search

acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0
39.34k stars 4.97k forks source link

No domain.conf update, old create/renew dates, SIGPIPE signal in log #2814

Open Snousmoumryk opened 4 years ago

Snousmoumryk commented 4 years ago

Steps to reproduce

FreeBSD 11.3
acme.sh v2.8.6

Webroot mode, multiple domains

Command line in script which is called via cron

#!/bin/sh
su -m acme -c '/<...>/acme.sh --cron --home /<...>/acme'

Debug log

Log file tail

...
-----END CERTIFICATE-----'
[] Found cert chain
[] _end_n='34'
[] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/<...>'
[] Cert success.
[] Your cert is in  /<...>/acme/example.tld/example.tld.cer 
[] Return code: 141
[] Error renew example.tld.

Actually certificates are renewed and could be deployed with no errors. All files in /<...>/acme/example.tld/ directory have their modification date updated (excluding example.tld.key).

But variables in example.tld.conf file

are not updated and contain old numbers.

How to eliminate SIGPIPE signal during acme.sh execution and get variables updated?

Neilpang commented 4 years ago

can you please provide log with --debug 2 ?

Snousmoumryk commented 4 years ago

can you please provide log with --debug 2 ?

Here is acme.sh.log.zip Attached log file starts when previous cron job skipped renew task.

Web server is based on the XigmaNAS project software (FreeBSD embedded).

Snousmoumryk commented 4 years ago

@Neilpang I did additional tests in Let's Encrypt staging environment. Original acme.sh and its two modified versions were run under three different conditions.

Modifications

Conditions

Test results orig xtrace bash->sh
no redirection SIGPIPE error Not executed No error
>file No error, but cert in file Not executed, empty file No error, but cert in file
>file 2>&1 No error, but cert in file No error, but cert in file No error, but cert in file

Assumptions It looks as if acme.sh has an error with the output file descriptors at some point. And SIGPIPE error appears for the bash interpreter only, while for native FreeBSD sh this error does not exist.

Neilpang commented 4 years ago

@Snousmoumryk
Thanks for your report. I will take a look soon.

Snousmoumryk commented 4 years ago

@Neilpang I did some more tests to further investigate acme.sh strange behavior in XigmaNAS custom FreeBSD kernel environment. This time I used /dev/null redirection and two options for calling acme.sh using su and sudo.

Conditions

Test results su sudo
no redirection SIGPIPE error SIGPIPE error
acme.sh > No error No error
su/sudo > No error No error

Notes Additional info about test conditions specific to XigmaNAS FreeBSD instance.

  1. Error after server start and call via cron.
  2. No error if acme.sh runs in CLI.
  3. Error after cron restart in CLI and call via cron.
  4. No error after cron restart in XigmaNAS webUI and call via cron.
Snousmoumryk commented 4 years ago

@Neilpang After some discussion with XigmaNAS development team, it turns out the root cause of the issue is as follows.

  1. FreeBSD local mail subsystem is not configured in XigmaNAS system by design.
  2. At run time acme.sh script outputs some data (cert content) to STDOUT, which is not expected with --cron command line option.
  3. System cron tries to send any of STDOUT and STDERR acme.sh output via mail, except it's redirected.
  4. Because local mail is not configured, the mail utility, invoked by cron, dies while script is still running, which causes broken pipe (SIGPIPE) error.

A solid workaround is to redirect acme.sh script output to >/dev/null 2>&1.

It seems this issue is specific to XigmaNAS system only, otherwise there would be numerous issue reports in different use cases.