Cockpit: SSL/TLS certificate update is not complete (no problem with Nethgui)

Is it normal that Cockpit does not work completely?

@davidep, @giacomo: In a previous message, I sent logs showing the problem in Cockpit and the log for Nethgui, which works.

Can you now move (again) this ticket to the bugs section, because there is a bug?

I think Marc gave you a good answer. I’d like to set it as solution.

I have Firefox 70. I’ll possibly check how it works with it.

No, the problem is when we edit “update” the SSL/TLS certificate:

Do you mean reloading/restarting additional services?

Yes, the process is not finished (not complete); you can see the log (difference between Nethgui and Cockpit).
-> S20nethserver-cockpit-conf must launch after S99nethserver-httpd-admin-asyncreload.

OK, if you’re referring to the reload/restart of services, I think most probably it is a bug. The log helped. Thanks.
Please, next time try to be more specific about the problem from the beginning, otherwise unclear sentences or incomplete description (cut-off, not complete) can be interpreted in different ways and others have to guess their meaning, and in the meantime time is lost.

For me, it was clear: The connection between computer manager and the server has been cut off because the service has been reloaded before the end of process.

It seems for others it was not so clear. At least it wasn’t for me.

Yes it is a reproducible bug, as reported by @Neustradamus.

To fix it I propose to remove the cockpit service restarts from this action:

[root@vm5 ~]# find  /etc/e-smith/events/ | grep cockpit-conf
/etc/e-smith/events/actions/nethserver-cockpit-conf
/etc/e-smith/events/certificate-update/S20nethserver-cockpit-conf
/etc/e-smith/events/nethserver-cockpit-update/S20nethserver-cockpit-conf

The cockpit service uses systemd socket activation. Its server process terminates when the last user session ends, and is spawned from scratch when a new connection is established on port 9090.

I think there’s no hurry to restart the server process during a certificate generation.

Possibly we don’t even need to restart it during the update event.

What do you think @giacomo @edoardo_spadoni?

I could agree, but I for sure expect many support requests like “I’ve configured Let’s Encrypt but I still see the old certificate on cockpit”.
We had plenty of such requests on the NethGUI when the reload async fails.

Probably I prefer the current behavior but less support requests.
Maybe @nrauso or @filippo_carletti have different opinions.

Meanwhile I filed the bug report:

My solution proposal is

  1. remove the restart of cockpit-ws, to avoid the session cut off
  2. display a warning, trying to explain that to prevent disconnection the new certificate is applied to cockpit itself 90 seconds after all sessions are closed.

I confirm that this is a bug. When I change the certificate with NethGUI, the problem described here Nethserver-Reports (Nethesis-Dante) page fails with original NS-Certificates is gone. When I change the cert with cockpit, the problem exists.

Thanks for the progress on it.

This is the proposal for the UI message, stating - hey don’t expect the certificate is applied immediately here

The same Notice is displayed on every modal dialog that changes the current certificate.

Can you see how to improve it?

Would it be good for you to have a button for forcing disconnection?

Is it for all certificate generations? Not only Let’s Encrypt?

  • Self-signed certificate

Yes, it fixes cert updates and that includes self signed ones.

This is a good idea, but I don’t know if it is worth the effort.

For all, the fix is now in testing: could you check it out?

Verified!
