Nextcloud-snap: Let鈥檚 Encrypt CAA Rechecking Bug

Created on 3 Mar 2020  路  9Comments  路  Source: nextcloud/nextcloud-snap

Let鈥檚 Encrypt have announced a bug in their certificate issuing.

https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591

And that to resolve it existing certificates will be revoked, and must be force renewed by March 4.

https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864

Will it be possible for the snap do perform this automatically?

Most helpful comment

For anyone effected, here's what you do:

Step 1: Force-renew your cert

Run this command. It should work regardless of your architecture, although I've only tested it on amd64:

$ sudo snap run --shell nextcloud.occ -c 'export PATH="$SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH"; . "$SNAP/utilities/https-utilities"; run_certbot renew --force-renewal'

It may look a little suspicious at the end, saying something similar to:

Running post-hook command: restart-apache
Output from post-hook command restart-apache:
Restarting apache... error
Certificates have been activated: using HTTPS only
Certificates look to be in order: enabling HSTS
httpd: error while loading shared libraries: libaprutil-1.so.0: cannot open shared object file: No such file or directory

Don't worry about that, it's because I gave you architecture-agnostic directions. We've now updated your cert, we just need to take care of...

2. Restart apache

$ sudo snap restart nextcloud.apache

Now you should be up and running with a new cert, one that isn't effected by this bug.

All 9 comments

Oh that's awful. Thank you for the heads up, we'll look into it.

This only effects 2.6% of all valid Let's Encrypt certs. My Nextcloud snap instance is not effected. Are you sure yours is? I think that makes the risk of messing up an emergency update to force renew everyone's certs higher than the risk of anyone actually hitting this.

According to https://checkhost.unboundtest.com/ I am not effected. You might be right about the emergency update risk.

For someone who is effected, what would be the manual process force renew.

I'm effected, and will need to renew. I had expected there to be a nextcloud.renew-certs command but there isn't. Is there a way of triggering a renewal manually, or do I have to delete the old certs and start over?

EDIT: Btw. I totally agree with you that setting up automated renewal is more error-prone than 2.6%. Especially if one does it as a rush-job for this particular bug. But perhaps we could look into it in the future, if there's good tooling available for it.

For anyone effected, here's what you do:

Step 1: Force-renew your cert

Run this command. It should work regardless of your architecture, although I've only tested it on amd64:

$ sudo snap run --shell nextcloud.occ -c 'export PATH="$SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH"; . "$SNAP/utilities/https-utilities"; run_certbot renew --force-renewal'

It may look a little suspicious at the end, saying something similar to:

Running post-hook command: restart-apache
Output from post-hook command restart-apache:
Restarting apache... error
Certificates have been activated: using HTTPS only
Certificates look to be in order: enabling HSTS
httpd: error while loading shared libraries: libaprutil-1.so.0: cannot open shared object file: No such file or directory

Don't worry about that, it's because I gave you architecture-agnostic directions. We've now updated your cert, we just need to take care of...

2. Restart apache

$ sudo snap restart nextcloud.apache

Now you should be up and running with a new cert, one that isn't effected by this bug.

@kyrofa
Thanks
I needed to add the webroot-path:
sudo snap run --shell nextcloud.occ -c 'export PATH="$SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH"; . "$SNAP/utilities/https-utilities"; run_certbot renew --force-renewal --webroot-path /var/snap/nextcloud/current/certs/certbot'

This was the output:

Saving debug log to /var/snap/nextcloud/current/certs/certbot/logs/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing
/var/snap/nextcloud/current/certs/certbot/config/renewal/nas.XXX.myfritz.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cloud.XXX
http-01 challenge for cloud.XXX
http-01 challenge for cloud.XXX
http-01 challenge for nas.XXX
http-01 challenge for nas.XXX
http-01 challenge for nas.XXX
http-01 challenge for nas.XXX.myfritz.net
Using the webroot path /var/snap/nextcloud/current/certs/certbot for all unmatched domains.
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/var/snap/nextcloud/current/certs/certbot/config/live/nas.XXX.myfritz.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /var/snap/nextcloud/current/certs/certbot/config/live/nas.XXX.myfritz.net/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

BTW:
In the past my nextcloud did not autorenewal the certs.
It would be great if the command nextcloud.renew-certs would work again and would execute something like certbot renew --force-renewal

I needed to add the webroot-path

Huh, that shouldn't have been required. Obtaining the cert initially uses that so it should have been in the config. Any chance you've been editing the config manually? Regardless, I'm glad you got it working, thank you for sharing!

The instructions worked for me. Did not need --webroot-path. Thanks!

We're about a month past that deadline and I haven't heard any more complaints, so I'm going to go ahead and close this. Obviously feel free to continue any discussion here.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

tinokizis picture tinokizis  路  8Comments

johnpoint picture johnpoint  路  4Comments

gabrielmongefranco picture gabrielmongefranco  路  4Comments

WereCatf picture WereCatf  路  3Comments

dutchievj picture dutchievj  路  4Comments