[Windows] Avoid letsencrypt.log permissions error during scheduled certbot renew task (certbot#7537)

While coding for certbot#7536, I ran into another issue. It appears that Certbot logs generated during the scheduled task execution have wrong permissions that make them almost unusable: they do not have an owner, and their ACL contains nonsense values (non-existent account names).

The class `logging.handler.RotatingFileHandler` is responsible for these logs, and goes mad when it runs in a Python process started by a scheduled task owned by `SYSTEM`. This is precisely our case here.

This PR avoids (but does not fix) the issue by changing the owner of the scheduled task from `SYSTEM` to the `Administrators` group, which appears to work fine.

* Use Administrators group instead of SYSTEM to run the certbot renew task
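The symptom described above (log files with no owner and ACL entries that point at accounts that no longer resolve) can be confirmed from an elevated PowerShell prompt before and after changing the task principal. The following script is an added example and is not part of the Certbot commit or the Certbot code base; it assumes Certbot's Windows log directory is `C:\Certbot\log` (adjust `$LogDir` if yours differs) and that the log files are named `letsencrypt.log*`. Resolving `S-1-5-32-544` back to the local Administrators group mirrors the approach the diff takes, so the repair works on localized Windows installs.

```powershell
# Added example (not from the Certbot project): audit, and optionally repair, the
# ACLs of Certbot's Windows log files for the two symptoms in the commit message:
#   1. a missing or unresolvable owner,
#   2. access control entries whose identity does not map to an existing account.
# Assumption: log directory C:\Certbot\log and file names letsencrypt.log*.
param(
    [string]$LogDir = 'C:\Certbot\log',
    [switch]$Repair
)

# Well-known SID of the built-in Administrators group, resolved to the local name
# rather than hard-coding "Administrators" (which differs on localized Windows).
$adminsSid   = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$adminsGroup = $adminsSid.Translate([System.Security.Principal.NTAccount])

function Test-CertbotLogAcl {
    param([string]$Path)

    $findings = @()
    foreach ($file in Get-ChildItem -Path $Path -File -Filter 'letsencrypt.log*') {
        $acl = Get-Acl -Path $file.FullName

        # Owner check: Get-Acl returns the raw SID string ("S-1-...") when the
        # owner cannot be resolved, and an empty value when no owner is set.
        if ([string]::IsNullOrEmpty($acl.Owner) -or $acl.Owner -match '^S-1-') {
            $findings += [pscustomobject]@{
                File = $file.Name; Problem = 'Owner missing or unresolvable'; Detail = $acl.Owner
            }
        }

        # ACE check: round-trip each identity through SID -> account name. The
        # translation throws IdentityNotMappedException for an orphaned SID.
        foreach ($ace in $acl.Access) {
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
                $null = $sid.Translate([System.Security.Principal.NTAccount])
            } catch {
                $findings += [pscustomobject]@{
                    File = $file.Name; Problem = 'ACE with unresolvable identity'; Detail = $ace.IdentityReference.Value
                }
            }
        }
    }
    return $findings
}

function Repair-CertbotLogAcl {
    param([string]$Path)

    foreach ($file in Get-ChildItem -Path $Path -File -Filter 'letsencrypt.log*') {
        $acl = Get-Acl -Path $file.FullName

        # Give the file a resolvable owner (the local Administrators group).
        $acl.SetOwner($adminsGroup)

        # Drop every ACE whose identity does not resolve to an account.
        foreach ($ace in @($acl.Access)) {
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
                $null = $sid.Translate([System.Security.Principal.NTAccount])
            } catch {
                $null = $acl.RemoveAccessRule($ace)
            }
        }

        # Make sure Administrators and SYSTEM can still read and rotate the log.
        foreach ($identity in @($adminsGroup, (New-Object System.Security.Principal.NTAccount('NT AUTHORITY\SYSTEM')))) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $identity, 'FullControl', 'Allow')
            $acl.AddAccessRule($rule)
        }
        Set-Acl -Path $file.FullName -AclObject $acl
    }
}

$before = Test-CertbotLogAcl -Path $LogDir
$before | Format-Table -AutoSize

if ($Repair -and $before.Count -gt 0) {
    Repair-CertbotLogAcl -Path $LogDir
    # Re-run the audit; an empty result means every file now has a resolvable
    # owner and only ACEs that map to real accounts.
    Test-CertbotLogAcl -Path $LogDir | Format-Table -AutoSize
}
```

Run it first without `-Repair` to see the findings; `SetOwner` requires the caller to hold `SeTakeOwnershipPrivilege` or already own the file, so run it from an elevated prompt. The repair only touches entries the audit flagged and adds explicit Allow rules for Administrators and SYSTEM, so any inherited entries from `C:\Certbot\log` are left alone.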
adferrand authored and bmw committed Nov 13, 2019
1 parent 75acdeb commit 595b1b2
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions windows-installer/renew-up.ps1
Expand Up @@ -8,8 +8,10 @@ $action = New-ScheduledTaskAction -Execute 'Powershell.exe' -Argument '-NoProfil
$delay = New-TimeSpan -Hours 12
$triggerAM = New-ScheduledTaskTrigger -Daily -At 12am -RandomDelay $delay
$triggerPM = New-ScheduledTaskTrigger -Daily -At 12pm -RandomDelay $delay
# NB: For now scheduled task is set up under SYSTEM account because Certbot Installer installs Certbot for all users.
# NB: For now scheduled task is set up under Administrators group account because Certbot Installer installs Certbot for all users.
# If in the future we allow the Installer to install Certbot for one specific user, the scheduled task will need to
# switch to this user, since Certbot will be available only for him.
$principal = New-ScheduledTaskPrincipal -UserId SYSTEM -LogonType ServiceAccount -RunLevel Highest
$adminsSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
$adminsGroupID = $adminsSID.Translate([System.Security.Principal.NTAccount]).Value
$principal = New-ScheduledTaskPrincipal -GroupId $adminsGroupID -RunLevel Highest
Register-ScheduledTask -Action $action -Trigger $triggerAM,$triggerPM -TaskName $taskName -Description "Execute twice a day the 'certbot renew' command, to renew managed certificates if needed." -Principal $principal
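Review bot: `$principal = New-ScheduledTaskPrincipal -GroupId $adminsGroupID -RunLevel Highest` (the last added line of the hunk) registers the task with a group logon type and no `-LogonType`, and Task Scheduler only runs a group principal inside the session of a group member who is currently logged on, so on an unattended server the twice-daily renewal will never fire, whereas the removed `-UserId SYSTEM -LogonType ServiceAccount` principal ran regardless of logon state. Since the commit message says this only sidesteps the `RotatingFileHandler` permissions problem, consider keeping a non-interactive principal (for example `-LogonType ServiceAccount` as `SYSTEM`, or `-LogonType S4U` for a dedicated account) and fixing the log file ACL instead, or at least stating the logged-on requirement in the comment on the `# NB:` line, which now only says "Administrators group account". Resolving `S-1-5-32-544` through `SecurityIdentifier.Translate` rather than hard-coding the English group name is the right call for localized Windows installs.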

0 comments on commit 595b1b2