Bug 244922 - security/lego: Setup instructions/scripts doesn't match
Summary: security/lego: Setup instructions/scripts doesn't match
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
Depends on:
Reported: 2020-03-19 20:53 UTC by daniel.engberg.lists
Modified: 2020-04-24 19:27 UTC (History)
1 user (show)

See Also:
matt: maintainer-feedback+


Note You need to log in before you can comment on or make changes to this bug.
Description daniel.engberg.lists 2020-03-19 20:53:08 UTC
Something seems to have changed between versions:

The certificates are generated using the deploy.sh script

--== lego.sh ==--

--== deploy.sh ==--

--== periodic.conf ==--

Running periodic weekly show this:

Checking Let's Encrypt certificate status:
Deploying Let's Encrypt certificates:
cp: /usr/local/etc/ssl/certs/domain1.crt: No such file or directory
cp: /usr/local/etc/ssl/private/domain1.key: No such file or directory
cp: /usr/local/etc/ssl/certs/domain2.crt: No such file or directory
cp: /usr/local/etc/ssl/private/domain2.key: No such file or directory

These files are located in /usr/local/etc/ssl/lego/certificates/ without any sub directories:

-rw-------  1 _lego  _lego  3332 Mar 19 17:56 domain1.crt
-rw-------  1 _lego  _lego  1648 Mar 19 17:56 domain1.issuer.crt
-rw-------  1 _lego  _lego   239 Mar 19 17:56 domain1.json
-rw-------  1 _lego  _lego   288 Mar 19 17:56 domain1.key
-rw-------  1 _lego  _lego  3336 Mar 19 17:56 domain2.crt
-rw-------  1 _lego  _lego  1648 Mar 19 17:56 domain2.issuer.crt
-rw-------  1 _lego  _lego   241 Mar 19 17:56 domain2.json
-rw-------  1 _lego  _lego   288 Mar 19 17:56 domain2.key

Perhaps I'm missing something obvious here?
Comment 1 daniel.engberg.lists 2020-03-19 20:56:09 UTC
...and I should of course also add version used, 3.4.0.
I apologize missing that crucial information.
Comment 2 Matthew Horan 2020-03-22 19:14:45 UTC
(In reply to daniel.engberg.lists from comment #1)

Thanks for the report! I think this is just the deploy script failing (lego itself is fine). It looks like the deploy script presumes that /usr/local/etc/ssl/{certs,private} directories exist. Can you try creating those and then run periodic?
Comment 3 daniel.engberg.lists 2020-03-23 07:43:49 UTC

Yes, that seems to have fixed the issue.

Comment 4 daniel.engberg.lists 2020-04-24 19:07:14 UTC
Is this fixed in 3.6.0?
Comment 5 Matthew Horan 2020-04-24 19:27:13 UTC
(In reply to daniel.engberg.lists from comment #4)
No changes from 3.6.0 are specific to this issue; just an upstream version bump.

To resolve this issue in the port, I would have to modify the port to create the certs and private directories. However, the deploy script is really intended as a sample as I don't want to dictate where/how the certs are deployed. It also presumes that you're running nginx, which might not be the case (I'm using lego to generate certs for ircd.)

Alternatively, I could update the pkg-message to state that the certs and private directories must be created / set up as appropriate, if the deploy script is used without modification.