
Bug 1839904

Summary: apachectl graceful interfering with verifying next cert to be signed
Product: [Fedora] Fedora EPEL
Component: acme-tiny
Version: epel7
Status: CLOSED ERRATA
Severity: low
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Stuart D Gathman <stuart>
Assignee: Stuart D Gathman <stuart>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: stuart
Fixed In Version: acme-tiny-4.1.0-7.fc34 acme-tiny-4.1.0-7.fc33 acme-tiny-4.1.0-7.el7
Last Closed: 2021-06-28 01:31:11 UTC
Type: Bug
Attachments: Proof of concept for compatible daemon kicker when acme-tiny updates certs (flags: none)

Description Stuart D Gathman 2020-05-25 23:22:51 UTC
Description of problem:
Cert fails to be signed because httpd does not respond to request to verify control of domain

Version-Release number of selected component (if applicable):
acme-tiny-4.1.0-1.el7.noarch

How reproducible:
Random, needs 3 or more certs to be signed in a day to be likely

Steps to Reproduce:
1. enable acme-tiny timer
2. have 3 or more certs to be signed the same day
3.

Actual results:
First few certs are signed, then one fails because httpd does not respond

Expected results:
All certs in expiration window are signed.

Additional info:
As certs are signed, incrond runs /etc/acme-tiny/notify.sh which does "apachectl graceful" for certs just signed.  This seems to sometimes interfere briefly with new requests.

Comment 1 Stuart D Gathman 2020-05-25 23:49:16 UTC
The jilted certs will get signed the next day, and thus, the problem will correct itself.

Comment 2 Stuart D Gathman 2021-05-27 20:59:13 UTC
In addition, kicking apache/dovecot/sendmail does not happen out of the box.  User has to read the README for fedora and install incrond.  I think with systemd, I can have another one-shot service run after acme-tiny.  This will avoid needing to install anything additional.  Comparing dates on certs will only happen once a day, so not a performance problem.  It will avoid kicking the daemons until after all the certs are signed.
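
The approach described in Comment 2 (compare cert dates once after the signing run, then kick the daemons a single time), as an added example; it is not the attachment from this bug or acme-tiny's packaged script. The certificate directory, the `*.crt` naming and the stamp file are assumptions.

```shell
#!/bin/sh
# Added example: reload daemons once per signing run instead of once per cert.
# The cert directory layout, *.crt suffix and stamp file are assumptions.

# changed_certs DIR STAMP
# Print every cert in DIR modified after STAMP (all of them if STAMP is missing).
changed_certs() {
    for f in "$1"/*.crt; do
        [ -f "$f" ] || continue          # unmatched glob or not a regular file
        if [ ! -e "$2" ] || [ "$f" -nt "$2" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# kick_once DIR STAMP RELOAD_CMD [ARGS...]
# Returns 0 if a reload ran, 1 if no cert changed, 2 on failure.
kick_once() {
    dir=$1 stamp=$2
    shift 2
    # Record the scan start first: a cert written while we scan will be
    # newer than the new stamp and is picked up by the next run.
    touch "$stamp.new" || return 2
    changed=$(changed_certs "$dir" "$stamp")
    if [ -n "$changed" ]; then
        # One reload for the whole batch, after every cert is in place,
        # so no ACME challenge request is in flight while httpd restarts.
        if ! "$@"; then
            rm -f "$stamp.new"           # keep the old stamp so we retry
            return 2
        fi
    fi
    mv -f "$stamp.new" "$stamp" || return 2
    [ -n "$changed" ]
}

# Typical call from a job ordered after the signing run (paths hypothetical):
#   kick_once /path/to/certs /path/to/stamp apachectl graceful
```

Because the stamp only advances after a successful reload, a failed `apachectl graceful` is retried on the next run rather than silently skipped.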

Comment 3 Stuart D Gathman 2021-05-27 21:01:58 UTC
Created attachment 1787693
Proof of concept for compatible daemon kicker when acme-tiny updates certs

Comment 4 Stuart D Gathman 2021-05-28 04:38:36 UTC
Pushed a new version to rawhide.  Accidentally also pushed to f33, so pushed to f34 as well and will accelerate testing.  I will roll out on some lightly used production servers.

Comment 5 Fedora Update System 2021-06-19 23:02:23 UTC
FEDORA-EPEL-2021-551ec36d33 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-551ec36d33

Comment 6 Fedora Update System 2021-06-19 23:19:09 UTC
FEDORA-2021-be8fcce052 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-be8fcce052

Comment 7 Fedora Update System 2021-06-19 23:19:10 UTC
FEDORA-2021-cb636961f0 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-cb636961f0

Comment 8 Fedora Update System 2021-06-20 01:25:24 UTC
FEDORA-2021-be8fcce052 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-be8fcce052`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-be8fcce052

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2021-06-20 01:25:25 UTC
FEDORA-EPEL-2021-551ec36d33 has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-551ec36d33

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2021-06-20 01:57:32 UTC
FEDORA-2021-cb636961f0 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-cb636961f0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-cb636961f0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2021-06-28 01:31:11 UTC
FEDORA-2021-be8fcce052 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 12 Fedora Update System 2021-06-28 01:43:23 UTC
FEDORA-2021-cb636961f0 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 13 Fedora Update System 2021-07-05 01:20:43 UTC
FEDORA-EPEL-2021-551ec36d33 has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.