github.com/certbot/certbot.git
author: Adrien Ferrand <adferrand@users.noreply.github.com> 2019-11-13 21:04:45 +0300
committer: Brad Warren <bmw@users.noreply.github.com> 2019-11-13 21:04:45 +0300
commit: 595b1b212ef83c45173f141c137a45cf0a469a52
tree: 2e36620a3748e7e3a913bc0f797b3f9bf899a2f1 /windows-installer
parent: 75acdeb6454429d6a1704a10f3bfe649a074b227
[Windows] Avoid letsencrypt.log permissions error during scheduled certbot renew task (#7537)
While coding for #7536, I ran into another issue. It appears that Certbot logs generated during the scheduled task execution have wrong permissions that make them almost unusable: they do not have an owner, and their ACL contains nonsense values (nonexistent account names).

The class `logging.handler.RotatingFileHandler` is responsible for these logs, and becomes mad when it is in a Python process run under a scheduled task owned by `SYSTEM`. This is precisely our case here.

This PR avoids (but does not fix) the issue, by changing the owner of the scheduled task from `SYSTEM` to the `Administrators` group, which appears to work fine.

* Use Administrators group instead of SYSTEM to run the certbot renew task
Diffstat (limited to 'windows-installer')
-rw-r--r-- windows-installer/renew-up.ps1 6
1 files changed, 4 insertions, 2 deletions
diff --git a/windows-installer/renew-up.ps1 b/windows-installer/renew-up.ps1
index c6a5fd9ea..224458748 100644
--- a/windows-installer/renew-up.ps1
+++ b/windows-installer/renew-up.ps1
@@ -8,8 +8,10 @@ $action = New-ScheduledTaskAction -Execute 'Powershell.exe' -Argument '-NoProfil
$delay = New-TimeSpan -Hours 12
$triggerAM = New-ScheduledTaskTrigger -Daily -At 12am -RandomDelay $delay
$triggerPM = New-ScheduledTaskTrigger -Daily -At 12pm -RandomDelay $delay
-# NB: For now scheduled task is set up under SYSTEM account because Certbot Installer installs Certbot for all users.
+# NB: For now scheduled task is set up under Administrators group account because Certbot Installer installs Certbot for all users.
# If in the future we allow the Installer to install Certbot for one specific user, the scheduled task will need to
# switch to this user, since Certbot will be available only for him.
-$principal = New-ScheduledTaskPrincipal -UserId SYSTEM -LogonType ServiceAccount -RunLevel Highest
+$adminsSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
+$adminsGroupID = $adminsSID.Translate([System.Security.Principal.NTAccount]).Value
+$principal = New-ScheduledTaskPrincipal -GroupId $adminsGroupID -RunLevel Highest
Register-ScheduledTask -Action $action -Trigger $triggerAM,$triggerPM -TaskName $taskName -Description "Execute twice a day the 'certbot renew' command, to renew managed certificates if needed." -Principal $principal
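Review bot: the new `$principal = New-ScheduledTaskPrincipal -GroupId $adminsGroupID -RunLevel Highest` line replaces a service-account principal (`-UserId SYSTEM -LogonType ServiceAccount`) with a group principal, and nothing in the script or its comment says whether the task still fires when no member of Administrators is logged on. Twice-daily renewal should not depend on an interactive session, so please confirm that behaviour on an unattended server and record the result in the NB comment. That comment also keeps only the old rationale (Certbot is installed for all users); it should state that the move away from SYSTEM is a workaround for the letsencrypt.log owner/ACL problem, so that a later cleanup does not switch it back. A short comment on `"S-1-5-32-544"` saying it is the built-in Administrators SID, translated to an account name at run time rather than hard-coding the group name, would make the two added lines self-explanatory.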