From 009e07b2328985f9b4f810e98de01d509bf24440 Mon Sep 17 00:00:00 2001 From: Sunil Mohan Adapa Date: Sat, 14 Mar 2026 04:12:42 -0700 Subject: [PATCH] letsencrypt: Don't perform operations on apps that are not installed Fixes: #2568. When Let's Encrypts events are fired for all applications, they happen on apps that install as well. They have not been a problem so far because seem to succeed always. However, ejabberd recently changed to having '*' for list of domains accepted and also has non-root account for certificate ownership. This combination causes a certificate operation to fail as the package 'ejabberd' is not installed and 'ejabberd' user is not available. Fix this by making limiting certificate operations to apps that have been installed. Tests: - Add a new domain name to a production FreedomBox using the Dynamic DNS 'tester' account. 'ejabberd' app should not be installed. LE events fire and a log message showing failure is noticed. All the events after the failure for other apps also succeed. The failure is a minor and contained to ejabberd. - Apply the patch and revoke the certificate. LE event is fired on all other installed apps but not on ejabberd. No error is logged. Signed-off-by: Sunil Mohan Adapa Reviewed-by: James Valleroy --- plinth/modules/letsencrypt/components.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/plinth/modules/letsencrypt/components.py b/plinth/modules/letsencrypt/components.py index 3cac7b193..3903f233d 100644 --- a/plinth/modules/letsencrypt/components.py +++ b/plinth/modules/letsencrypt/components.py @@ -392,8 +392,12 @@ def on_certificate_event_sync(event, domains, lineage): assert event in ('obtained', 'renewed', 'revoked', 'deleted') for component in LetsEncrypt.list(): + if component.app and component.app.needs_setup(): + continue + logger.info('Handling certificate event for %s: %s, %s, %s', component.component_id, event, domains, lineage) + try: getattr(component, 'on_certificate_' + event)(domains, lineage) except Exception as exception: