Something seems to have changed between versions:

The certificates are generated using the deploy.sh script

--== lego.sh ==--
BASEDIR="/usr/local/etc/lego"
SSLDIR="/usr/local/etc/ssl/lego"
DOMAINSFILE="${BASEDIR}/domains.txt"

--== deploy.sh ==--
SSLDIR="/usr/local/etc/ssl"

--== periodic.conf ==--
weekly_lego_enable="YES"
weekly_lego_renewscript="/usr/local/etc/lego/lego.sh"
weekly_lego_deployscript="/usr/local/etc/lego/deploy.sh"
weekly_output=/var/log/weekly.log

Running periodic weekly shows this:

Checking Let's Encrypt certificate status:

Deploying Let's Encrypt certificates:
cp: /usr/local/etc/ssl/certs/domain1.crt: No such file or directory
cp: /usr/local/etc/ssl/private/domain1.key: No such file or directory
cp: /usr/local/etc/ssl/certs/domain2.crt: No such file or directory
cp: /usr/local/etc/ssl/private/domain2.key: No such file or directory

These files are located in /usr/local/etc/ssl/lego/certificates/ without any subdirectories:

-rw------- 1 _lego _lego 3332 Mar 19 17:56 domain1.crt
-rw------- 1 _lego _lego 1648 Mar 19 17:56 domain1.issuer.crt
-rw------- 1 _lego _lego  239 Mar 19 17:56 domain1.json
-rw------- 1 _lego _lego  288 Mar 19 17:56 domain1.key
-rw------- 1 _lego _lego 3336 Mar 19 17:56 domain2.crt
-rw------- 1 _lego _lego 1648 Mar 19 17:56 domain2.issuer.crt
-rw------- 1 _lego _lego  241 Mar 19 17:56 domain2.json
-rw------- 1 _lego _lego  288 Mar 19 17:56 domain2.key

Perhaps I'm missing something obvious here?
...and I should of course also add the version used, 3.4.0. I apologize for missing that crucial information.
(In reply to daniel.engberg.lists from comment #1) Thanks for the report! I think this is just the deploy script failing (lego itself is fine). It looks like the deploy script presumes that /usr/local/etc/ssl/{certs,private} directories exist. Can you try creating those and then run periodic?
Hi, Yes, that seems to have fixed the issue. Thanks, Daniel
Is this fixed in 3.6.0?
(In reply to daniel.engberg.lists from comment #4) No changes from 3.6.0 are specific to this issue; just an upstream version bump. To resolve this issue in the port, I would have to modify the port to create the certs and private directories. However, the deploy script is really intended as a sample as I don't want to dictate where/how the certs are deployed. It also presumes that you're running nginx, which might not be the case (I'm using lego to generate certs for ircd.) Alternatively, I could update the pkg-message to state that the certs and private directories must be created / set up as appropriate, if the deploy script is used without modification.
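Added example, not the port's deploy.sh and not code posted in this thread: a deploy step that creates the certs and private directories instead of presuming they exist, and installs the key with owner-only permissions. The function name deploy_certs and its argument order are hypothetical; the paths in the usage comment are the ones quoted in the report.

```shell
#!/bin/sh
# Added example (assumption: run as root from periodic, like the sample script).
# Usage, with the paths from the report:
#   deploy_certs /usr/local/etc/ssl/lego/certificates /usr/local/etc/ssl domain1 domain2

# deploy_certs SRC_DIR SSL_DIR DOMAIN...
# Copies DOMAIN.crt and DOMAIN.key from lego's flat certificates directory
# into SSL_DIR/certs and SSL_DIR/private. Returns non-zero if any domain fails.
deploy_certs() {
    src=$1
    ssl=$2
    shift 2

    # Create the target directories rather than letting cp fail on them.
    # private/ is owner-only so the keys are not listable by other users.
    mkdir -p "$ssl/certs" "$ssl/private" || return 1
    chmod 755 "$ssl/certs" && chmod 700 "$ssl/private" || return 1

    rc=0
    for d in "$@"; do
        # Report a missing source file by name and keep going with the rest.
        if [ ! -r "$src/$d.crt" ] || [ ! -r "$src/$d.key" ]; then
            echo "deploy: $d.crt or $d.key not readable in $src" >&2
            rc=1
            continue
        fi
        # install(1) sets the mode at creation time, so the key is never
        # world-readable; the rename keeps readers from seeing a partial file.
        install -m 0644 "$src/$d.crt" "$ssl/certs/$d.crt.new" &&
        install -m 0600 "$src/$d.key" "$ssl/private/$d.key.new" &&
        mv -f "$ssl/certs/$d.crt.new" "$ssl/certs/$d.crt" &&
        mv -f "$ssl/private/$d.key.new" "$ssl/private/$d.key" || rc=1
    done
    return $rc
}
```

Reloading the service that uses the certificates is left out on purpose, since the thread notes the sample script assumes nginx and that may not match the local setup.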
I guess we can close this by now