Remove unnecessary ID from Let's Encrypt bundled cert filename #834
Conversation
|
Well that was easier than I thought :) Rest of the changes look good too 👍 |
|
I added a commit that changes the focus, while still removing the ID from the bundled cert filename. The new focus is to expand This new approach also adds a tag to the task that executes With so many edits to @strarsis, The bundled cert's path is now stable (no ID). Is that enough, or is it a problem that the root cert filename and CSR filename will each still have changing IDs? (#286) |
|
@fullyint: The CSR is rarely/never used by TLS configurations and I don't need it for my use case either. |
|
My error in saying "root cert." I meant to refer to the "end-entity cert" or "leaf certificate" that Let's Encrypt issues for the server. This filename WILL have the changing ID, but I suspect other programs wouldn't use this file. When I mentioned "bundled cert" I meant the chained certificate that browsers care about: the concatenation of our server's end-entity cert and the Let's Encrypt intermediate cert. It is the only cert file we serve and will NOT have an ID (after this PR). |
|
@fullyint: Most programs require fullchain cert (=bundled) and private key, hence both files should have constant file names. |
swalkinshaw
force-pushed
the
remove-id-from-bundled-cert
branch
from
b46823d to
91d8a35
Compare
|
Resurrecting this from the dead 😄 I've rebased and updated it since the renew certs scripts had significantly changed. Still needs testing. |
swalkinshaw
force-pushed
the
remove-id-from-bundled-cert
branch
2 times, most recently
from
94728c9 to
5de70af
Compare
|
This should be ready to go and I've tested it on a site with Lets Encrypt. @strarsis would you be able to try this out somehow? (without breaking a production site 😉). It's designed to be very low risk and backwards compatible though. |
The CSR and cert_file use an ID in their filenames to ensure they are regenerated in response to changes in relevant conditions. However, an ID in the bundled cert filename serves no purpose. This commit removes the ID from the bundled cert filename, offering other programs a more stable and static path for the bundled cert. This commit also rsyncs existing ID-in-filename bundled certs to their non-ID counterparts. This ensures the non-ID certs exist when users happen to run only the `wordpress` tag and not the `letsencrypt` tag. In such a scenario, the wordpress-site.conf files would be regenerated with non-ID filenames but such files would not exist without an rsync effective under the same Ansible tag.
swalkinshaw
force-pushed
the
remove-id-from-bundled-cert
branch
from
5de70af to
6968b44
Compare
|
@swalkinshaw: Awesome, thanks! |
#826 says it would be nice for other programs to have a stable path to the Let's Encrypt bundled cert (vs. a filename with an ID that changes).
ID ensures regenerated CSR and cert_file. The CSR uses the ID/hash here to ensure it is regenerated in response to changes in relevant conditions, and an ID in the
cert_filename appeared necessary for the correct stat and age calculation for the file.ID unnecessary in bundled cert filename. However, an ID in the bundled cert filename is not necessary, as far as I can tell. I think I just included it in #630 for filename consistency with the CSR and
cert_file. So, this PR removes the ID from the bundled cert filename, for convenience of other programs that use its path. I'm not aware of any external need for the bundled cert filename to be unique with each cert renewal. Indeed, certbot considers it optional to "uniquify" cert paths: certbot/certbot#3009Backward compatibility This PR also rsyncs existing ID-in-filename bundled certs to their non-ID counterparts. This ensures the non-ID bundled certs exist when users happen to run only the
wordpresstag and not theletsencrypttag. In such a scenario, thewordpress-site.conffiles would be regenerated with non-ID filenames but such files would not exist without an rsync that runs under the same Ansible tag. (The two tasks for compatibility are the bulk of this PR, unfortunately. Removing the ID was just 2 lines of code otherwise).Tags note. This PR also adds the
wordpress-setup-nginxtag to the "Generate Lets Encrypt certificate IDs" task, this task being required for the later tasks in this PR to have access to the IDs, if a user happened to trigger these tasks via thewordpress-setup-nginxtag.This PR also adds the
nginx-includestag to the two rsync tasks because they need to run if a user runs thenginx-includestag, which would regenerate thewordpress-site.confwith the non-ID bundled cert filename via the "Create WordPress configuration for Nginx" task.Playing it safe. This PR also augmented the
renew-certs.pywith a check for the existence of the bundled cert, in the spirit of pursuing "desired state." If the bundled cert doesn't exist, running the rest of the script is the only way it will be created. I concede that it would be a rare case for thecert_fileto exist and thebundled_cert_fileto not exist, but strange things happen, and this addition doesn't seem to have too big of a price for playing it safe.