Support for certbot snap installation mode
RolandVExp opened this issue · comments
Hello, first, thanks a lot for your plugin.
I've been using it for a long time along with a certbot-auto installation.
This kind of installation is unfortunately no longer available for my OS (Debian).
So I have to switch to the officially supported "snap" installation mode described here
The problem is I don't know how to install your plugin with this mode.
pip install certbot-plugin-gandi
does work but is not detected by the snap installation
Can you please help me?
Thanks!
Maybe the plugin has to be updated with those instructions: Writing your own plugin snap
Hi @RolandVExp,
I also needed this feature so I built my own snap using the instructions given in https://github.com/certbot/certbot/tree/master/tools/snap.
I had to tweak it a bit to adapt it to this plugin and I also had to make some changes to the setup.py, that's why I am pulling from my fork. I'll share what I changed from the original post:
Building Certbot Snap : Gandi plugin
Local Testing and Development
These instructions are recommended when testing anything about the snap setup for ease of debugging. The architecture of the built snap is limited to the architecture of the system it is built on.
Initial VM Set Up
These steps need to be done once to set up your VM and do not need to be run again to rebuild the snap.
- Start with a Focal VM. You need a full virtual machine using something like DigitalOcean, EC2, or VirtualBox. Docker won't work. Another version of Ubuntu can probably be used, but Focal was used when writing these instructions.
- Set up a user other than root with sudo privileges for use with snapcraft and run all of the following commands with it. A command to do this for a user named certbot looks like
  adduser certbot && usermod -aG sudo certbot && su - certbot
- Install git and python with
  sudo apt update && sudo apt install -y git python
- Set up lxd for use with snapcraft by running
  sudo snap install lxd && sudo /snap/bin/lxd.migrate -yes; sudo /snap/bin/lxd waitready && sudo /snap/bin/lxd init --auto
  (errors here are ok; it may already have been installed on your system).
- Add your current user to the lxd group and update your shell to have the new assignment by running
  sudo usermod -a -G lxd ${USER} && newgrp lxd
- Install snapcraft with
  sudo snap install --classic snapcraft
- cd ~
  (or any other directory where you want our source files to be)
- Run
  git clone git://github.com/certbot/certbot
- cd certbot
  (All further instructions are relative to this directory.)
Certbot Snap
Reset the Environment
If the snap has been built before, the instructions below clean up the build environment so it can reliably be used again.
snapcraft clean --use-lxd
[Optional] mv certbot_*_amd64.snap certbot_amd64.snap.bak
Build the Certbot Snap
These are the steps to build and install the Certbot snap. If you have run these steps before, you may want to run the commands in the section above to clean things up or save a previous build before building the snap again (running snapcraft again will overwrite the previous snap).
- Run
  snapcraft --use-lxd
- Install the generated snap with
  sudo snap install --dangerous --classic certbot_*_amd64.snap
  You can transfer the snap to a different machine to run it there instead if you prefer.
Run
Run Certbot as normal. For example, certbot plugins should display the Apache and Nginx plugins.
Certbot Plugin Snaps
These instructions use the certbot-dns-gandi plugin as an example, but all of Certbot's other plugin snaps can be built in the same way.
Reset the Environment
If the plugin snap has been built before, the instructions below clean up the build environment so it can reliably be used again.
- git clone git://github.com/kalemontes/certbot-plugin-gandi
- [Optional] mv certbot-plugin-gandi/ certbot-dns-gandi
- cd certbot-dns-gandi
- snapcraft clean --use-lxd
- [Optional] mv certbot-dns-gandi_*_amd64.snap certbot-dns-gandi_amd64.snap.bak
- cd ..
Build a Certbot Plugin Snap
These are the steps to build and install the Certbot Gandi plugin snap. If you have run these steps before, you may want to run the commands in the section above to clean things up or save a previous build before building the snap again (running snapcraft again will overwrite the previous snap).
- Run
  tools/snap/generate_dnsplugins_all.sh
  to generate all necessary files for all plugin snaps.
- cd certbot-dns-gandi
- snapcraft --use-lxd
- Run
  sudo snap set certbot trust-plugin-with-root=ok
- Install the generated snap with
  sudo snap install --dangerous certbot-dns-gandi_*_amd64.snap
  (for me it was
  sudo snap install --dangerous certbot-dns-gandi_1.2.5_amd64.snap
  ). Again, you can transfer the snap to a different machine to run it there instead if you prefer.
- Connect the plugin with
  sudo snap connect certbot:plugin certbot-dns-gandi
- Connect the plugin metadata with
  sudo snap connect certbot-dns-gandi:certbot-metadata certbot:certbot-metadata
- Install the plugin again to test refresh; if the plugin's hook creates any logs, they are at /var/snap/certbot-dns-gandi/current/debuglog.
Run
Run Certbot as normal. For example, certbot plugins should display the Gandi plugin as installed.
So
certbot plugins | grep dns-gandi
displays

certbot@vagrant:~/certbot/certbot-dns-gandi$ certbot plugins | grep dns-gandi
* dns-gandi
Entry point: dns-gandi = certbot_plugin_gandi.main:Authenticator

I had to add the option
-a dns-gandi
in order to “specify a combination of distinct authenticator and installer plugins” (using --dns-gandi didn’t work for me), so
certbot certonly --noninteractive --agree-tos -a dns-gandi --dns-gandi-credentials /etc/letsencrypt/gandi.ini --email mail@mailexample.com -d *.mydomain.com
displays

certbot@vagrant:~/certbot/certbot-dns-gandi$ certbot certonly --noninteractive --agree-tos -a dns-gandi --dns-gandi-credentials /etc/letsencrypt/gandi.ini --email mail@mailexample.com -d *.mydomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-gandi, Installer None
Requesting a certificate for *.mydomain.com
Performing the following challenges:
dns-01 challenge for mydomain.com
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/mydomain.com/privkey.pem
  Your cert will expire on 2021-03-15. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
  Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  Donating to EFF: https://eff.org/donate-le

Info: change
--email mail@mailexample.com -d *.mydomain.com
with your own.
It would be great if the snap was provided out of the box, but I don't know how to publish, and I would leave this task to @obynio.
Hello guys, sorry for not responding 🙏 I'm not a big fan of the snap package system but I'll try to dedicate a bit of time to build this snap.
Thanks for providing detailed instructions @kalemontes that will be very helpful 👍
Thanks a lot @kalemontes for these instructions!
@obynio you might want to include a warning in the README that using your instructions will install certbot via pip (e.g. in /usr/local/bin/certbot) and this will conflict with the snap version of certbot (which is now the preferred version and requires that you delete all other versions). This can lead to confusing setups with different plugins for each version (e.g. I ended up with a local version of certbot with the certbot-dns-gandi plugin but no Apache installer, alongside the snap version of certbot having all the standard plugins but not the certbot-dns-gandi plugin).
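The conflict described in the comment above (a pip-installed certbot, e.g. in /usr/local/bin, next to the snap one) can be detected by listing every certbot on the PATH in resolution order. This is an added example, not part of the thread or of the plugin's code; the function names are hypothetical, and /snap/bin as the location of snap commands and the origin labels are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find every certbot on a PATH-style
# string, in resolution order, and flag the pip-vs-snap conflict.
# Function names are hypothetical; /snap/bin is assumed for snap commands.

# classify_certbot FILE -> "snap", "pip-or-local" or "other"
classify_certbot() {
    case "$1" in
        /snap/bin/*) echo snap ;;
        /usr/local/bin/*|"$HOME"/.local/bin/*) echo pip-or-local ;;
        *) echo other ;;
    esac
}

# list_certbots [PATH_STRING] -> one "origin<TAB>file" line per executable
list_certbots() {
    search_path=${1:-$PATH}
    old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while splitting on ':'
    set -- $search_path
    set +f
    IFS=$old_ifs
    for dir in "$@"; do
        [ -n "$dir" ] || continue
        if [ -f "$dir/certbot" ] && [ -x "$dir/certbot" ]; then
            printf '%s\t%s\n' "$(classify_certbot "$dir/certbot")" "$dir/certbot"
        fi
    done
}

# check_certbot_conflict [PATH_STRING] -> 0 if at most one certbot, else 1
check_certbot_conflict() {
    found=$(list_certbots "${1:-$PATH}")
    if [ -z "$found" ]; then
        echo "no certbot executable found"
        return 0
    fi
    printf '%s\n' "$found"
    count=$(printf '%s\n' "$found" | wc -l | tr -d ' ')
    if [ "$count" -gt 1 ]; then
        echo "WARNING: $count certbot executables; the first one listed runs"
        return 1
    fi
    return 0
}

check_certbot_conflict "$PATH" || echo "remove the copies you do not use"
```

Running `certbot plugins` with each listed path shows which copy actually has the dns-gandi plugin registered.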
Ah, this makes sense! I'm still getting unrecognized arguments: --dns-gandi-credentials. Would love snap support, but my certificate expires in several hours, so I'll try to get it together with pip for now.
Remember: always save chores til the last minute so when APIs change and scripts stop working you can feel alive again.
@obynio Is it me or can this plugin not be installed with snapd?
Is it possible to re-open this issue?
Regards
It cannot for now. I haven't been working on it yet.