jhpyle / docassemble

A free, open-source expert system for guided interviews and document assembly, based on Python, YAML, and Markdown.
https://docassemble.org
MIT License
786 stars, 254 forks

Updated certbot to avoid x509 version issue #699

Closed BryceStevenWilley closed 1 year ago

BryceStevenWilley commented 1 year ago

One of our servers' TLS cert expired, and it looks like something in certbot was the issue. When I tried running it manually, I got the following error:

Traceback (most recent call last):
  File "/usr/share/docassemble/local3.10/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/share/docassemble/local3.10/lib/python3.10/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/share/docassemble/local3.10/lib/python3.10/site-packages/certbot/_internal/main.py", line 1435, in main
    return config.func(config, plugins)
  File "/usr/share/docassemble/local3.10/lib/python3.10/site-packages/certbot/_internal/main.py", line 1165, in run
    new_lineage = _get_and_save_cert(le_client, config, domains,
  File "/usr/share/docassemble/local3.10/lib/python3.10/site-packages/certbot/_internal/main.py", line 129, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/share/docassemble/local3.10/lib/python3.10/site-packages/certbot/_internal/renewal.py", line 341, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/share/docassemble/local3.10/lib/python3.10/site-packages/certbot/_internal/client.py", line 372, in obtain_certificate
    csr = crypto_util.init_save_csr(key, domains, self.config.csr_dir)
  File "/usr/share/docassemble/local3.10/lib/python3.10/site-packages/certbot/crypto_util.py", line 101, in init_save_csr
    csr_pem = acme_crypto_util.make_csr(
  File "/usr/share/docassemble/local3.10/lib/python3.10/site-packages/acme/crypto_util.py", line 252, in make_csr
    csr.set_version(2)
  File "/usr/share/docassemble/local3.10/lib/python3.10/site-packages/OpenSSL/crypto.py", line 1016, in set_version
    raise ValueError(
ValueError: Invalid version. The only valid version for X509Req is 0.

Which led to https://github.com/certbot/certbot/issues/9722. Updating to the latest certbot (2.7.0) and re-running it fixed the issue, so I updated that version in the Dockerfile.

Misc question: is there a way to update the certbot and certbot-nginx packages after the Docker image is made? I.e. should those packages be added to setup.py install requires, so people only need to do a python upgrade instead of a system upgrade or manual fix?
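A way to check a deployed venv for this combination before a renewal fails, as an added example (mine, not docassemble's or certbot's code): it reads the installed certbot and pyOpenSSL versions, reproduces the exact failing call from the traceback (`X509Req().set_version(2)`) in isolation so no ACME request is made, and flags certbot as needing an upgrade if it is older than 2.6.0, the oldest version this thread confirms working. The threshold and the venv path `/usr/share/docassemble/local3.10` (taken from the traceback) are assumptions; run it with that venv's interpreter.

```python
"""Probe whether the installed certbot / pyOpenSSL pair hits the
'The only valid version for X509Req is 0' error without contacting
Let's Encrypt.  Added example; not docassemble or certbot code.

Run with the venv that owns certbot, e.g.
  /usr/share/docassemble/local3.10/bin/python3 probe_certbot.py
(path taken from the traceback; adjust for your image).
"""
import importlib.metadata
import re
from typing import Optional, Tuple

# Assumption: 2.6.0 is the oldest certbot confirmed to work in this thread;
# 1.15.0 is the version that produced the traceback.
MIN_OK_CERTBOT: Tuple[int, ...] = (2, 6, 0)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.15.0' or '2.7.0.dev0' into a tuple of ints (numeric prefix only)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _pad(v: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    """Right-pad with zeros so '2.6' compares equal to '2.6.0'."""
    return tuple(v) + (0,) * (n - len(v))


def certbot_needs_upgrade(installed: str,
                          minimum: Tuple[int, ...] = MIN_OK_CERTBOT) -> bool:
    """True if the installed certbot is older than the known-good minimum."""
    got = parse_version(installed)
    n = max(len(got), len(minimum))
    return _pad(got, n) < _pad(minimum, n)


def installed_version(dist: str) -> Optional[str]:
    """Version string of an installed distribution, or None if absent."""
    try:
        return importlib.metadata.version(dist)
    except importlib.metadata.PackageNotFoundError:
        return None


def probe_x509req_version() -> str:
    """Reproduce the failing call from old acme.crypto_util.make_csr.

    'rejects'  - this pyOpenSSL refuses set_version(2) on a CSR (the error
                 in the traceback; any certbot still calling it will fail)
    'accepts'  - this pyOpenSSL still allows it (old pyOpenSSL)
    'missing'  - pyOpenSSL is not importable in this interpreter
    """
    try:
        from OpenSSL import crypto
    except ImportError:
        return "missing"
    req = crypto.X509Req()
    try:
        req.set_version(2)  # exactly what certbot 1.x's acme library did
    except ValueError:
        return "rejects"
    return "accepts"


def report() -> dict:
    """Collect everything an operator needs to decide whether to upgrade."""
    cb = installed_version("certbot")
    return {
        "certbot": cb,
        "certbot-nginx": installed_version("certbot-nginx"),
        "pyOpenSSL": installed_version("pyOpenSSL"),
        "x509req_set_version_2": probe_x509req_version(),
        "upgrade_certbot": cb is not None and certbot_needs_upgrade(cb),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

If the report shows `rejects` together with `upgrade_certbot: True`, the next real renewal will fail the way the traceback shows; the fix the PR applies (a newer certbot in the Dockerfile, or `pip install --upgrade certbot certbot-nginx` inside that venv followed by `certbot renew --dry-run`) is what to do before the certificate actually expires.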

jhpyle commented 1 year ago

What version of certbot was installed previously? Version 2.6.0 was released May 9, 2023, so it isn't very old. Another user encountered this issue, but their system version was more than a year old, so they were running certbot version 1.15.0. Upgrading certbot to 2.7.0 should fix the issue when certbot is very old, but I don't know whether 2.6.0 is bad.

For convenience of users I should probably mention certbot in the setup.py file, but it really isn't a dependency of the docassemble Python code in any way, so that seems wrong.

People really ought to do system upgrades regularly because otherwise they aren't getting OS-level security patches, so I'm not sure I should do things to enable people to delay doing their system upgrades.

BryceStevenWilley commented 1 year ago

What version of certbot was installed previously?

I checked and it was previously at 1.15.0 too. I hadn't thought to try upgrading to 2.6.0 first based on what I saw in the linked issue, but I just tried and it works, so you're right, this upgrade doesn't seem to be as necessary as I thought.

I appreciate the thoughts on system upgrades vs. in setup.py. You are right that OS security patches are important; I get encouraging people to do that often.