[Bug 1366355] Review Request: acme-tiny - Tiny auditable ACME script for Let's Encrypt
https://bugzilla.redhat.com/show_bug.cgi?id=1366355

--- Comment #35 from Fedora Update System ---
acme-tiny-0.1-10.20160810git5a7b4e7.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list -- package-review@lists.fedoraproject.org
To unsubscribe send an email to package-review-le...@lists.fedoraproject.org

--- Comment #34 from Fedora Update System ---
acme-tiny-0.1-10.20160810git5a7b4e7.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

--- Comment #33 from Fedora Update System ---
acme-tiny-0.1-10.20160810git5a7b4e7.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

--- Comment #32 from Fedora Update System ---
acme-tiny-0.1-10.20160810git5a7b4e7.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Fedora Update System changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ON_QA                       |CLOSED
         Resolution|---                         |ERRATA
        Last Closed|                            |2016-10-16 14:52:16

--- Comment #31 from Fedora Update System ---
acme-tiny-0.1-10.20160810git5a7b4e7.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

--- Comment #30 from Stuart D Gathman ---
The README advises using semanage to label /var/lib/acme/certs as cert_t so that dovecot and others can use the certs directly. But the package should provide for this. Possible solutions:

a) run semanage fcontext during (pre-)installation.
b) ask selinux policy to label /var/lib/acme as cert_t
c) Have package install a /etc/pki/acme directory owned by acme, which will then be cert_t.
   o) Moving /var/lib/acme to /etc/pki/acme is not optimal for two reasons:
      1) a pain for existing users (including me!)
      2) makes acme-tiny unusable by systems that keep /etc readonly during normal operation.
   o) The cron script could update certs in *both* /etc/pki/acme and /var/lib/acme
d) Investigate using the /var/lib/letsencrypt directory used by certbot.
   o) Don't want both systems trying to renew the same certs.

--- Comment #29 from Fedora Update System ---
acme-tiny-0.1-10.20160810git5a7b4e7.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-cb6cac6026

--- Comment #28 from Fedora Update System ---
acme-tiny-0.1-10.20160810git5a7b4e7.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-1868cc9f1b

--- Comment #27 from Fedora Update System ---
acme-tiny-0.1-10.20160810git5a7b4e7.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-35ee682c26

--- Comment #26 from Fedora Update System ---
acme-tiny-0.1-10.20160810git5a7b4e7.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-f5a987216a

Fedora Update System changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|POST                        |ON_QA

--- Comment #25 from Fedora Update System ---
acme-tiny-0.1-10.20160810git5a7b4e7.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b72c96ecee

--- Comment #24 from Jon Ciesla ---
Package request has been approved: https://admin.fedoraproject.org/pkgdb/package/rpms/acme-tiny

--- Comment #23 from Stuart D Gathman ---
Oh my. I didn't see that the package was approved! I'll address those nits and get it out there.

--- Comment #22 from Zbigniew Jędrzejewski-Szmek ---
Ping?

Zbigniew Jędrzejewski-Szmek changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |POST
              Flags|fedora-review?              |fedora-review+

--- Comment #21 from Zbigniew Jędrzejewski-Szmek ---
New packages cannot be added for Fedora 22, so the check '%if 0%{?fedora} > 22' can be simplified to '%if 0%{?fedora}'.

+ package name is OK
+ license is acceptable (MIT)
+ license is specified correctly
+ latest version
+ provides/requires/buildrequires are specified correctly
+ package builds and installs OK
+ rpmlint is OK (see below)
+ scriptlets look sane

rpmlint:

acme-tiny.noarch: W: spelling-error Summary(en_US) Auditable -> Audi table, Audi-table, Audit able
acme-tiny.noarch: W: spelling-error %description -l en_US auditable -> audit able, audit-able, editable
"auditable" is a neologism, but OK.

acme-tiny.noarch: W: incoherent-version-in-changelog 0.1-9 ['0.1-9.git5a7b4e7.fc24', '0.1-9.git5a7b4e7']
Please make sure this is OK when the package is built.

acme-tiny.noarch: W: non-standard-uid /var/lib/acme/private acme
acme-tiny.noarch: W: non-standard-gid /var/lib/acme/private acme
acme-tiny.noarch: E: non-standard-dir-perm /var/lib/acme/private 700
acme-tiny.noarch: W: non-standard-uid /var/www/challenges acme
acme-tiny.noarch: W: non-standard-gid /var/www/challenges acme
acme-tiny.noarch: W: non-standard-uid /var/lib/acme/lets-encrypt-x3-cross-signed.pem acme
acme-tiny.noarch: W: non-standard-gid /var/lib/acme/lets-encrypt-x3-cross-signed.pem acme
acme-tiny.noarch: W: pem-certificate /var/lib/acme/lets-encrypt-x3-cross-signed.pem
acme-tiny.noarch: W: non-standard-uid /var/lib/acme/csr acme
acme-tiny.noarch: W: non-standard-gid /var/lib/acme/csr acme
acme-tiny.noarch: W: non-standard-uid /var/lib/acme acme
acme-tiny.noarch: W: non-standard-gid /var/lib/acme acme
acme-tiny.noarch: W: non-standard-uid /var/lib/acme/certs acme
acme-tiny.noarch: W: non-standard-gid /var/lib/acme/certs acme
Those are OK.

acme-tiny.noarch: W: no-manual-page-for-binary acme_tiny
acme-tiny.noarch: W: no-manual-page-for-binary acme-tiny-sign
acme-tiny.noarch: W: no-manual-page-for-binary acme-tiny
acme-tiny.noarch: W: no-manual-page-for-binary cert-check
Not needed, docs are provided in READMEs.

1 packages and 0 specfiles checked; 1 errors, 20 warnings.

Package is APPROVED.

--- Comment #20 from Zbigniew Jędrzejewski-Szmek ---
Sorry for the delay. I'll be offline a few days, but I should get back to this next week.

--- Comment #19 from Stuart D Gathman ---
One generic solution to programs like sendmail is to drop an incrontab in /etc/incron.d/acme that copies any updated files in /var/lib/acme/certs to /etc/pki/tls/acme-certs. Then apps can all get their certs from /etc/pki/tls. Is that acceptable without a dependency? incron is insecure by default - you have to echo root >/etc/incron.allow

--- Comment #18 from Stuart D Gathman ---
Testing with sendmail reveals a minor problem:

Aug 23 16:19:41 mail sendmail[6198]: STARTTLS=server: file /var/lib/acme/certs/mail.crt unsafe: Permission denied

sendmail doesn't like the cert being writable by other. This seems overly paranoid - the key is a separate config and is secure. I'm not thinking of a simple way for acme-tiny to facilitate sendmail - the simplest seems to be a root cron script that copies the mail crt when it changes.
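The "root cron script that copies the cert when it changes" idea from comments #18 and #19, written out as an added example; this is not code from the acme-tiny package. It assumes the package's /var/lib/acme/certs source directory, uses /etc/pki/tls/acme-certs as the destination (the name proposed in comment #19, not something the package ships), and is meant to run as root from cron or a timer. The file is copied only when its content differs, written to a temporary name and renamed into place with mode 0644, so a daemon never sees a half-written or group/other-writable file. unsafe_reasons() is a simplified stand-in for the kind of ownership/permission check sendmail's "unsafe" message comes from, not sendmail's actual logic.

```python
#!/usr/bin/python3
"""Publish renewed certificates to a root-owned, non-writable location.

Added example, not part of the acme-tiny package. Copies certs/*.crt from
the acme user's directory to a root-owned directory, only when the content
changed, installing each copy atomically as mode 0644.
"""
import filecmp
import glob
import os
import shutil
import stat
import sys

SRC_DIR = "/var/lib/acme/certs"            # the package's cert directory
DST_DIR = "/etc/pki/tls/acme-certs"        # assumed destination (comment #19)


def unsafe_reasons(path):
    """Simplified version of the checks a paranoid daemon applies before
    trusting a certificate file: regular file, not group- or world-writable.
    Returns the list of violated conditions (empty means acceptable)."""
    st = os.stat(path)
    reasons = []
    if not stat.S_ISREG(st.st_mode):
        reasons.append("not a regular file")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def publish_cert(src, dst, mode=0o644):
    """Copy src to dst if the content differs. Returns True when dst was
    (re)written. The temporary file is owned by the caller (root when run
    from cron), chmod'ed, and then renamed over dst, so readers only ever
    see a complete file with the final permissions."""
    if os.path.exists(dst) and filecmp.cmp(src, dst, shallow=False):
        return False
    tmp = dst + ".tmp"
    shutil.copyfile(src, tmp)
    os.chmod(tmp, mode)
    os.replace(tmp, dst)
    return True


def sync_certs(src_dir=SRC_DIR, dst_dir=DST_DIR):
    """Publish every *.crt in src_dir; return the destination paths updated."""
    os.makedirs(dst_dir, mode=0o755, exist_ok=True)
    updated = []
    for src in sorted(glob.glob(os.path.join(src_dir, "*.crt"))):
        dst = os.path.join(dst_dir, os.path.basename(src))
        if publish_cert(src, dst):
            updated.append(dst)
    return updated


if __name__ == "__main__":
    # usage: publish-certs.py [src_dir [dst_dir]]
    for path in sync_certs(*sys.argv[1:3]):
        print("updated", path)
```

Because the copy is root-owned and 0644, a compromise of the acme user can still replace the published certificate (it controls the source), but it cannot make the published file writable or swap it for a symlink, which is what the daemon-side check is guarding against.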

--- Comment #17 from Stuart D Gathman ---
Spec URL: http://gathman.org/linux/SPECS/acme-tiny.spec
SRPM URL: http://gathman.org/linux/el6/src/acme-tiny-0.1-9.git5a7b4e7.fc23.src.rpm

I provided symlinks for acme-tiny and acme-tiny-sign, and followed all the rest of your recommendations (I think - patched acme-tiny to suppress tracebacks, devs can uncomment one line to get them back), except for %autosetup. I really like having each patch make named backup files, so updating a patch is easy.

--- Comment #16 from Stuart D Gathman ---
Actually, the top level exception is extremely clear:

ValueError: Wrote file to /var/www/challenges/yl3q4gBjRLn8SjdQ5d_EtnGR1ZJy1QYvrx4P6jr0NfA, but couldn't download http://fedora24.in.waw.pl/.well-known/acme-challenge/yl3q4gBjRLn8SjdQ5d_EtnGR1ZJy1QYvrx4P6jr0NfA

So suppressing the traceback might be slightly friendlier, but the error message is very good. (The test system didn't have the web server configured for the fedora24.in.waw.pl domain.)

--- Comment #15 from Stuart D Gathman ---
The tracebacks are a tough one, as that will require another mod to upstream. acme-tiny is becoming acme not as tiny but more friendly. I had hoped to keep the core script relatively unchanged, and just add the timers, directories, etc that make it actually usable.

Generating FQDN csr is a no go. We really don't know what the user will want, e.g. you typically want a list of domains on the cert for a web page. (DNS:example.com,DNS:www.example.com) However, another auxiliary script in the package to auto-gen a guessed CSR for a typical web page use might be in order down the road.

I'll fix bombing on no csrs, and see if there is something simple to do about the tracebacks from the upstream script.

And I'm on board with renaming the core script - I originally named it acme-tiny, but upstream names it acme_tiny, and I thought maybe I should follow suit. Link both names?

It does say where it is trying to connect, BTW:

Verifying fedora24.in.waw.pl..

Maybe it will only be a few lines to add a --quiet flag that suppresses the traceback and only shows the top level exception.

--- Comment #14 from Zbigniew Jędrzejewski-Szmek ---
There's also https://fedoraproject.org/wiki/Packaging:Initial_Service_Setup. You might want to look at that, although I don't see much benefit in splitting this initial setup in case of acme-tiny.

--- Comment #13 from Zbigniew Jędrzejewski-Szmek ---
It's simpler to use:
  %{?systemd_requires}
[https://fedoraproject.org/wiki/Packaging:Scriptlets#Systemd]

The scriptlets should refer to both units (acme-tiny.service and acme-tiny.timer). At least because when the package is uninstalled, both must be disabled and stopped.

Please add to the .service unit file:
  [Install]
  Also=acme-tiny.timer
This will make 'systemctl enable acme-tiny' do the expected thing.

WantedBy=network.target is wrong. It should be WantedBy=timers.target, which is the normal setting (see systemd.special(7)).

If you want, you can add "After=httpd.service nginx.service" to acme-tiny.service. (If those services are not installed or not started, this line will have no effect.)

When systemd is used, the dependency on cronie should be dropped. The mention of cron in %description should be removed too.

Drop the dependency on python. It'll be generated automatically (and correctly, i.e. for python3).

I think Suggests: httpd, mod_ssl, Enhances: httpd, mod_ssl, and maybe similarly for nginx should be added.

%setup + %patch0 -p1 → %autosetup -p1 ;)

Any chance I could convince you to rename the executable to acme-tiny? Having cert-check and acme_tiny is ugly. It's also less confusing when the main binary matches the package name.

I think you should provide Fedora-specific instructions. Upstream README contains a lot of non-relevant information about how to create a cron script, how to invoke the python script, etc. Also the paths are fixed (/var/lib/acme/*), and it would be easier if the instructions referred to them.

I started the service without creating any configuration. It failed:

Aug 22 04:43:59 fedora24 systemd[1]: Starting Check for acme certs about to expire...
Aug 22 04:43:59 fedora24 acme-tiny[15288]: Generating RSA private key, 4096 bit long modulus
Aug 22 04:43:59 fedora24 acme-tiny[15288]: ..++
Aug 22 04:44:00 fedora24 acme-tiny[15288]: ...++
Aug 22 04:44:00 fedora24 acme-tiny[15288]: e is 65537 (0x10001)
Aug 22 04:44:00 fedora24 acme-tiny[15288]: acme_tiny --account-key private/account.key --csr csr/*.csr --acme-dir /var/www/challenges/ --out certs/*.crt
Aug 22 04:44:00 fedora24 acme-tiny[15288]: Parsing account key...
Aug 22 04:44:00 fedora24 acme-tiny[15288]: Parsing CSR...
Aug 22 04:44:00 fedora24 acme-tiny[15288]: Traceback (most recent call last):
Aug 22 04:44:00 fedora24 acme-tiny[15288]:   File "/usr/sbin/acme_tiny", line 213, in
Aug 22 04:44:00 fedora24 acme-tiny[15288]:     main(sys.argv[1:])
Aug 22 04:44:00 fedora24 acme-tiny[15288]:   File "/usr/sbin/acme_tiny", line 209, in main
Aug 22 04:44:00 fedora24 acme-tiny[15288]:     signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, chain=args.chain)
Aug 22 04:44:00 fedora24 acme-tiny[15288]:   File "/usr/sbin/acme_tiny", line 70, in get_crt
Aug 22 04:44:00 fedora24 acme-tiny[15288]:     raise IOError("Error loading {0}: {1}".format(csr, err))
Aug 22 04:44:00 fedora24 acme-tiny[15288]: OSError: Error loading csr/*.csr: b"csr/*.csr: No such file or directory\n139718301902712:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('csr/*.csr','r')\n139718301902712:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:\n"
Aug 22 04:44:00 fedora24 systemd[1]: Started Check for acme certs about to expire.

It looks like the script does not report failure properly. It should also report the error in a more readable way. I don't think the stack trace is useful.

In /var/lib/acme/certs/ I have a file called '*.tmp'. This does not look right ;)

Next, I created a file called /var/lib/acme/csr/domain.csr. I restarted the service, but again it failed, this time because I haven't actually started a http server. The failure is expected, but the reporting could be improved:

Aug 22 05:23:02 fedora24 systemd[1]: Starting Check for acme certs about to expire...
Aug 22 05:23:02 fedora24 acme-tiny[15371]: acme_tiny --account-key private/account.key --csr csr/domain.csr --acme-dir /var/www/challenges/ --out certs/domain.crt
Aug 22 05:23:02 fedora24 acme-tiny[15371]: Parsing account key...
Aug 22 05:23:02 fedora24 acme-tiny[15371]: Parsing CSR...
Aug 22 05:23:02 fedora24 acme-tiny[15371]: Registering account...
Aug 22 05:23:03 fedora24 acme-tiny[15371]: Registered!
Aug 22 05:23:03 fedora24 acme-tiny[15371]: Verifying fedora24.in.waw.pl...
Aug 22 05:23:03 fedora24 acme-tiny[15371]: Traceback (most recent call last):
Aug 22 05:23:03 fedora24 acme-tiny[15371]:   File "/usr/lib64/python3.5/urllib/request.py", line 1240, in do_open
Aug 22 05:23:03 fedora24 acme-tiny[15371]:     h.request(req.get_method(), req.selector, req.data, headers)
Aug 22 05:23:03 fedora24 acme-tiny[15371]:   File "/usr/lib64/python3.5/http/client.py", line 1083, in request
Aug 22 05:23:03 fedora24

--- Comment #12 from Stuart D Gathman ---
Works! https://nyc.gathman.org/ (note signed by letsencrypt.org)

--- Comment #11 from Stuart D Gathman ---
Spec URL: http://gathman.org/linux/SPECS/acme-tiny.spec
SRPM URL: http://gathman.org/linux/el6/src/acme-tiny-0.1-8.git5a7b4e7.fc23.src.rpm

It is still out for testing on my local repo - going to do an end-to-end (do the whole process of registering the cert and running the check script from cron) on an f23 server. Only tested end-to-end on el6 so far.

--- Comment #10 from Zbigniew Jędrzejewski-Szmek ---
cert-chain-resolver is 150 lines, so making a package out of it seems a bit overkill. OTOH, it is a separate project. I don't know what the best solution is here.

OK, so you fixed python3 support. Now you should make the Fedora version use python3 ;) https://fedoraproject.org/wiki/Packaging:Python#Python_Version_Support says "If a piece of software supports python3, it must be packaged for python3.". We really shouldn't be adding more python2 stuff if we can avoid it.

Also, I'll reiterate the request to switch from cron to systemd timers: the overhead is lower (less dependencies, less logs, less processes), and switching from cron to systemd units is awkward, it can only be done between releases, and the information whether a service was enabled or disabled is lost. So it's better to do it properly from the start, i.e. use a systemd timer. I expect the ones I pasted above to work without any issues.

You should include %shortcommit in the release tag [https://fedoraproject.org/wiki/Packaging:Naming?rd=Packaging:NamingGuidelines#Post-Release_packages]. Something like this works nicely to switch back and forth between tags and releases:

%global gitcommit ea683512f9b82f2257770f0ed56d819eea230fc2
%{?gitcommit:%global gitcommitshort %(c=%{gitcommit}; echo ${c:0:7})}
Version:123
Release:4%{?gitcommit:.git%{gitcommitshort}}%{?dist}

--- Comment #9 from Stuart D Gathman ---
Spec URL: http://gathman.org/linux/SPECS/acme-tiny.spec
SRPM URL: http://gathman.org/linux/el6/src/acme-tiny-0.1-6.el6.src.rpm

Tested cert-check with python3 AND committed it this time. Made /var/lib/acme readable by all except private. Removed env from acme-tiny. Updated patch to leave default behavior unchanged. Still thinking about leaving acme-tiny really unchanged and include cert-chain-resolver (or make that another package).

--- Comment #8 from Stuart D Gathman ---
Arrgh. I *did* test cert-check.py with python3, but neglected to commit the changes...

--- Comment #7 from Stuart D Gathman ---
Thanks - I'll fix the cert-check script, and I can test it on python3.

Also, after some discussion on the acme-tiny github page, I will be removing or changing the patch to append intermediate certs. The package promises to "use the upstream acme-tiny". The patch changes the default semantics, and some applications depend on acme-tiny outputting *only* the one cert. Options are:

1) Include or depend on https://github.com/muchlearning/cert-chain-resolver-py
   This not only downloads intermediate certs, but does a lot of sanity checking.
2) Modify the patch to add an option flag to append intermediate certs, thus leaving the default behavior unchanged.

The intermediate certs are included in the acme response in any case, it is just a matter of whether to extract and append them.
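Option 2 above (leaf-only output by default, intermediates appended only behind a flag) comes down to how the PEM blocks from the CA response are assembled into certs/<name>.crt. The following is an added example of that assembly step, not the package's patch to acme_tiny: split_pem() is a small parser for the PEM certificate framing, and build_output() enforces the two behaviours the comment describes, including the leaf-first ordering TLS servers expect and a refusal to proceed if the "leaf" text contains more or fewer than one certificate. The certificate bodies used in the usage note are constructed placeholders with the real armour lines, not real certificates.

```python
#!/usr/bin/python3
"""Leaf-only vs. full-chain certificate output, as an explicit option.

Added example, not part of the acme-tiny package. Splits PEM text into its
CERTIFICATE blocks and composes the output file either as the single
issued certificate (upstream default) or leaf followed by intermediates.
"""
import re

# One PEM certificate block; DOTALL so the lazy body spans lines. Anything
# outside the armour (text banners, stray whitespace) is ignored.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL)


def split_pem(text):
    """Return each CERTIFICATE block found in text, in order, normalised to
    Unix line endings with one trailing newline."""
    return [m.group(0).replace("\r\n", "\n") + "\n"
            for m in PEM_CERT.finditer(text)]


def build_output(leaf_pem, intermediate_pem, chain=False):
    """Compose the contents of certs/<name>.crt.

    leaf_pem:         PEM text of the newly issued certificate
    intermediate_pem: PEM text of the issuer chain (may hold several certs)
    chain:            False -> exactly the one issued certificate, which is
                      what applications relying on upstream behaviour expect;
                      True  -> leaf first, then the intermediates in the
                      order given, which is the order TLS servers send them.
    """
    leaf = split_pem(leaf_pem)
    if len(leaf) != 1:
        raise ValueError("expected exactly one leaf certificate, got %d" % len(leaf))
    if not chain:
        return leaf[0]
    return "".join(leaf + split_pem(intermediate_pem))


if __name__ == "__main__":
    # Constructed placeholders, not real certificates.
    leaf = "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
    inter = "-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----\n"
    print(build_output(leaf, inter))              # leaf only
    print(build_output(leaf, inter, chain=True))  # leaf + intermediate
```

Keeping the leaf in its own file by default also keeps the "which file is the server certificate" question unambiguous for consumers such as sendmail or dovecot that take a separate chain file.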

Zbigniew Jędrzejewski-Szmek changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|nob...@fedoraproject.org    |zbys...@in.waw.pl
              Flags|                            |fedora-review?

--- Comment #6 from Zbigniew Jędrzejewski-Szmek ---
/usr/sbin/acme_tiny has '#!/usr/bin/env python', it should use system python, i.e. %{__python2}.

It cannot work with python3, cert-check has old exception syntax.

Systemd units would be:

# acme-tiny.timer
[Unit]
Description=Periodic renewal of Let's Encrypt certificates

[Timer]
OnCalendar=daily
Persistent=yes

[Install]
WantedBy=timers.target

# acme-tiny.service
[Unit]
Description=Renewal of Let's Encrypt certificates

[Service]
Type=oneshot
User=acme
ExecStart=/usr/libexec/acme-tiny/sign
PrivateTmp=true
ProtectHome=yes
ProtectSystem=full

[Install]
Also=acme-tiny.timer

--- Comment #5 from Stuart D Gathman ---
Note to reviewers: the python scripts are intended to run on either python2 or python3 - hence it uses the default python. I haven't tested it thoroughly with python3 yet, however.
--- Comment #4 from Stuart D Gathman ---

(In reply to Zbigniew Jędrzejewski-Szmek from comment #2)
> For Fedora it would be nice to replace the cron script with a systemd
> timer+service. Cron scripts are more heavyweight, require crond to be

I will put that on the list, but I don't know how to do that yet. It is easy enough to use the crontab only for el6. (I assume el7 also has timer+service.)
--- Comment #3 from Stuart D Gathman ---

Why acme-tiny and not the existing certbot package?

Certbot is an all-singing, all-dancing, configure-your-web-server-for-you (with plugins for various web servers) ACME client plus general cert management tool. Let's Encrypt is a web service using the ACME protocol. Acme-tiny is a tiny ACME client that doesn't do all that stuff - because it only needs to be done once, so it is a really bad idea to have some generic script editing your configuration (and who knows what else hidden among all that code). Plus, certbot needs root access to your system. Acme-tiny does not. It runs as the acme user, and only has access to CSRs you give it, certs it signs, and the Let's Encrypt account key (when using letsencrypt to sign).

In summary, IMO certbot is targeting the wrong audience. The people that would need certbot to do all that one-time configuration for them probably aren't running a web server to begin with. But I could be wrong. There are a lot of non-technical Fedora users that just may in fact run web servers and appreciate certbot. With the apache drop-in I provide in acme-tiny, 99% of apache configurations work out of the box anyway. You only need to adjust the config if you use deny all inside a (which overrides the global acme-challenge config).

In summary:

- letsencrypt is a web service.
- ACME is a wire protocol.
- certbot is a bloated client implementation of ACME.
- acme-tiny is a lean and mean client implementation.

My acme-tiny package adds pre-made directories, user, and a tiny cron script so that everything mostly works out of the box.
Zbigniew Jędrzejewski-Szmek changed:

           What    |Removed                 |Added
    ---------------+------------------------+------------------
    CC             |                        |zbys...@in.waw.pl

--- Comment #2 from Zbigniew Jędrzejewski-Szmek ---

For Fedora it would be nice to replace the cron script with a systemd timer+service. Cron scripts are more heavyweight, require crond to be running, and leave much more logs. In addition, you could use stuff like ProtectHome=yes, etc., and users will be able to enable/disable this using presets, which is nicer for automatic deployments.
--- Comment #1 from Stuart D Gathman ---

Spec URL: http://gathman.org/linux/SPECS/acme-tiny.spec
SRPM URL: http://gathman.org/linux/el6/src/acme-tiny-0.1-5.el6.src.rpm

New release out for testing on local repo.