f'--post-hook "{hook_dir}/vyos-certbot-renew-pki.sh"'
+ if force:
+ tmp += ' --force-renewal'
+
+ out = cmd(tmp)
+ if not raw:
+ print(out)
if __name__ == '__main__':
try:
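Review bot: In the new renew_certbot, `raw=True` produces neither output nor a return value — the `if not raw: print(out)` branch simply drops certbot's output, so a caller asking for machine-readable output gets `None`; the other new-style op-mode handlers return data in raw mode, so this should be `out = cmd(tmp)` / `if raw:` / `    return {'output': out}` followed by an unconditional `print(out)`. A docstring on the function would also help, stating that `force` appends `--force-renewal` (which re-issues the certificate even when it is not due, so repeated use counts against the ACME issuer's duplicate-certificate rate limits) and that the post-hook at `{hook_dir}/vyos-certbot-renew-pki.sh` is what re-imports the renewed material into the PKI. If `cmd()` raises on a non-zero certbot exit status, as it appears to, a failed renewal surfaces as a traceback rather than certbot's diagnostic text; consider catching that and printing the captured output before re-raising. Note that the deleted systemd override is the only thing in this commit that pointed the unit's ExecStart at the VyOS config dir and post-hook; if certbot.timer still triggers certbot.service, confirm that scheduled renewals are handled elsewhere. The `if __name__ == '__main__':` block continues outside the hunk.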