Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Remote filesystems /w Docker] Another Certbot instance is already running #116

Open
sertys3 opened this issue Aug 8, 2020 · 2 comments
Open

[Remote filesystems /w Docker] Another Certbot instance is already running #116

sertys3 opened this issue Aug 8, 2020 · 2 comments

Comments

@sertys3
Copy link

sertys3 commented Aug 8, 2020

Dear all,
thanks for the wonderful work on dnsrobocert. Implemented the project recently into my deployment orchestration. But ran into an issue that others might face.
Since i'm keeping certificates on a glusterfs filesystem mounter over NFS for HA between orchestrators, saw some issues when mounting the volume over /etc/letsencrypt .
Looks like without dwelving into too much detail keeping lock files on remote filesystems is not the best idea. Once i moved the volume to the NFS share certbot was unable to validate ownership of the lockfile( either in /etc/letsencrypt/.certbot.lock or /etc/letsencrypt/logs/.certbot.lock ) and spitted errors like :
Another Certbot instance is already running

The workaround for me was to mount the individual subfolders in /etc/letsencrypt(in docker-compose.yml) like so :
dnsrobocert:
image: adferrand/dnsrobocert
container_name: dnsrobocert
environment:
CONFIG_PATH: /etc/letsencrypt/dnsrobocert.yml
volumes:
- ./configs/letsencrypt/archive:/etc/letsencrypt/archive
- ./configs/letsencrypt/live:/etc/letsencrypt/live
- ./configs/letsencrypt/keys:/etc/letsencrypt/keys
- ./configs/letsencrypt/accounts:/etc/letsencrypt/accounts
- ./configs/letsencrypt/dnsrobocert.yml:/etc/letsencrypt/dnsrobocert.yml
restart: always

This way the lock files are held on the container storage and certbot no longer complains.

Hope this helps the community.
Regards,
Daniel
@adferrand
Copy link
Owner

Hello Daniel !

Thanks for the report. Indeed, certbot uses lock files to ensure that only instance of certbot is running. For the record, I am part of the dev team of certbot, and I had in mind for a long time some improvements to do for lock files, and more generally for situations where certbot is acting more like a library.

But at this time, there is no way to customize that, so your workaround is the best so far.

If you want, you can open an issue on the certbot repository to report about bad behavior of lock files on remote filesystem, it would give more concrete arguments to start some refactorings here.

@qqilihq
Copy link

qqilihq commented Mar 24, 2022

Interesting topic -- I just noticed (by accident), that DNSroboCert creates mentioned log file while running certificate renewal.

Our setup is similar to @sertys3 -- we share the data and certificates via NFS so that it's available on our clustered reverse proxy instances.

So far, I just made sure, that only one single DNSroboCert instance was running cluster-wide. However, with that lock file, this would probably not even be needed, as DNSroboCert would synchronize itself, which in turn would simplify our setup and make it more robust.

@sertys3 mentions “lock files on remote filesystems is not the best idea”. Does this still apply? Any experience with running DNSroboCert in a clustered mode or is this something to avoid?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@qqilihq @adferrand @sertys3