Some certbot issue

Hello dear sirs,

I’m using VyOS 1.5-rolling-202501110007 as a Remote Access VPN server (OpenConnect) with an HTTPS certificate from Let’s Encrypt. Everything works like a charm, and I can see in the logs that the certificate is renewed by the systemd certbot.timer.

$ show pki certificate 
Certificates:
Name              Type    Subject CN        Issuer CN    Issued               Expiry               Revoked    Private Key    CA Present
----------------  ------  ----------------  -----------  -------------------  -------------------  ---------  -------------  --------------------------------
LE-vpn.xxxxxx.xx  Server  CN=vpn.xxxxxx.xx  CN=R10       2025-03-15 16:02:17  2025-06-13 16:02:16  No         Yes            Yes (AUTOCHAIN_LE-vpn.xxxxxx.xx)

But I see an error in the logs:

Mar 15 20:00:49 vpn certbot[3832988]: Hook 'post-hook' reported error code 2
Mar 15 20:00:49 vpn certbot[3832988]: Hook 'post-hook' ran with error output:
Mar 15 20:00:49 vpn certbot[3832988]:  /opt/vyatta/share/vyatta-cfg/functions/interpreter/vyatta-cfg-run: line 162: `vyatta_config_commit-confirm': not a valid identifier

And OpenConnect actually uses the old certificate, not the renewed one (and I see the old cert in the browser when connecting to the host over HTTPS):

$ openssl x509 -in /run/ocserv/cert.pem -noout -dates | grep After
notAfter=Apr 14 12:33:45 2025 GMT

I think the problem will go away after another config commit, so that’s why I report it here now. What other diagnostics should I do and attach here?

Thanks for your business and such a great product, as always :slight_smile:

Regards,
Konstantin

Thanks for reporting. Tracked via T7249: certbot: When using ACME certificates, consuming daemons are not reloaded on update

Thanks for your prompt response, looking forward to the fix :slight_smile:

And one more thing: as I understand it, an ocserv restart is needed after cert renewal, but it’s not a great idea to restart it automatically in a production environment. What about a notification? A dynamic MOTD message, maybe?

Regards,
Konstantin

@zarianu that is an excellent question.

If the cert is expired, no new users can connect. If you restart the daemon, new users can connect but old ones get disconnected, so there are two contradicting use cases. As the cert renewal implementation will keep the fundamental logic “as is”, like when a regular 3rd-party certificate is replaced, I am currently not spending too much thought on it.

Getting the ACME stuff in automatically is a challenge on its own :wink:

Let’s work on one thing at a time.

@c-po the cert is renewed 30 days before the expiration of the old one, so there’s plenty of time to plan a short service interruption.

But you’re right - one thing at a time :wink:

Fixed in “pki: T7249: fix shebang to support CLI backend” (vyos/vyos-1x Pull Request #4405, by c-po).

It will renew the OpenConnect cert but not restart the daemon.

@c-po thanks for prompt fix!

Will upgrade VyOS closer to the cert renewal (I have already installed the renewed cert manually this time).
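A stale-certificate check for the situation in this thread, added here as an example; it is not code from the thread, from VyOS or from certbot. It compares the certificate a daemon has actually loaded (the thread's /run/ocserv/cert.pem) with the renewed certificate on disk by SHA-256 fingerprint, prints both expiry dates, and warns when the deployed certificate is within a week of expiring. The path of certbot's renewed fullchain under /config/auth/letsencrypt/live/<name>/ and the 7-day warning threshold are assumptions, not taken from the thread; the live TLS cross-check takes whatever host and port the operator passes in.

```shell
#!/bin/sh
# Added example (not VyOS, certbot or ocserv code): find out whether a running
# daemon still serves a certificate that differs from the one certbot renewed.
# Needs the openssl CLI. Paths are taken from the thread or assumed:
#   deployed cert that ocserv loaded:      /run/ocserv/cert.pem        (from the thread)
#   renewed cert written by certbot:       /config/auth/letsencrypt/live/<name>/fullchain.pem  (assumption)

# SHA-256 fingerprint of the first certificate in a PEM file (sed strips the
# "SHA256 Fingerprint=" prefix, which differs in case between OpenSSL versions).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Expiry of the first certificate in a PEM file, as printed by openssl.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Returns 0 if the certificate in $1 expires within $2 seconds (or already has).
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Returns 0 if DEPLOYED ($1) and RENEWED ($2) are the same certificate,
# 1 if the daemon is still serving a stale one and needs a reload/restart.
cert_is_current() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Fingerprint of the certificate a live TLS endpoint actually presents
# (host $1, port $2). This is what clients see; /run/ocserv/cert.pem can be
# rewritten on disk without the daemon ever reloading it. Needs network.
live_fingerprint() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Human-readable report: deployed ($1) versus renewed ($2) certificate.
report() {
    echo "deployed: $(cert_fingerprint "$1") notAfter=$(cert_not_after "$1")"
    echo "renewed:  $(cert_fingerprint "$2") notAfter=$(cert_not_after "$2")"
    if cert_is_current "$1" "$2"; then
        echo "OK: daemon serves the renewed certificate"
    else
        echo "STALE: daemon still serves the old certificate; reload/restart it"
        # 7-day threshold is an assumption; certbot renews ~30 days before expiry.
        if cert_expires_within "$1" $((7 * 86400)); then
            echo "WARNING: deployed certificate expires within 7 days"
        fi
    fi
}

# Usage: sh check-cert.sh /run/ocserv/cert.pem /config/auth/letsencrypt/live/<name>/fullchain.pem
if [ "$#" -eq 2 ]; then
    report "$1" "$2"
fi
```

After the fix in PR #4405 the certificate is renewed but ocserv is not restarted, so a check like this, run by hand or from cron ahead of the planned restart, tells the operator whether the reload is still outstanding; comparing `live_fingerprint vpn.example.test 443` against `cert_fingerprint` of the renewed file is the only way to be certain of what connecting clients are actually shown.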