https://bugzilla.redhat.com/show_bug.cgi?id=1366355

--- Comment #13 from Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> ---

It's simpler to use:
%{?systemd_requires}
[https://fedoraproject.org/wiki/Packaging:Scriptlets#Systemd]

The scriptlets should refer to both units (acme-tiny.service and acme-tiny.timer). At least because when the package is uninstalled, both must be disabled and stopped.

Please add to the .service unit file:
[Install]
Also=acme-tiny.timer
This will make 'systemctl enable acme-tiny' do the expected thing.

WantedBy=network.target is wrong. It should be WantedBy=timers.target, which is the normal setting (see systemd.special(7)).

If you want, you can add "After=httpd.service nginx.service" to acme-tiny.service. (If those services are not installed or not started, this line will have no effect.)

When systemd is used, the dependency on cronie should be dropped. The mention of cron in %description should be removed too.

Drop the dependency on python. It'll be generated automatically (and correctly, i.e. for python3).

I think Suggests: httpd, mod_ssl, Enhances: httpd, mod_ssl, and maybe similarly for nginx should be added.

%setup + %patch0 -p1 → %autosetup -p1 ;)

Any chance I could convince you to rename the executable to acme-tiny? Having cert-check and acme_tiny is ugly. It's also less confusing when the main binary matches the package name.

I think you should provide Fedora-specific instructions. Upstream README contains a lot of non-relevant information about how to create a cron script, how to invoke the python script, etc. Also the paths are fixed (/var/lib/acme/*), and it would be easier if the instructions referred to them.

I started the service without creating any configuration. It failed:

Aug 22 04:43:59 fedora24 systemd[1]: Starting Check for acme certs about to expire...
Aug 22 04:43:59 fedora24 acme-tiny[15288]: Generating RSA private key, 4096 bit long modulus
Aug 22 04:43:59 fedora24 acme-tiny[15288]: ..................++
Aug 22 04:44:00 fedora24 acme-tiny[15288]: ...........................................................................++
Aug 22 04:44:00 fedora24 acme-tiny[15288]: e is 65537 (0x10001)
Aug 22 04:44:00 fedora24 acme-tiny[15288]: acme_tiny --account-key private/account.key --csr csr/*.csr --acme-dir /var/www/challenges/ --out certs/*.crt
Aug 22 04:44:00 fedora24 acme-tiny[15288]: Parsing account key...
Aug 22 04:44:00 fedora24 acme-tiny[15288]: Parsing CSR...
Aug 22 04:44:00 fedora24 acme-tiny[15288]: Traceback (most recent call last):
Aug 22 04:44:00 fedora24 acme-tiny[15288]: File "/usr/sbin/acme_tiny", line 213, in <module>
Aug 22 04:44:00 fedora24 acme-tiny[15288]: main(sys.argv[1:])
Aug 22 04:44:00 fedora24 acme-tiny[15288]: File "/usr/sbin/acme_tiny", line 209, in main
Aug 22 04:44:00 fedora24 acme-tiny[15288]: signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, chain=args.chain)
Aug 22 04:44:00 fedora24 acme-tiny[15288]: File "/usr/sbin/acme_tiny", line 70, in get_crt
Aug 22 04:44:00 fedora24 acme-tiny[15288]: raise IOError("Error loading {0}: {1}".format(csr, err))
Aug 22 04:44:00 fedora24 acme-tiny[15288]: OSError: Error loading csr/*.csr: b"csr/*.csr: No such file or directory\n139718301902712:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('csr/*.csr','r')\n139718301902712:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:\n"
Aug 22 04:44:00 fedora24 systemd[1]: Started Check for acme certs about to expire.

It looks like the script does not report failure properly. It should also report the error in a more readable way. I don't think the stack trace is useful.

In /var/lib/acme/certs/ I have a file called '*.tmp'. This does not look right ;)

Next, I created a file called /var/lib/acme/csr/domain.csr. I restarted the service, but again it failed, this time because I haven't actually started an HTTP server. The failure is expected, but the reporting could be improved:

Aug 22 05:23:02 fedora24 systemd[1]: Starting Check for acme certs about to expire...
Aug 22 05:23:02 fedora24 acme-tiny[15371]: acme_tiny --account-key private/account.key --csr csr/domain.csr --acme-dir /var/www/challenges/ --out certs/domain.crt
Aug 22 05:23:02 fedora24 acme-tiny[15371]: Parsing account key...
Aug 22 05:23:02 fedora24 acme-tiny[15371]: Parsing CSR...
Aug 22 05:23:02 fedora24 acme-tiny[15371]: Registering account...
Aug 22 05:23:03 fedora24 acme-tiny[15371]: Registered!
Aug 22 05:23:03 fedora24 acme-tiny[15371]: Verifying fedora24.in.waw.pl...
Aug 22 05:23:03 fedora24 acme-tiny[15371]: Traceback (most recent call last):
Aug 22 05:23:03 fedora24 acme-tiny[15371]: File "/usr/lib64/python3.5/urllib/request.py", line 1240, in do_open
Aug 22 05:23:03 fedora24 acme-tiny[15371]: h.request(req.get_method(), req.selector, req.data, headers)
Aug 22 05:23:03 fedora24 acme-tiny[15371]: File "/usr/lib64/python3.5/http/client.py", line 1083, in request
Aug 22 05:23:03 fedora24 acme-tiny[15371]: self._send_request(method, url, body, headers)
Aug 22 05:23:03 fedora24 acme-tiny[15371]: File "/usr/lib64/python3.5/http/client.py", line 1128, in _send_request
Aug 22 05:23:03 fedora24 acme-tiny[15371]: self.endheaders(body)
Aug 22 05:23:03 fedora24 acme-tiny[15371]: File "/usr/lib64/python3.5/http/client.py", line 1079, in endheaders
Aug 22 05:23:03 fedora24 acme-tiny[15371]: self._send_output(message_body)
Aug 22 05:23:03 fedora24 acme-tiny[15371]: File "/usr/lib64/python3.5/http/client.py", line 911, in _send_output
Aug 22 05:23:03 fedora24 acme-tiny[15371]: self.send(msg)
Aug 22 05:23:03 fedora24 acme-tiny[15371]: File "/usr/lib64/python3.5/http/client.py", line 854, in send
Aug 22 05:23:03 fedora24 acme-tiny[15371]: self.connect()
Aug 22 05:23:03 fedora24 acme-tiny[15371]: File "/usr/lib64/python3.5/http/client.py", line 826, in connect
Aug 22 05:23:03 fedora24 acme-tiny[15371]: (self.host,self.port), self.timeout, self.source_address)
Aug 22 05:23:03 fedora24 acme-tiny[15371]: File "/usr/lib64/python3.5/socket.py", line 711, in create_connection
Aug 22 05:23:03 fedora24 acme-tiny[15371]: raise err
Aug 22 05:23:03 fedora24 acme-tiny[15371]: File "/usr/lib64/python3.5/socket.py", line 702, in create_connection
Aug 22 05:23:03 fedora24 acme-tiny[15371]: sock.connect(sa)
Aug 22 05:23:03 fedora24 acme-tiny[15371]: ConnectionRefusedError: [Errno 111] Connection refused
Aug 22 05:23:03 fedora24 acme-tiny[15371]: During handling of the above exception, another exception occurred:
Aug 22 05:23:03 fedora24 acme-tiny[15371]: Traceback (most recent call last):
Aug 22 05:23:03 fedora24 acme-tiny[15371]: File "/usr/sbin/acme_tiny", line 117, in get_crt
Aug 22 05:23:03 fedora24 acme-tiny[15371]: resp = urlopen(wellknown_url)
Aug 22 05:23:03 fedora24 acme-tiny[15371]: File "/usr/lib64/python3.5/urllib/request.py", line 162, in urlopen
Aug 22 05:23:03 fedora24 acme-tiny[15371]: return opener.open(url, data, timeout)
Aug 22 05:23:03 fedora24 acme-tiny[15371]: File "/usr/lib64/python3.5/urllib/request.py", line 465, in open
Aug 22 05:23:03 fedora24 acme-tiny[15371]: response = self._open(req, data)
Aug 22 05:23:03 fedora24 acme-tiny[15371]: File "/usr/lib64/python3.5/urllib/request.py", line 483, in _open
Aug 22 05:23:03 fedora24 acme-tiny[15371]: '_open', req)
Aug 22 05:23:03 fedora24 acme-tiny[15371]: File "/usr/lib64/python3.5/urllib/request.py", line 443, in _call_chain
Aug 22 05:23:03 fedora24 acme-tiny[15371]: result = func(*args)
Aug 22 05:23:03 fedora24 acme-tiny[15371]: File "/usr/lib64/python3.5/urllib/request.py", line 1268, in http_open
Aug 22 05:23:03 fedora24 acme-tiny[15371]: return self.do_open(http.client.HTTPConnection, req)
Aug 22 05:23:03 fedora24 acme-tiny[15371]: File "/usr/lib64/python3.5/urllib/request.py", line 1242, in do_open
Aug 22 05:23:03 fedora24 acme-tiny[15371]: raise URLError(err)
Aug 22 05:23:03 fedora24 acme-tiny[15371]: urllib.error.URLError: <urlopen error [Errno 111] Connection refused>
Aug 22 05:23:03 fedora24 acme-tiny[15371]: During handling of the above exception, another exception occurred:
Aug 22 05:23:03 fedora24 acme-tiny[15371]: Traceback (most recent call last):
Aug 22 05:23:03 fedora24 acme-tiny[15371]: File "/usr/sbin/acme_tiny", line 213, in <module>
Aug 22 05:23:03 fedora24 acme-tiny[15371]: main(sys.argv[1:])
Aug 22 05:23:03 fedora24 acme-tiny[15371]: File "/usr/sbin/acme_tiny", line 209, in main
Aug 22 05:23:03 fedora24 acme-tiny[15371]: signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, chain=args.chain)
Aug 22 05:23:03 fedora24 acme-tiny[15371]: File "/usr/sbin/acme_tiny", line 123, in get_crt
Aug 22 05:23:03 fedora24 acme-tiny[15371]: wellknown_path, wellknown_url))
Aug 22 05:23:03 fedora24 acme-tiny[15371]: ValueError: Wrote file to /var/www/challenges/yl3q4gBjRLn8SjdQ5d_EtnGR1ZJy1QYvrx4P6jr0NfA, but couldn't download http://fedora24.in.waw.pl/.well-known/acme-challenge/yl3q4gBjRLn8SjdQ5d_EtnGR1ZJy1QYvrx4P6jr0NfA

Again, those tracebacks are not useful to the end user. In particular, it does not say *where* it tried to connect in the traceback.

Your instructions don't discuss how to feed the certificate back to httpd. Shouldn't the snippets for httpd configuration override SSLCertificateKeyFile, SSLCertificateFile? Or is this supposed to be done somehow differently? How do you solve permission issues?

Finally, your script could generate a csr for the FQDN. This would simplify things, because the user would not need to do this step by hand. It would be actually great to be able to install this package on a new server and have it work automatically without any manual steps.
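Added example, not part of the original comment or of the package under review: a renewal loop that avoids the two failure modes visible in the first log, an unmatched `csr/*.csr` glob passed on literally (leaving `certs/*.tmp` behind) and a failed run that systemd still logs as "Started" because the wrapper exits 0. The function name `renew_all` and the `ISSUE_CMD` hook are hypothetical; the `csr/` and `certs/` layout is taken from the log.

```shell
#!/bin/sh
# Hypothetical wrapper (added example). ISSUE_CMD is an assumed hook that
# stands in for the ACME client call: it receives the CSR path as its last
# argument and must print the signed certificate on stdout.

renew_all() {
    base=$1      # working directory holding csr/ and certs/
    found=0
    failed=0
    for csr in "$base"/csr/*.csr; do
        # With no match the shell leaves the pattern as the literal string
        # "csr/*.csr"; skip it rather than hand it to the client.
        [ -f "$csr" ] || continue
        found=1
        name=$(basename "$csr" .csr)
        # Write to a private temp file so a failed run never replaces a
        # certificate that is still valid.
        tmp=$(mktemp "$base/certs/$name.XXXXXX") || return 1
        if $ISSUE_CMD "$csr" > "$tmp" && [ -s "$tmp" ]; then
            mv -f "$tmp" "$base/certs/$name.crt"
        else
            # One readable line for the journal instead of a traceback.
            echo "renewal failed for $csr" >&2
            rm -f "$tmp"
            failed=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no CSR found in $base/csr, nothing to renew" >&2
        return 2
    fi
    # Non-zero here is what lets systemd mark the unit as failed.
    return "$failed"
}
```
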