Run fails on prompt during certonly if certs are not yet due for renewal #81

Closed
@kwisatz

Description

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 3.8.7
  • Ruby: 2.1.5
  • Distribution: Debian 8.7
  • Module version: 1.0.0

How to reproduce (e.g. Puppet code you use)

We changed the certonly plugin from standalone to webroot and the module seems to be trying to regenerate the certs during the puppet run.

However, since the certificates already exist, letsencrypt-auto is prompting for user input, upon which the puppet run fails.

Running the script manually and selecting option 1 (keep existing certificates) did not improve the situation. How does the puppet module know whether to generate certificates or only run the renew cron job but not the certonly script?

What are you seeing

[…]
Notice: /Stage[main]/Profile::Letsencrypt/Letsencrypt::Certonly[my.domain.tld]/Exec[letsencrypt certonly my.domain.tld]/returns: 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Notice: /Stage[main]/Profile::Letsencrypt/Letsencrypt::Certonly[my.domain.tld]/Exec[letsencrypt certonly my.domain.tld]/returns: Creating virtual environment...
Notice: /Stage[main]/Profile::Letsencrypt/Letsencrypt::Certonly[my.domain.tld]/Exec[letsencrypt certonly my.domain.tld]/returns: Updating letsencrypt and virtual environment dependencies.......
Notice: /Stage[main]/Profile::Letsencrypt/Letsencrypt::Certonly[my.domain.tld]/Exec[letsencrypt certonly my.domain.tld]/returns: Running with virtualenv: ~/.local/share/letsencrypt/bin/letsencrypt --agree-tos certonly -a webroot --webroot-path /var/tmp/letsencrypt -d domain.tld --webroot-path /var/tmp/letsencrypt -d my.domain.tld --webroot-path /var/tmp/letsencrypt -d cms.domain.tld --webroot-path /var/tmp/letsencrypt -d www.domain.tld
Notice: /Stage[main]/Profile::Letsencrypt/Letsencrypt::Certonly[my.domain.tld]/Exec[letsencrypt certonly my.domain.tld]/returns: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Notice: /Stage[main]/Profile::Letsencrypt/Letsencrypt::Certonly[my.domain.tld]/Exec[letsencrypt certonly my.domain.tld]/returns: You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
Notice: /Stage[main]/Profile::Letsencrypt/Letsencrypt::Certonly[my.domain.tld]/Exec[letsencrypt certonly my.domain.tld]/returns: Cert not yet due for renewal
Notice: /Stage[main]/Profile::Letsencrypt/Letsencrypt::Certonly[my.domain.tld]/Exec[letsencrypt certonly my.domain.tld]/returns: 
Notice: /Stage[main]/Profile::Letsencrypt/Letsencrypt::Certonly[my.domain.tld]/Exec[letsencrypt certonly my.domain.tld]/returns: You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
Notice: /Stage[main]/Profile::Letsencrypt/Letsencrypt::Certonly[my.domain.tld]/Exec[letsencrypt certonly my.domain.tld]/returns: (ref: /etc/letsencrypt/renewal/my.domain.tld-0002.conf)
Notice: /Stage[main]/Profile::Letsencrypt/Letsencrypt::Certonly[my.domain.tld]/Exec[letsencrypt certonly my.domain.tld]/returns: 
Notice: /Stage[main]/Profile::Letsencrypt/Letsencrypt::Certonly[my.domain.tld]/Exec[letsencrypt certonly my.domain.tld]/returns: What would you like to do?
Notice: /Stage[main]/Profile::Letsencrypt/Letsencrypt::Certonly[my.domain.tld]/Exec[letsencrypt certonly my.domain.tld]/returns: -------------------------------------------------------------------------------
Notice: /Stage[main]/Profile::Letsencrypt/Letsencrypt::Certonly[my.domain.tld]/Exec[letsencrypt certonly my.domain.tld]/returns: 1: Keep the existing certificate for now
Notice: /Stage[main]/Profile::Letsencrypt/Letsencrypt::Certonly[my.domain.tld]/Exec[letsencrypt certonly my.domain.tld]/returns: 2: Renew & replace the cert (limit ~5 per 7 days)
Notice: /Stage[main]/Profile::Letsencrypt/Letsencrypt::Certonly[my.domain.tld]/Exec[letsencrypt certonly my.domain.tld]/returns: -------------------------------------------------------------------------------
Notice: /Stage[main]/Profile::Letsencrypt/Letsencrypt::Certonly[my.domain.tld]/Exec[letsencrypt certonly my.domain.tld]/returns: Select the appropriate number [1-2] then [enter] (press 'c' to cancel): An unexpected error occurred:
Notice: /Stage[main]/Profile::Letsencrypt/Letsencrypt::Certonly[my.domain.tld]/Exec[letsencrypt certonly my.domain.tld]/returns: EOFError: EOF when reading a line
Notice: /Stage[main]/Profile::Letsencrypt/Letsencrypt::Certonly[my.domain.tld]/Exec[letsencrypt certonly my.domain.tld]/returns: Please see the logfiles in /var/log/letsencrypt for more details.
Error: /opt/letsencrypt/letsencrypt-auto --agree-tos certonly -a webroot --webroot-path /var/tmp/letsencrypt -d domain.tld --webroot-path /var/tmp/letsencrypt -d my.domain.tld --webroot-path /var/tmp/letsencrypt -d cms.domain.tld --webroot-path /var/tmp/letsencrypt -d www.domain.tld returned 1 instead of one of [0]
Error: /Stage[main]/Profile::Letsencrypt/Letsencrypt::Certonly[my.domain.tld]/Exec[letsencrypt certonly my.domain.tld]/returns: change from notrun to 0 failed: /opt/letsencrypt/letsencrypt-auto --agree-tos certonly -a webroot --webroot-path /var/tmp/letsencrypt -d domain.tld --webroot-path /var/tmp/letsencrypt -d my.domain.tld --webroot-path /var/tmp/letsencrypt -d cms.domain.tld --webroot-path /var/tmp/letsencrypt -d www.domain.tld returned 1 instead of one of [0]
Notice: /Stage[main]/Profile::Letsencrypt/Module::Letsencrypt::Dhparam[my.domain.tld]/Dhparam[/etc/letsencrypt/live/domain.tld/dhparam.pem]: Dependency Exec[letsencrypt certonly my.domain.tld] has failures: true
Warning: /Stage[main]/Profile::Letsencrypt/Module::Letsencrypt::Dhparam[my.domain.tld]/Dhparam[/etc/letsencrypt/live/domain.tld/dhparam.pem]: Skipping because of failed dependencies

What behaviour did you expect instead

letsencrypt-auto certonly should not be run or should interact with the prompt.

Output log

See above
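The failure in the report is an `exec` that is not idempotent: Puppet re-runs `letsencrypt-auto certonly` on every agent run, and once a certificate lineage exists the client stops to ask "keep or renew", reads EOF on stdin and exits 1. The following manifest is an added example, not code from the puppet-letsencrypt module or from the reporter, showing the two guards a Puppet operator would normally put on such a resource: a `creates` check so the command does not run once the lineage exists, and the client's own `--non-interactive` and `--keep-until-expiring` flags so that, if it does run, it cannot block on a prompt. The domain, webroot path and script location are taken from the report's log; the `fullchain.pem` location and the resource title are assumptions for the illustration.

```puppet
# Added example (not the module's own code): a guarded exec resource for
# issuing a certificate from an unattended Puppet run.
$domain   = 'my.domain.tld'                     # from the report
$webroot  = '/var/tmp/letsencrypt'              # from the report
$le_auto  = '/opt/letsencrypt/letsencrypt-auto' # from the report
# Default certbot lineage directory for a single-domain request (assumption).
$live_dir = "/etc/letsencrypt/live/${domain}"

exec { "letsencrypt certonly ${domain}":
  # --non-interactive: fail with a clear error instead of waiting for stdin.
  # --keep-until-expiring: if a matching cert exists and is not near expiry,
  #   keep it and exit 0 rather than asking "keep or renew".
  command => "${le_auto} --agree-tos --non-interactive --keep-until-expiring certonly -a webroot --webroot-path ${webroot} -d ${domain}",
  # Idempotency guard: once the lineage exists Puppet skips the command
  # entirely; renewal is left to the separate 'renew' cron job.
  creates => "${live_dir}/fullchain.pem",
  path    => ['/usr/bin', '/bin'],
  timeout => 600,
}
```

With `creates` in place the client is invoked only on first issuance, so an operator switching plugins (standalone to webroot, as in the report) does not trigger a re-issue on every run; the two flags are a second line of defence for the case where the guard path does not match the lineage name the client actually chose.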
