kosmos/chef
kosmos/chef
8
3
Fork 0
Code Issues 29 Pull Requests 2 Projects 2 Activity

WIP: Replace the certbot systemd unit with a cron job with notifications #68

Closed
greg wants to merge 2 commits from bugfix/3-certbot_email_notifications into master
pull from: bugfix/3-certbot_email_notifications
merge into: kosmos:master
Conversation 4 Commits 2 Files Changed 2 +21 -1
greg commented 2019-06-18 16:28:17 +00:00
Owner
Copy Link

Uses cronic (https://habilis.net/cronic/) to filter out the stdout and send a sensible email to ops@kosmos.org when renewal fails

Closes #3

This has been tested on andromeda

Uses cronic (https://habilis.net/cronic/) to filter out the stdout and send a sensible email to ops@kosmos.org when renewal fails Closes #3 This has been tested on andromeda
greg commented 2019-06-18 16:30:11 +00:00
Author
Owner
Copy Link

I checked, no other change is needed for cron jobs so far, the backup gem is already successfully sending emails when warnings or errors occur (independently of using cron).

Doing the same thing with systemd timers would be very complex for no reason: https://wiki.archlinux.org/index.php/Systemd/Timers#MAILTO

I checked, no other change is needed for cron jobs so far, the backup gem is already successfully sending emails when warnings or errors occur (independently of using cron). Doing the same thing with systemd timers would be very complex for no reason: https://wiki.archlinux.org/index.php/Systemd/Timers#MAILTO
greg changed title from Replace the certbot systemd unit with a cron job with notifications to WIP: Replace the certbot systemd unit with a cron job with notifications 2019-06-19 09:06:54 +00:00
greg commented 2019-06-19 09:09:17 +00:00
Author
Owner
Copy Link

Damnit, certbot is using stderr to output warnings, so we got an email when it ran at midnight:

ERROR OUTPUT:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal
Cert not yet due for renewal
Cert not yet due for renewal
Cert not yet due for renewal
Attempting to parse the version 0.33.1 renewal configuration file found at
/etc/letsencrypt/renewal/kosmos.social.conf with version 0.31.0 of Certbot.
This might not work.
Cert not yet due for renewal
Cert not yet due for renewal
Cert not yet due for renewal

Adding the -q switch should fix it:

  -q, --quiet           Silence all output except errors. Useful for
                        automation via cron. Implies --non-interactive.
                        (default: False)
Damnit, certbot is using stderr to output warnings, so we got an email when it ran at midnight: ``` ERROR OUTPUT: Saving debug log to /var/log/letsencrypt/letsencrypt.log Cert not yet due for renewal Cert not yet due for renewal Cert not yet due for renewal Cert not yet due for renewal Attempting to parse the version 0.33.1 renewal configuration file found at /etc/letsencrypt/renewal/kosmos.social.conf with version 0.31.0 of Certbot. This might not work. Cert not yet due for renewal Cert not yet due for renewal Cert not yet due for renewal ``` Adding the `-q` switch should fix it: ``` -q, --quiet Silence all output except errors. Useful for automation via cron. Implies --non-interactive. (default: False) ```
raucao commented 2019-06-19 09:36:54 +00:00
Owner
Copy Link

Doing the same thing with systemd timers would be very complex for no reason: https://wiki.archlinux.org/index.php/Systemd/Timers#MAILTO

What's complex about that? Looks very straight-forward to me, and can be done once for all our machines via a cookbook.

> Doing the same thing with systemd timers would be very complex for no reason: https://wiki.archlinux.org/index.php/Systemd/Timers#MAILTO What's complex about that? Looks very straight-forward to me, and can be done once for all our machines via a cookbook.
greg commented 2019-06-19 12:06:12 +00:00
Author
Owner
Copy Link

You're right, I misunderstood, that would work with the cerbot systemd timer as it is (systemctl status --full certbot will contain the previous error). I'm going to close this and reopen another pull request that does it with a OnFailure section on the certbot service instead

You're right, I misunderstood, that would work with the cerbot systemd timer as it is (`systemctl status --full certbot` will contain the previous error). I'm going to close this and reopen another pull request that does it with a `OnFailure` section on the certbot service instead
greg closed this pull request 2019-06-19 12:06:12 +00:00

Pull request closed

This pull request cannot be reopened because the branch was deleted.
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
service
accounts
Kosmos Accounts
service
discourse
Kosmos Community Forums
service
drone-ci
Kosmos Drone CI
service
email
mail.kosmos.org
service
garage
S3-compatible object storage
service
gitea
Kosmos Gitea
service
ipfs
Kosmos IPFS
service
mastodon
kosmos.social
service
postgres
Database cluster
service
remotestorage
Portable data storage for the Web
service
wiki
Kosmos Wiki
service
xmpp
Kosmos Chat
bug
Something is not working
design
Graphic/visual design
dev environment
Config, builds, CI, deployment, etc.
docs
Documentation
duplicate
This issue or pull request already exists
enhancement
Improving existing functionality
feature
New functionality
good first issue
Dive in, and start contributing
idea
Something to consider
invalid
Not a bug
kredits-1
Small contribution
kredits-2
Medium contribution
kredits-3
Large contribution
on hold
Currently not actionable
ops
Manual IT ops activities
question
Looking for an answer
release
major
release
minor
release
patch
security
All your base are belong to us
ui/ux
User interface, process design, etc.
wontfix
This won't be fixed
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
bkero bumi fsmanuel galfert greg hueso raucao slvrbckt
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: kosmos/chef#68
No description provided.
Delete Branch "bugfix/3-certbot_email_notifications"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?