Comments (6)
Keeline
commented on September 17, 2024
1
We have had this issue from time to time. A partially-created or missing pem file will cause hitch to crash upon restart. Usually this is followed by a scramble to identify the offending line from the service hitch status and comment it out of the hitch.conf and restart hitch.
We have other servers where SSL is terminated with nginx. An nginx -t is fairly robust to check the configuration files and will report on missing or flawed files before we attempt to restart nginx.
The equivalent hitch -t only seems to check that the hitch.conf is syntactically correct. This is only part of the issue. It certainly knows there is a problem when it attempts to restart. Why not some kind of dry run option to prevent problems?
I wrote a small script to at least check and see that the file mentioned in the pem lines exists.
James D. Keeline
#!/bin/bash
HITCH=/etc/hitch/hitch.conf
ERR=0
hitch -t || ERR=1
for PEM in $(grep ^pem $HITCH | awk -F'"' '{print $2}')
do
if [ ! -f "$PEM" ]; then
echo "$PEM missing"
ERR=2
fi
done
if [ $ERR -gt 0 ]; then
echo "Errors found [$ERR]. Do not restart hitch."
exit 1
else
echo "Scan of $HITCH done. It should be OK to restart hitch."
fi
from hitch.
dgaastra
commented on September 17, 2024
1
Thanks for the script, but we really need the hitch developers to "Just ignore the faulty pem file but keep on running with the correct ones."
from hitch.
gquintard
commented on September 17, 2024
from hitch.
daghf
commented on September 17, 2024
Apologies for taking my time in getting back to you here.
I'm sorry to say I'm struggling to reproduce this - even when trying 1.6.1. Adding bogus files to a pem-dir or adding a pem-file entry pointing at a missing file just yields Config reload failed with the service still running on the previous config.
Any way you could come up with a reproducer?
from hitch.
dgaastra
commented on September 17, 2024
Hi Dag, thanks for looking into this. We have
pem-dir = "/htdocs/admin/lego/certificates"
pem-dir-glob = "*.pem"
Our PEMs are typically in the following format:
-----BEGIN CERTIFICATE-----
C1...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
C2...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
C3...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
P1
-----END RSA PRIVATE KEY-----
-----BEGIN DH PARAMETERS-----
D1
-----END DH PARAMETERS-----
-----BEGIN DH PARAMETERS-----
D2
-----END DH PARAMETERS-----
Try to leave one or more of the sections C1-C3 or P1 or D1-2 out and see what happens. I don't exactly remember the bogus PEM in great detail, however, next time, will take a note of it when it happens again. Maybe try with leaving P1 out.
Thanks so kindly,
Dennis
from hitch.
iammeken
commented on September 17, 2024
Normally, I will run
hitch -t--config=/etc/hitch/hitch.conf
to check all certs before reload/restart
from hitch.
Related Issues (20)
- Feature Request - wildcard in file-names HOT 3
- wasm support? HOT 2
- Openssl 3 support planned? HOT 7
- Static fchown instead of permission check
- Github releases not up to date HOT 1
- Unable to start Hitch using service hitch start but can using manual methof HOT 2
- reload hitch cause memory big increase: read all certificates into memory and then never released it? HOT 7
- Any plan to support for h3? HOT 1
- browser oddity when using Let's Encrypt with 2 FQDNs HOT 1
- kTLS suuport HOT 1
- feature request - command args for "client-verify" and "client-verify-ca"
- feature request - sub config file
- After system reboot Hitch binds only to TCP v6
- Unrecognized command-line option '--backend-refresh' HOT 1
- tarballs don't include build instructions
- tarballs don't include init/service scripts HOT 1
- Feature request: 0-RTT (TLS Early Data) support
- Hitch v1.8.0 won't compile on macOS
- OCSP refresh - seems to break connections afterwards HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from hitch.