markt-de / puppet-acme

Centralized SSL certificate management using acme.sh and the ACME protocol
https://forge.puppet.com/markt/acme
Apache License 2.0
9 stars, 17 forks

Automatic Renews Failing #7

Closed wwkimball closed 6 years ago

wwkimball commented 6 years ago

Synopsis

On the Puppet 5 Server, I've just noticed that every manifest run now fails when your module attempts to renew any certificate that isn't yet near expiration. When I manually execute the failing command, I notice that the result is non-fatal; rather, the user is politely informed when the next renewal time should be. However, because the acme.sh script returns a non-zero exit state -- 2 rather than 0 -- your exec resource mistakes the result for a fatal error.

Possible Fix

To the "renew-certificate-${domain}" exec at https://github.com/fraenki/puppet-acme/blob/master/manifests/request.pp#L272, simply add this additional line:

    returns        => [ 0, 2, ],

This line will permit the exec to report a success when the certificate renewal either has actually succeeded (0) or has been deferred to a later date (2).

Steps To Reproduce

This error can be reproduced by:

  1. Build a fresh Puppet 5 Server
  2. Build any other Puppet 5 client node that requests certificates via your module using the DNS-01 mechanism.
  3. Check back the next day (may occur sooner for you, but I happened to notice the issue the next day).
  4. Manually run puppet agent -tv on the Puppet 5 Server to observe the error.

Error Messages

    Error: '/opt/acme.sh/acme.sh --staging --issue --domain host.domain.tld --dns dns_gd --days 30 --log /var/log/acme.sh/acme.log --log-level 2 --home /etc/acme.sh/home --keylength 4096 --accountconf /etc/acme.sh/accounts/account@domain.tld/account_staging.conf --ocsp --csr /etc/acme.sh/csrs/host.domain.tld/cert.csr --certpath /etc/acme.sh/certs/host.domain.tld/cert.pem --capath /etc/acme.sh/certs/host.domain.tld/chain.pem --fullchainpath /etc/acme.sh/certs/host.domain.tld/fullchain.pem --dnssleep 15 >/dev/null' returned 2 instead of one of [0]
    Error: /Stage[main]/Acme::Request::Handler/Acme::Request[host.domain.tld]/Exec[renew-certificate-host.domain.tld]/returns: change from 'notrun' to ['0'] failed: '/opt/acme.sh/acme.sh --staging --issue --domain host.domain.tld --dns dns_gd --days 30 --log /var/log/acme.sh/acme.log --log-level 2 --home /etc/acme.sh/home --keylength 4096 --accountconf /etc/acme.sh/accounts/account@domain.tld/account_staging.conf --ocsp --csr /etc/acme.sh/csrs/host.domain.tld/cert.csr --certpath /etc/acme.sh/certs/host.domain.tld/cert.pem --capath /etc/acme.sh/certs/host.domain.tld/chain.pem --fullchainpath /etc/acme.sh/certs/host.domain.tld/fullchain.pem --dnssleep 15 >/dev/null' returned 2 instead of one of [0]

Actual Command Output

    [Sun Feb 25 03:00:09 UTC 2018] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
    [Sun Feb 25 03:00:10 UTC 2018] Domains not changed.
    [Sun Feb 25 03:00:10 UTC 2018] Skip, Next renewal time is: Fri Mar 23 17:41:34 UTC 2018
    [Sun Feb 25 03:00:10 UTC 2018] Add '--force' to force to renew.

Actual Command Exit State

    $ echo $?
    2
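The following is an added example, not code from the puppet-acme module or from the issue author. It reproduces in plain shell what `returns => [0, 2]` on the Puppet exec would do: an exit status of 0 is treated as "renewed", 2 as "deferred, not yet due" (the case shown in the command output above), and any other status is still reported as a failure so that a real renewal error is not silently masked. The stub script, the `FAKE_ACME_EXIT` variable and the function names are constructed for this example and are not part of acme.sh or the module.

```shell
#!/bin/sh
# Added example (not code from puppet-acme or acme.sh). Mirrors the effect
# of `returns => [0, 2]` on a Puppet exec: 0 = renewed, 2 = renewal not yet
# due (acme.sh skipped the run), anything else = genuine failure.
#
# Assumptions (not from the page): the stub script, FAKE_ACME_EXIT and the
# function names below are constructed for this example.

# make_stub_acme: write a constructed stand-in for acme.sh to a temp file
# and print its path. It mimics the "Skip, Next renewal time" output quoted
# in the issue and exits with FAKE_ACME_EXIT (default 2).
make_stub_acme() {
  stub=$(mktemp) || return 1
  cat >"$stub" <<'EOF'
#!/bin/sh
rc="${FAKE_ACME_EXIT:-2}"
case "$rc" in
  0) echo "[stub] Cert success." ;;
  2) echo "[stub] Skip, Next renewal time is: Fri Mar 23 17:41:34 UTC 2018"
     echo "[stub] Add '--force' to force to renew." ;;
  *) echo "[stub] Error renewing." >&2 ;;
esac
exit "$rc"
EOF
  chmod +x "$stub" || return 1
  printf '%s\n' "$stub"
}

# renew_status CMD [ARGS...]: run the renewal command with its output
# discarded (as the module's exec does), print a one-word classification
# of the exit status, and return 0 for renewed/deferred or 1 otherwise.
# The if/else keeps the status capture safe under `set -e`.
renew_status() {
  if "$@" >/dev/null 2>&1; then
    rc=0
  else
    rc=$?
  fi
  case "$rc" in
    0) echo renewed;  return 0 ;;
    2) echo deferred; return 0 ;;
    *) echo "failed (exit $rc)"; return 1 ;;
  esac
}

# Demo: exercise the three cases against the constructed stub.
STUB=$(make_stub_acme)
for code in 0 2 1; do
  printf 'acme.sh exit %s -> ' "$code"
  renew_status env FAKE_ACME_EXIT="$code" "$STUB" --issue --domain host.domain.tld || true
done
rm -f "$STUB"
```

Puppet's `returns` parameter only compares the exit status, so whitelisting 2 relies on acme.sh using that status exclusively for "not yet due"; confirm that against the acme.sh version actually deployed before widening the list, and keep every other non-zero status fatal so that a failed issuance still fails the Puppet run.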