1.5 rolling replaces symbolic links with files in certbot directory

Before the upgrade from 1.5-rolling-202501270007 to 1.5-rolling-202501230006 (it also happened in earlier builds):

vyos@PROXIS-SVTELE:~$ sudo ls -als /config/auth/letsencrypt/live/fruity
total 12
4 drwxr-sr-x 2 root vyattacfg 4096 Jan 29 16:44 .
4 drwx--S--- 3 root vyattacfg 4096 Aug  7 13:31 ..
0 lrwxrwxrwx 1 root vyattacfg   49 Jan 29 16:42 cert.pem -> /config/auth/letsencrypt/archive/fruity/cert3.pem
0 lrwxrwxrwx 1 root vyattacfg   50 Jan 29 16:43 chain.pem -> /config/auth/letsencrypt/archive/fruity/chain3.pem
0 lrwxrwxrwx 1 root vyattacfg   54 Jan 29 16:44 fullchain.pem -> /config/auth/letsencrypt/archive/fruity/fullchain3.pem
0 lrwxrwxrwx 1 root vyattacfg   52 Jan 29 16:44 privkey.pem -> /config/auth/letsencrypt/archive/fruity/privkey3.pem
4 -rw-r--r-- 1 root vyattacfg  692 Jan 27 17:21 README
vyos@PROXIS-SVTELE:~$ sudo reboot

After the update the directory looks like:

vyos@PROXIS-SVTELE:~$ sudo ls -als /config/auth/letsencrypt/live/fruity
total 28
4 drwxr-sr-x 2 root vyattacfg 4096 Jan 29 16:44 .
4 drwx--S--- 3 root vyattacfg 4096 Aug  7 13:31 ..
4 -rw-r--r-- 1 root vyattacfg 1773 Jan 30 09:25 cert.pem
4 -rw-r--r-- 1 root vyattacfg 1801 Jan 30 09:25 chain.pem
4 -rw-r--r-- 1 root vyattacfg 3574 Jan 30 09:25 fullchain.pem
4 -rw------- 1 root vyattacfg 1704 Jan 30 09:25 privkey.pem
4 -rw-r--r-- 1 root vyattacfg  692 Jan 30 09:25 README
vyos@PROXIS-SVTELE:~$

After the update, certbot renew reported an error like:

Jan 30 09:41:20 PROXIS-SVTELE certbot[5006]: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Jan 30 09:41:20 PROXIS-SVTELE certbot[5006]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Jan 30 09:41:20 PROXIS-SVTELE certbot[5006]: Processing /config/auth/letsencrypt/renewal/fruity.conf
Jan 30 09:41:20 PROXIS-SVTELE certbot[5006]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Jan 30 09:41:20 PROXIS-SVTELE certbot[5006]: Renewal configuration file /config/auth/letsencrypt/renewal/fruity.conf is broken.
Jan 30 09:41:20 PROXIS-SVTELE certbot[5006]: The error was: expected /config/auth/letsencrypt/live/fruity/cert.pem to be a symlink
Jan 30 09:41:20 PROXIS-SVTELE certbot[5006]: Skipping.
Jan 30 09:41:20 PROXIS-SVTELE certbot[5006]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Jan 30 09:41:20 PROXIS-SVTELE certbot[5006]: No renewals were attempted.
Jan 30 09:41:20 PROXIS-SVTELE certbot[5006]: No hooks were run.
Jan 30 09:41:20 PROXIS-SVTELE certbot[5006]: Additionally, the following renewal configurations were invalid:
Jan 30 09:41:20 PROXIS-SVTELE certbot[5006]:   /config/auth/letsencrypt/renewal/fruity.conf (parsefail)
Jan 30 09:41:20 PROXIS-SVTELE certbot[5006]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Jan 30 09:41:20 PROXIS-SVTELE certbot[5006]: 0 renew failure(s), 1 parse failure(s)
Jan 30 09:41:20 PROXIS-SVTELE certbot[5006]: Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for >
Jan 30 09:41:21 PROXIS-SVTELE systemd[1]: certbot.service: Main process exited, code=exited, status=1/FAILURE

I fail to locate the install script on GitHub, but I would expect it's the syntax of the cp that takes care of copying the old config dir to the new one that needs to treat symlinks as symlinks and not as the target they are pointing to.

Indeed…
It is quite easy to fix, but someone needs to create a bug report :slight_smile:

It is also possible to fix it manually as a post-install task:

sudo rm -f  /config/auth/letsencrypt/live/fruity/*.pem
sudo ln -sf /config/auth/letsencrypt/archive/fruity/cert3.pem /config/auth/letsencrypt/live/fruity/cert.pem
sudo ln -sf /config/auth/letsencrypt/archive/fruity/chain3.pem /config/auth/letsencrypt/live/fruity/chain.pem
sudo ln -sf /config/auth/letsencrypt/archive/fruity/privkey3.pem /config/auth/letsencrypt/live/fruity/privkey.pem
sudo ln -sf /config/auth/letsencrypt/archive/fruity/fullchain3.pem /config/auth/letsencrypt/live/fruity/fullchain.pem

I created this task over at vyos.dev:


And for future reference.

It seems (just a guess) that these functions in https://github.com/vyos/vyos-1x/blob/current/src/op_mode/image_installer.py need to be updated to take care of this issue:

def copy_preserve_owner(src: str, dst: str, *, follow_symlinks=True):

def copy_previous_installation_data(target_dir: str) -> None:

def copy_previous_encrypted_config(target_dir: str, image_name: str) -> None:
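To make the failure mode concrete, here is an added Python example (not VyOS code and not the contents of image_installer.py) that builds a throwaway certbot-style tree, shows how a copy that follows symlinks turns live/*.pem into regular files, how a copy that preserves symlinks keeps them intact, and how the relinking done by hand with ln -sf above can be automated by pointing each live file at the highest-numbered archive file. The helper names copy_preserve_symlinks, check_live_dir, restore_symlinks and demo are hypothetical, and the directory layout is constructed in a temp dir; the assumption that the real fix is to copy with follow_symlinks=False is mine, taken from the signature of copy_preserve_owner quoted above.

```python
from __future__ import annotations

import re
import shutil
import tempfile
from pathlib import Path

# certbot stores each renewal as archive/<name>/<base>N.pem and points
# live/<name>/<base>.pem at the latest N; certbot renew refuses to run
# if those live entries are not symlinks (see the log above).
ARCHIVE_RE = re.compile(r"^(?P<base>cert|chain|fullchain|privkey)(?P<n>\d+)\.pem$")


def copy_preserve_symlinks(src: str, dst: str) -> None:
    """Hypothetical symlink-preserving copy: links are recreated as links,
    which is what the config migration would need instead of following them."""
    shutil.copytree(src, dst, symlinks=True, dirs_exist_ok=True)


def check_live_dir(live: Path) -> list:
    """Return the *.pem names in a certbot live dir that are NOT symlinks.
    An empty list means the layout certbot expects is intact."""
    return sorted(p.name for p in live.glob("*.pem") if not p.is_symlink())


def restore_symlinks(live: Path, archive: Path) -> dict:
    """Relink live/<base>.pem to the highest-numbered archive/<base>N.pem.
    Mirrors the manual ln -sf steps, but picks N automatically."""
    latest = {}
    for p in archive.iterdir():
        m = ARCHIVE_RE.match(p.name)
        if m:
            base, n = m.group("base"), int(m.group("n"))
            if base not in latest or n > latest[base][0]:
                latest[base] = (n, p)
    result = {}
    for base, (_, target) in latest.items():
        link = live / f"{base}.pem"
        if link.is_symlink() or link.exists():
            link.unlink()          # drop the regular-file copy
        link.symlink_to(target)
        result[f"{base}.pem"] = str(target)
    return result


def demo() -> dict:
    """Construct a certbot-style tree (constructed data, not real keys) and
    exercise both copy behaviours plus the repair."""
    root = Path(tempfile.mkdtemp())
    src = root / "src" / "letsencrypt"
    archive = src / "archive" / "fruity"
    live = src / "live" / "fruity"
    archive.mkdir(parents=True)
    live.mkdir(parents=True)
    for base in ("cert", "chain", "fullchain", "privkey"):
        for n in (2, 3):
            (archive / f"{base}{n}.pem").write_text(f"constructed {base}{n}\n")
        (live / f"{base}.pem").symlink_to(archive / f"{base}3.pem")
    (live / "README").write_text("constructed\n")

    # 1. Copy that follows symlinks: live/ ends up with regular files,
    #    which is the broken state shown in the second ls listing.
    bad = root / "bad" / "letsencrypt"
    shutil.copytree(src, bad, symlinks=False)
    broken = check_live_dir(bad / "live" / "fruity")

    # 2. Symlink-preserving copy keeps the links certbot needs.
    good = root / "good" / "letsencrypt"
    copy_preserve_symlinks(str(src), str(good))
    still_ok = check_live_dir(good / "live" / "fruity")

    # 3. Repair the broken copy by relinking to the latest archive files.
    restored = restore_symlinks(bad / "live" / "fruity", bad / "archive" / "fruity")
    after_repair = check_live_dir(bad / "live" / "fruity")

    shutil.rmtree(root)
    return {
        "broken": broken,
        "still_ok": still_ok,
        "restored": restored,
        "after_repair": after_repair,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running check_live_dir against /config/auth/letsencrypt/live/<name> after an image upgrade is a cheap way to catch this before the next renewal silently fails and the certificate expires; restore_symlinks is the scripted form of the four ln -sf commands, with the archive number chosen from whatever is actually present.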