support letsencrypts certbot to renew certificates

[bw1faeh0]

Hi,

I would like to renew my certificates (basically running certbot renew) by using topgrade.
Do you see a possibility to implement this, or do I have the option to call external programs by topgrade?

[SteveLauC]

Do you see a possibility to implement this

It sounds like an update procedure so I guess yes, we can add it, would you like to show me the output of that renew command?

or do I have the option to call external programs by topgrade?

Topgrade indeed supports this, see the "commands" section in the config.example.toml for examples

[bw1faeh0]

It sounds like an update procedure so I guess yes, we can add it, would you like to show me the output of that renew command?

Lets have a look:

$ certbot certificates
The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt/.certbot.lock'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-19w8tj1h/log or re-run Certbot with -v for more details.

So, we have to run all commands as root, of course.

sudo certbot certificates
[sudo] password for $user: 
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: subdomain.domain1.tld
    Serial Number: 4fd069779526c777a2eb1c4942b2f667d9c
    Key Type: ECDSA
    Domains: subdomain.domain1.tld
    Expiry Date: 2024-04-14 05:42:15+00:00 (VALID: 83 days)
    Certificate Path: /etc/letsencrypt/live/subdomain.domain1.tld/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/subdomain.domain1.tld/privkey.pem
  Certificate Name: subdomain.domain2.tld
    Serial Number: 416d2a324c0b160c5c74b9558015e30448a
    Key Type: ECDSA
    Domains: subdomain1.domain2.tld subdomain2.domain1.tld subdomain3.domain1.tld
    Expiry Date: 2024-02-25 19:58:05+00:00 (VALID: 35 days)
    Certificate Path: /etc/letsencrypt/live/subdomain.domain2.tld/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/subdomain.domain2.tld/privkey.pem
  Certificate Name: immich.bw1faeh0.dev
    Serial Number: 4d739b2d73a4fab1b1ca6f965880f061521
    Key Type: ECDSA
    Domains: subdomain3.domain1.tld
    Expiry Date: 2024-03-17 10:45:26+00:00 (VALID: 55 days)
    Certificate Path: /etc/letsencrypt/live/subdomain3.domain1.tld/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/subdomain3.domain1.tld/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

This will give you a list of all managed domains and their certificates.

To renew all certificates (if possible), just run certbot renew:

sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/meet.flaemig42.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/webmail.flaemig42.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for webmail.flaemig42.de
Using the webroot path /home/www/mail.flaemig42.de for all unmatched domains.
Waiting for verification...
Challenge failed for domain webmail.flaemig42.de
http-01 challenge for webmail.flaemig42.de
Cleaning up challenges
Attempting to renew cert (webmail.flaemig42.de) from /etc/letsencrypt/renewal/webmail.flaemig42.de.conf produced an unexpected error: Some challenges have failed.. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/wetter.flaemig42.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/webmail.flaemig42.de/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/meet.flaemig42.de/fullchain.pem expires on 2024-03-25 (skipped)
  /etc/letsencrypt/live/wetter.flaemig42.de/fullchain.pem expires on 2024-04-20 (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/webmail.flaemig42.de/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: webmail.flaemig42.de
   Type:   connection
   Detail: 37.120.178.27: Fetching
   https://bircloud.flaemig42.de/.well-known/acme-challenge/ci29emwfbUI4piVz0hUUPeCieeAkfLg56jQdkpH-9Z4:
   Timeout during connect (likely firewall problem) 

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Unfortunately my certificates are not due to renewal, so I can not get the output if they are going to be renewed. The one that is failing is by intention.

[SteveLauC]

Ok, looks good to me, we can add it, let me convert this to an issue and implement it when I have time, though I need a code review from you.