Issue
LetsEncrypt Log Rotation
Due to a bug on my son's Pixel 3, I had to do a bit of work on my email service to configure the SSL cert provided by LetsEncrypt. Thank you for the help in Using Let's Encrypt Certificates for Mail.
As I was doing the above work I noticed that there were an awful lot of logs for LetsEncrypt on my server. I decided to do a bit of digging to find the source of the rotation. I think I found where the setting for the rotation is in the code: /usr/clearos/apps/lets_encrypt/libraries/Lets_Encrypt.php
///////////////////////////////////////////////////////////////////////////////
// C O N S T A N T S
///////////////////////////////////////////////////////////////////////////////

const PATH_CERTIFICATES = '/etc/letsencrypt/live';
const COMMAND_CERTBOT = '/usr/bin/certbot';
const FILE_CERT = 'cert.pem';
const FILE_LOG_PREFIX = 'lets-encrypt-';
const FILE_APP_CONFIG = '/etc/clearos/lets_encrypt.conf';

///////////////////////////////////////////////////////////////////////////////
// V A R I A B L E S
///////////////////////////////////////////////////////////////////////////////

protected $is_loaded = FALSE;
protected $config = array();
protected $max_logs = 200;
protected $daemon_list = ['httpd', 'nginx'];

...

/**
 * Renews certificates.
 *
 * This basically runs "certbot renew" but does some firewall,
 * Apache, and NGINX checks.
 *
 * @param boolean $auto flag if renew is called automatically via cron
 *
 * @return void
 * @throws Engine_Exception
 */
public function renew($auto = FALSE)
{
    clearos_profile(__METHOD__, __LINE__);

    if ($auto && !$this->get_auto_renew_state())
        return;

    if (!$this->renew_required()) {
        clearos_log('lets_encrypt', lang('lets_encrypt_renew_not_required'));
        return;
    }

    // Manage daemons and firewall on port 80
    //---------------------------------------

    $daemon_states = $this->_disengage_daemons();
    $incoming_state = $this->_disengage_incoming_firewall();
    $forwarding_rules = $this->_disengage_port_forwarding();

    // Run certbot renew
    //------------------

    $options['validate_exit_code'] = FALSE;

    $shell = new Shell();
    $retval = $shell->execute(
        self::COMMAND_CERTBOT,
        'renew --standalone ' .
        '--max-log-backups ' . $this->max_logs . ' ' .
        '--preferred-challenges http-01 ' .
        '--renew-hook "/sbin/trigger lets_encrypt"',
        TRUE,
        $options
    );

    $message = ($retval == 0) ? lang('lets_encrypt_renew_succeeded') : lang('lets_encrypt_renew_failed');
    $logs = $shell->get_output();

    clearos_log('lets_encrypt', $message);
    foreach ($logs as $log)
        clearos_log('lets_encrypt', $log);

    // Manage daemons and firewall on port 80
    //---------------------------------------

    $this->_engage_incoming_firewall($incoming_state);
    $this->_engage_port_forwarding($forwarding_rules);
    $this->_engage_daemons($daemon_states);
}
Also here is the version that I am running:
Installed Packages
certbot.noarch 0.21.1-1.el7 @clearos-epel
python2-certbot.noarch 0.21.1-1.el7 @clearos-epel
python2-certbot-apache.noarch 0.21.1-1.el7 @clearos-epel
Available Packages
certbot.noarch 0.27.1-1.el7 clearos-epel
python2-certbot.noarch 0.27.1-1.el7 clearos-epel
python2-certbot-apache.noarch 0.27.1-1.el7 clearos-epel
python2-certbot-dns-cloudflare.noarch 0.27.1-1.el7 clearos-epel
python2-certbot-dns-cloudxns.noarch 0.27.1-1.el7 clearos-epel
python2-certbot-dns-digitalocean.noarch 0.27.1-1.el7 clearos-epel
python2-certbot-dns-dnsimple.noarch 0.27.1-1.el7 clearos-epel
python2-certbot-dns-dnsmadeeasy.noarch 0.27.1-1.el7 clearos-epel
python2-certbot-dns-gehirn.noarch 0.27.1-1.el7 clearos-epel
python2-certbot-dns-google.noarch 0.27.1-1.el7 clearos-epel
python2-certbot-dns-linode.noarch 0.27.1-1.el7 clearos-epel
python2-certbot-dns-luadns.noarch 0.27.1-1.el7 clearos-epel
python2-certbot-dns-nsone.noarch 0.27.1-1.el7 clearos-epel
python2-certbot-dns-ovh.noarch 0.27.1-1.el7 clearos-epel
python2-certbot-dns-rfc2136.noarch 0.27.1-1.el7 clearos-epel
python2-certbot-dns-route53.noarch 0.27.1-1.el7 clearos-epel
python2-certbot-dns-sakuracloud.noarch 0.27.1-1.el7 clearos-epel
python2-certbot-nginx.noarch 0.27.1-1.el7 clearos-epel
In the code the parameter for /usr/bin/certbot: --max-log-backups is set to 200. I currently have many more files than that setting. I am not running the latest version and I am not in a good position to test an updated container. Is anyone else having the same issue?
Responses (7)
-
Accepted Answer
Thanks for the heads up. There are a number of log files in my /var/log/letsencrypt folder. You could add a line entry at the top of /etc/logrotate.d/syslog looking something like this:
/var/log/letsencrypt/letsencrypt.log
and it'll rotate them out of your system based on what's in /etc/logrotate.conf.
Test it out at your shell prompt with
logrotate -f /etc/logrotate.d/syslog
-
Accepted Answer
Thanks Dirk, it seems that the default is 1000: Log Rotation. I hope the default still works? Indeed, an entry in logrotate is probably the best alternative for now.
-
Accepted Answer
Hello Philippe,
This is a known bug. Ages ago I pointed out that the number of logs kept was 1000 and it was fixed by adding max_logs to the code. Unfortunately they forgot to add the max_logs to the create and delete certificates bits as well. It may be needed elsewhere.
When investigating this I then bumped into an upstream issue where, if max_logs is set to, say, 200, when it pushes 200 to 201 and deletes it, it does not delete any logs > 201, so the logs never reduce back to 200. You will probably notice a date skip between 200 and 201. Just delete anything greater than 200. The bug was accepted upstream but there were no volunteers to fix it.
I would suggest not using logrotate as it will cut across what letsencrypt/certbot does and may look very odd if you use the timestamp suffixes of logrotate (I don't) - it would depend if logrotate ran before or after letsencrypt. It may be more appropriate to use tmpwatch in a cron.daily or cron.weekly, or even more basically, in cron.daily do something like:
rm -f /var/log/letsencrypt/letsencrypt.log.20?
If you run it daily, it is unlikely you'll have more than 9 extra logs. If you think you will, try:
rm -f /var/log/letsencrypt/letsencrypt.log.2??
Don't use a * or you risk losing .2 and .20.
-
Accepted Answer
Mr. Nick,
Nice to hear from you. Now that you mention it I think I remember vaguely this issue being investigated, not fun getting old. I was thinking of using the rotate facility to delete the logs without the rotation. Any thoughts?
/var/log/letsencrypt/letsencrypt.log {
daily
rotate 0
firstaction
/usr/bin/find /var/log/letsencrypt/ -name "letsencrypt.log.*" -mtime +200 -delete
endscript
nocreate
missingok
notifempty
}
-
Accepted Answer
I have a bits_and_pieces file in both cron.daily and cron.weekly (executable) so I'd initially prune the logs manually then just go for my one liner:
rm -f /var/log/letsencrypt/letsencrypt.log.2??
I am not good with the find command and any exec arguments.
If you wanted a tmpwatch example, I clear out my trash folders in my shares (I don't use flexshares) with a cron.daily.bits_and_pieces line:
# Empty Trash
tmpwatch 30d --all -m -q /shares/*/.trash/
It should be easy to adapt that.
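As an added example, not code from this thread or from ClearOS/certbot, the script below prunes certbot log backups above a limit by comparing the numeric suffix instead of relying on the "20?"/"2??" glob width discussed in Nick's two replies; it assumes certbot's letsencrypt.log.N naming, and the sample directory it builds is constructed to reproduce the 200/201 gap described above.

```shell
#!/bin/sh
# Added example (not from the thread or from ClearOS/certbot): remove certbot
# log backups whose numeric suffix is greater than a limit. A numeric compare
# avoids the glob pitfalls from the thread ("*" also hits .2 and .20, "2??"
# only covers 200-299) and catches the stragglers above the limit that the
# rotation bug leaves behind. Assumes certbot's letsencrypt.log.N naming.

prune_certbot_logs() {
    dir="$1"
    max="$2"
    removed=0
    for f in "$dir"/letsencrypt.log.*; do
        [ -e "$f" ] || continue             # glob did not expand: nothing to do
        suffix="${f##*.}"
        case "$suffix" in                   # keep non-numeric suffixes (.old, .gz)
            ''|*[!0-9]*) continue ;;
        esac
        if [ "$suffix" -gt "$max" ]; then
            rm -f -- "$f"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"                         # number of backups removed
}

# Constructed sample directory reproducing the gap the thread describes:
# .200 present, .201 missing, and .202/.250 stragglers that never get pruned.
make_sample_logdir() {
    d=$(mktemp -d)
    : > "$d/letsencrypt.log"
    : > "$d/letsencrypt.log.old"            # non-numeric suffix, must survive
    for n in 1 2 20 199 200 202 250; do
        : > "$d/letsencrypt.log.$n"
    done
    echo "$d"
}

# Demonstration on the constructed sample; run with "--demo" as first argument.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_logdir)
    echo "removed $(prune_certbot_logs "$sample" 200) backup(s); remaining:"
    ls "$sample"
    rm -rf "$sample"
fi
```

Pointed at /var/log/letsencrypt with a limit of 200 from cron.daily, it leaves .1 to .200 alone and removes only the files certbot's own rotation has stopped deleting.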