Bug #28035

Add APIs to restart-httpd and restart-httpd-all

Added by Dan Brown about 1 year ago. Updated 10 months ago.

Status: Done
Priority: No priority
Assignee: Vladimir Vinogradenko
Category: Middleware
Target version:
Seen in:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: No
Needs Merging: No
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

I'm working on a script to automate deployment of TLS certificates to FreeNAS, so that they can be automatically issued and renewed from Let's Encrypt--see https://forums.freenas.org/index.php?threads/automate-update-of-ssl-certificate.58025/ for the discussion (but please don't laugh at my very noob-ish Python code). I'm able to upload the cert, get its id, and set that ID as the GUI certificate using the API. However, the new certificate isn't used without the web server restarting for some other reason.

When I change the GUI certificate using the GUI, the web server reloads so that the newly-specified cert is used immediately. But when I make this change through the API, the reload doesn't appear to happen, and I don't see an API call to force the reload.

It seems like something is missing from the API, unless I'm just overlooking it. Or is it just expected that I'd just do "service nginx reload"?

Associated revisions

Revision 09e1b084 (diff)
Added by Vladimir Vinogradenko about 1 year ago

fix(api): Add `POST /api/v1.0/system/settings/restart-httpd/` and `POST /api/v1.0/system/settings/restart-httpd-all/`

Ticket: #28035

Revision 06547b65 (diff)
Added by Vladimir Vinogradenko about 1 year ago

fix(api): Add `POST /api/v1.0/system/settings/restart-httpd/` and `POST /api/v1.0/system/settings/restart-httpd-all/`

Ticket: #28035

History

#1 Updated by Vladimir Vinogradenko about 1 year ago

  • Status changed from Unscreened to Closed
  • Reason for Closing set to Behaves as Intended

The Web UI calls GET /legacy/system/restart-httpd/ (or GET /legacy/system/restart-httpd-all/ if stg_guiprotocol was changed) after processing your request, so you'll have to do this manually too. If the API did an nginx restart while processing your request, you wouldn't be able to receive a response. This may be improved somehow in the future, but for now please do GET /legacy/system/restart-httpd/ after the configuration update.

#2 Updated by Dru Lavigne about 1 year ago

  • Target version set to N/A

#3 Updated by Dan Brown about 1 year ago

Is there perhaps a different API call that needs to be made? restart-httpd (and even restart-httpd-all) do not result in the new certificate being used.

#4 Updated by Vladimir Vinogradenko about 1 year ago

Dan, what was the HTTP response for these requests?

#5 Updated by Dan Brown about 1 year ago

It responded 200.

#6 Updated by Chris H about 1 year ago

I observed the same as Dan in a Python script. Minimally, if I run:

curl -H "Content-Type: application/json" -vu USER:PASS -Li https://SERVER/legacy/reload-httpd/

I get a 302 to "/", then a 302 to "/account/login/?next=/", then a 200. I assume I am doing it wrong; could you please advise how?

#7 Updated by Vladimir Vinogradenko about 1 year ago

Chris, sorry, please try without /legacy/:

curl -H "Content-Type: application/json" -vu USER:PASS -Li https://SERVER/reload-httpd/

#8 Updated by Chris H about 1 year ago

Hm, that gives me the same chain of 302->302->200, and the new certificate (which is active in the GUI) is not presented.

#9 Updated by Vladimir Vinogradenko about 1 year ago

  • Status changed from Closed to In Progress
  • Target version changed from N/A to 11.1-U2
  • Reason for Closing deleted (Behaves as Intended)

Looks like HTTP Basic Authentication won't work for /system/restart-httpd/. I am reopening this ticket and will add this method to the API.

#10 Updated by Dru Lavigne about 1 year ago

  • Assignee changed from Release Council to Vladimir Vinogradenko

#11 Updated by Vladimir Vinogradenko about 1 year ago

  • Status changed from In Progress to Done

Done. New methods are

POST /api/v1.0/system/settings/restart-httpd/

and

POST /api/v1.0/system/settings/restart-httpd-all/

#12 Updated by Dru Lavigne about 1 year ago

  • Subject changed from Updating stg_guicertificate via API does not reload nginx to use new certificate to Add APIs to restart-httpd and restart-httpd-all

#13 Updated by Dru Lavigne about 1 year ago

  • Needs Doc changed from Yes to No

#14 Updated by Dru Lavigne about 1 year ago

  • Needs Merging changed from Yes to No

#15 Updated by Jason Keller 10 months ago

  • Severity set to New

I'm attempting this from Ubuntu 16.04 using Python 3.5, and these endpoints don't seem to work...only giving me a 405 even though it clearly states that it wants a POST.

Python snippet is below...

_r = requests.post(
        'https://' + _host['fqdn'] + '/api/v1.0/system/settings/restart-httpd',
        auth=(_host['user'], _host['password']),
        headers={'Content-Type': 'application/json'},
        data=json.dumps({}),
        verify=False,
)

I've tried it with and without the json.dumps({}) section, without headers, etc, no difference. Currently running 11.1-U5 from stable branch.

#16 Updated by Vladimir Vinogradenko 10 months ago

Jason, you forgot to add the trailing slash. It should be:

_r = requests.post(
        'https://' + _host['fqdn'] + '/api/v1.0/system/settings/restart-httpd/',

Please note that you'll still get an exception:

requests.exceptions.ConnectionError: ('Connection aborted.', BadStatusLine("''",))

That's because the HTTP server will restart immediately, leaving itself no chance to send a response.

#17 Updated by Jason Keller 10 months ago

My apologies Vladimir - indeed the trailing slash caused it to work, and I handled the connection exception through this method...

    try:
        _r = requests.post(
            'https://' + _host['fqdn'] + '/api/v1.0/system/settings/restart-httpd/',
            auth=(_host['user'], _host['password']),
            verify=verify,
        )

    except requests.exceptions.ConnectionError:
        _flag = True

Confirmed working - apologies again for the mix up.
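
The sequence this thread arrives at (POST to the endpoint with its trailing slash, treat the dropped connection as expected, then confirm the new certificate is actually being served), as an added example that is not part of the original ticket or the FreeNAS code. It uses the Python standard library rather than `requests`; the function names, the "dropped" return value and the polling parameters are assumptions made for illustration.

```python
import base64, hashlib, http.client, socket, ssl, time
import urllib.error, urllib.request

# Endpoint from comment #11; the trailing slash is required (comment #16).
RESTART_PATH = "/api/v1.0/system/settings/restart-httpd/"
DROPPED = (http.client.BadStatusLine, ConnectionError)

def build_restart_request(host, user, password):
    """Build the POST with HTTP Basic credentials, as the thread's snippets do."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{host}{RESTART_PATH}", data=b"", method="POST",
        headers={"Authorization": f"Basic {token}"})

def request_restart(req, send=urllib.request.urlopen):
    """Return the HTTP status, or "dropped" if the server restarted mid-request."""
    try:
        with send(req, timeout=10) as resp:   # default context verifies TLS
            return resp.status
    except DROPPED:
        return "dropped"                      # expected, see comment #16
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, DROPPED):
            return "dropped"
        raise                                 # 401/405, TLS and DNS errors are real failures

def served_fingerprint(host, port=443):
    """SHA-256 of the leaf certificate the web server presents right now."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def wait_for_certificate(expected_fp, probe, attempts=10, delay=2.0, sleep=time.sleep):
    """Poll probe() until it returns expected_fp; False if it never does."""
    for _ in range(attempts):
        try:
            if probe() == expected_fp:
                return True
        except OSError:
            pass                              # web server still restarting
        sleep(delay)
    return False
```

A deployment script would compute `expected_fp` from the DER form of the certificate it just uploaded and pass `lambda: served_fingerprint(host)` as `probe`, failing the run if `wait_for_certificate` returns False.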
