Fix certbot auto-renewal & hands-free cert creation #52

Open
wants to merge 1 commit into
base: master

Conversation

@hcooper (Contributor) commented Jul 19, 2023

Auto-renew of certificates should work now (certbot automatically sets it up in /etc/cron.d/certbot). All it needed was cron running in the reverse_proxy container.

This PR:

  • Installs cron (and other basic tools), and runs cron at startup.
  • Makes the enable_tls deploy command more hands-free. It'll now automatically request certificates for both $WG_HOSTNAME and www.$WG_HOSTNAME without needing human input.
  • Deletes add_cert_cronjob, which installs a renewal cronjob on the VM, not inside the container (and didn't work because of #27, "Crontab for cert renewal does not work").

@BenjaminPelletier (Member) left a comment

This change breaks my ability to enable TLS on my GCP VM with the error service "ropewiki_reverse_proxy" is not running container #1 upon running enable_tls.sh (complete log below). I've confirmed that the head of master still works using the same procedure.

Also, not all sites will want to enable TLS for both the base and www domain names so we should have some setting, prompt, or other input that allows selection of just one of them. This was previously achieved by simply selecting the appropriate sites in certbot.

Following python3 deploy_tool.py gcpdev dc build:

bjpcaltech@gcp-ropewiki-dev:~/rw/app$ python3 deploy_tool.py gcpdev create_db
2023-07-23T20:03:02.630147 Deleting/cleaning up any existing database...
2023-07-23T20:03:02.630362   RUN git log -n 1
2023-07-23T20:03:02.636009   RUN git status
2023-07-23T20:03:02.644569   SCRIPT docker compose -p gcpdev stop ropewiki_db
2023-07-23T20:03:02.644666   RUN sh /home/bjpcaltech/rw/app/docker_compose_command.sh && rm /home/bjpcaltech/rw/app/docker_compose_command.sh
2023-07-23T20:03:02.773471   SCRIPT docker compose -p gcpdev rm -v -f ropewiki_db
2023-07-23T20:03:02.773535   RUN sh /home/bjpcaltech/rw/app/docker_compose_command.sh && rm /home/bjpcaltech/rw/app/docker_compose_command.sh
No stopped containers
2023-07-23T20:03:02.861323   RUN docker volume ls
2023-07-23T20:03:02.886146   RUN docker volume rm ropewiki_database_storage
ropewiki_database_storage
2023-07-23T20:03:02.958391   SCRIPT docker compose -p gcpdev up -d ropewiki_db ropewiki_backup_manager
2023-07-23T20:03:02.958455   RUN sh /home/bjpcaltech/rw/app/docker_compose_command.sh && rm /home/bjpcaltech/rw/app/docker_compose_command.sh
[+] Building 0.0s (0/0)
[+] Running 4/4
 ✔ Network gcpdev_default                      Created    0.1s
 ✔ Volume "ropewiki_database_storage"          Created    0.0s
 ✔ Container gcpdev-ropewiki_db-1              Started    0.6s
 ✔ Container gcpdev-ropewiki_backup_manager-1  Started    1.1s
2023-07-23T20:03:04.325934 >> Waiting for MySQL database to initialize...
2023-07-23T20:03:09.331241   RUN docker inspect --format "{{.State.Status}}" gcpdev-ropewiki_db-1
2023-07-23T20:03:09.370151     DB status: running
2023-07-23T20:03:09.370384   RUN docker container logs gcpdev-ropewiki_db-1
2023-07-23T20:03:09.402677     Ready count: 1
2023-07-23T20:03:19.412985   RUN docker inspect --format "{{.State.Status}}" gcpdev-ropewiki_db-1
2023-07-23T20:03:19.445016     DB status: running
2023-07-23T20:03:19.445181   RUN docker container logs gcpdev-ropewiki_db-1
2023-07-23T20:03:19.480146     Ready count: 2
2023-07-23T20:03:19.480402 >> Creating empty ropewiki database...
2023-07-23T20:03:19.480568   RUN docker container exec gcpdev-ropewiki_db-1 mysqladmin -u root -REDACTED create ropewiki
mysqladmin: [Warning] Using a password on the command line interface can be insecure.
2023-07-23T20:03:19.605070 >> Creating ropewiki user...
2023-07-23T20:03:19.605260   RUN docker container exec gcpdev-ropewiki_db-1 mysql -uroot -REDACTED --host ropewiki_db -e "CREATE USER 'ropewiki'@'%' IDENTIFIED BY 'REDACTED';"
mysql: [Warning] Using a password on the command line interface can be insecure.
2023-07-23T20:03:19.735449   RUN docker container exec gcpdev-ropewiki_db-1 mysql -uroot -REDACTED --host ropewiki_db -e "GRANT ALL PRIVILEGES ON * . * TO 'ropewiki'@'%';"
mysql: [Warning] Using a password on the command line interface can be insecure.
2023-07-23T20:03:19.854581   RUN docker container exec gcpdev-ropewiki_db-1 mysql -uroot -REDACTED --host ropewiki_db -e "FLUSH PRIVILEGES;"
mysql: [Warning] Using a password on the command line interface can be insecure.
2023-07-23T20:03:19.973891 RopeWiki database initialized successfully.
bjpcaltech@gcp-ropewiki-dev:~/rw/app$ python3 deploy_tool.py gcpdev restore_empty_db
Restore /home/bjpcaltech/rw/app/database/empty_schema.sql? (y/n): y
2023-07-23T20:03:37.434949 Ensuring backup manager is available...
2023-07-23T20:03:37.435182   RUN git log -n 1
2023-07-23T20:03:37.440464   RUN git status
2023-07-23T20:03:37.446203   SCRIPT docker compose -p gcpdev up -d ropewiki_backup_manager
2023-07-23T20:03:37.446368   RUN sh /home/bjpcaltech/rw/app/docker_compose_command.sh && rm /home/bjpcaltech/rw/app/docker_compose_command.sh
[+] Building 0.0s (0/0)
[+] Running 2/0
 ✔ Container gcpdev-ropewiki_db-1              Running    0.0s
 ✔ Container gcpdev-ropewiki_backup_manager-1  Running    0.0s
2023-07-23T20:03:37.561142 Loading /home/bjpcaltech/rw/app/database/empty_schema.sql...
2023-07-23T20:03:37.561329   (NOTE: this operation usually takes a few minutes)
2023-07-23T20:03:37.561453   RUN cat /home/bjpcaltech/rw/app/database/empty_schema.sql | docker container exec -i gcpdev-ropewiki_backup_manager-1 mysql -uropewiki -pREDACTED --host ropewiki_db ropewiki
mysql: [Warning] Using a password on the command line interface can be insecure.
2023-07-23T20:03:40.453900   -> Backup restored.
bjpcaltech@gcp-ropewiki-dev:~/rw/app$ python3 deploy_tool.py gcpdev enable_tls
2023-07-23T20:03:54.838925   RUN git log -n 1
2023-07-23T20:03:54.844592   RUN git status
2023-07-23T20:03:54.851163 Script generated.  To enable TLS, run:
2023-07-23T20:03:54.851228   sh /home/bjpcaltech/rw/app/enable_tls.sh
bjpcaltech@gcp-ropewiki-dev:~/rw/app$ sh /home/bjpcaltech/rw/app/enable_tls.sh
service "ropewiki_reverse_proxy" is not running container #1
bjpcaltech@gcp-ropewiki-dev:~/rw/app$
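An added example (not the project's enable_tls.sh or any code from this PR) showing how both points in the thread could be handled: a domain selector that makes the www name optional instead of always requesting both, and a check that the reverse-proxy service has a running container before `docker compose exec`, since "service ... is not running container #1" is exactly what compose prints when it does not. Assumed names: the service is called ropewiki_reverse_proxy, the env vars WG_INCLUDE_WWW and WG_ADMIN_EMAIL are hypothetical, and certbot's nginx plugin is installed in the container.

```shell
# Hypothetical helper for a hands-free enable_tls.sh (added example, not project code).
set -eu

# Build certbot's -d arguments: the base hostname always, www. only when asked for.
# This lets a site that only serves the base name skip the www certificate.
cert_domain_args() {
    host="$1"
    with_www="${2:-no}"
    args="-d $host"
    if [ "$with_www" = "yes" ]; then
        args="$args -d www.$host"
    fi
    printf '%s' "$args"
}

# compose exec fails with 'service "X" is not running container #1' when the
# service has no running container, so check for one and start it if needed.
ensure_service_running() {
    project="$1"
    service="$2"
    if docker compose -p "$project" ps --services --status running | grep -qx "$service"; then
        return 0
    fi
    docker compose -p "$project" up -d "$service"
}

# Request the certificate non-interactively (no prompts, ToS accepted, contact email given).
request_cert() {
    project="$1"; service="$2"; host="$3"; with_www="$4"; email="$5"
    ensure_service_running "$project" "$service"
    # shellcheck disable=SC2046  (word-splitting the -d arguments is intended)
    docker compose -p "$project" exec "$service" certbot --nginx \
        --non-interactive --agree-tos -m "$email" \
        $(cert_domain_args "$host" "$with_www")
}

# Dry-run of the renewal that /etc/cron.d/certbot performs, to verify cron+certbot
# inside the container can actually renew before relying on it.
check_renewal() {
    docker compose -p "$1" exec "$2" certbot renew --dry-run
}

if [ "${1:-}" = "run" ]; then
    request_cert "${COMPOSE_PROJECT:-gcpdev}" ropewiki_reverse_proxy \
        "$WG_HOSTNAME" "${WG_INCLUDE_WWW:-yes}" "$WG_ADMIN_EMAIL"
    check_renewal "${COMPOSE_PROJECT:-gcpdev}" ropewiki_reverse_proxy
fi
```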
