Merge pull request #3585 from bunkerity/dev

Author: TheophileDiot

.github/workflows/container-build.yml

@@ -130,7 +130,7 @@ jobs:
       # Check vulnerabilities with Docker Scout
       - name: Docker Scout CVE Analysis
         if: ${{ startsWith(inputs.CACHE_SUFFIX, 'arm') == false }}
-        uses: docker/scout-action@bacf462e8d090c09660de30a6ccc718035f961e3 # v1.20.4
+        uses: docker/scout-action@cd72f264beff1cd72735de31148b9d3244a0234a # v1.21.0
         with:
           command: cves,recommendations
           image: local/${{ inputs.IMAGE }}

.github/workflows/push-packagecloud.yml

@@ -42,7 +42,7 @@ jobs:
       - name: Check out repository code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install ruby
-        uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1.308.0
+        uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
         with:
           ruby-version: "3.0"
       - name: Install packagecloud

CHANGELOG.md

@@ -1,6 +1,13 @@
 # Changelog
 
-## v1.6.10
+## v1.6.11~rc1 - ????/??/??
+
+- [BUGFIX] `letsencrypt` (core): fix self-propagating cache poisoning that caused fleet-wide `certbot AccountNotFound`; add CA-agnostic consistency gate (LE + ZeroSSL paths), server-scoped `select_account_id`, redacted-value `Configurator` WARN logs.
+- [SECURITY] `letsencrypt` (UI): harden delete + new heal flow — per-request scratch dir, `fcntl.flock`, `.`/`..` rejected in `cert_name`, DOMPurify + `markupsafe.escape` at every HTML sink, 500 on persistence failure; new `/letsencrypt/{orphans,accounts,cache-status,heal}` endpoints, per-row Heal button, sidebar orphan toast.
+- [FEATURE] `scheduler`: new `SCHEDULER_MAX_WORKERS` env var caps the job-executor thread pool to bound DB-pool pressure on shared MariaDB/MySQL/PostgreSQL; auto default tightened from `min(8, cpu*4)` to `min(8, max(2, cpu*2))` and a warning is emitted when the resolved value exceeds `DATABASE_POOL_SIZE` + `DATABASE_POOL_MAX_OVERFLOW`.
+- [SECURITY] `linux`: `after-remove` hooks now preserve `/var/log/bunkerweb`, `/etc/bunkerweb`, `/var/lib/bunkerweb` and `/var/tmp` upgrade backups on plain uninstall (only purge wipes configs + DB; logs and backups always kept, disposal commands printed); upgrade backups are written via `install -m 0600 -o root -g root` (atomic) and any pre-existing world-readable backups are retro-tightened, closing a local-read window on admin credentials and the SQLite DB.
+
+## v1.6.10 - 2026/05/19
 
 - [SECURITY] `nginx` : update nginx to 1.30.1 to fix various CVEs
 - [BUGFIX] `reverseproxy`: pin a `USE_UI=yes` service upstream to HTTP/1.1 so a global `REVERSE_PROXY_HTTP_VERSION=2` no longer locks out the web UI. (Fixes #3550)

docs/de/integrations.md

@@ -1777,6 +1777,7 @@ Der Scheduler ist der Control-Plane-Worker, der Einstellungen liest, Konfigurati
 | `DISABLE_CONFIGURATION_TESTING` | Konfigtests vor dem Anwenden überspringen                                | `yes` oder `no`                                 | `no`                                  |
 | `IGNORE_FAIL_SENDING_CONFIG`    | Fortfahren, auch wenn einige Instanzen keine Konfig erhalten             | `yes` oder `no`                                 | `no`                                  |
 | `IGNORE_REGEX_CHECK`            | Regex-Validierung für Einstellungen überspringen (geteilt mit Autoconf)  | `yes` oder `no`                                 | `no`                                  |
+| `SCHEDULER_MAX_WORKERS`         | Maximale Anzahl an Worker-Threads im Job-Executor des Schedulers. Jeder laufende Thread kann eine DB-Verbindung halten, was die DB-Pool-Belastung auf Scheduler-Seite begrenzt. Beim Start wird eine Warnung ausgegeben, wenn der ermittelte Wert `DATABASE_POOL_SIZE` + `DATABASE_POOL_MAX_OVERFLOW` überschreitet. | Positive Ganzzahl                               | `min(8, max(2, cpu_count*2))`         |
 | `TZ`                            | Zeitzone für Scheduler-Logs, Cron-ähnliche Jobs, Backups und Zeitstempel | TZ-Datenbank-Name (z. B. `UTC`, `Europe/Paris`) | unset (Container-Standard, meist UTC) |
 
 ##### Datenbank

docs/es/integrations.md

@@ -1778,6 +1778,7 @@ El programador es el worker del plano de control que lee configuraciones, genera
 | `DISABLE_CONFIGURATION_TESTING` | Saltar pruebas de configuración antes de aplicar                                   | `yes` o `no`                                  | `no`                                         |
 | `IGNORE_FAIL_SENDING_CONFIG`    | Continuar incluso si algunas instancias no reciben la configuración                | `yes` o `no`                                  | `no`                                         |
 | `IGNORE_REGEX_CHECK`            | Omitir validación regex de configuraciones (compartido con autoconf)               | `yes` o `no`                                  | `no`                                         |
+| `SCHEDULER_MAX_WORKERS`         | Número máximo de hilos en el ejecutor de jobs del Scheduler. Cada hilo activo puede mantener una conexión a la BD, limitando la presión sobre el pool desde el Scheduler. Al iniciar se emite una advertencia si el valor resuelto supera `DATABASE_POOL_SIZE` + `DATABASE_POOL_MAX_OVERFLOW`. | Entero positivo                               | `min(8, max(2, cpu_count*2))`                |
 | `TZ`                            | Zona horaria para logs del programador, jobs tipo cron, backups y marcas de tiempo | Nombre en base TZ (ej. `UTC`, `Europe/Paris`) | unset (default de contenedor, suele ser UTC) |
 
 ##### Base de datos

docs/fr/integrations.md

@@ -1786,6 +1786,7 @@ Le Scheduler est le worker du plan de contrôle qui lit les paramètres, rend le
 | `DISABLE_CONFIGURATION_TESTING` | Sauter les tests de configuration avant application                               | `yes` ou `no`                              | `no`                                       |
 | `IGNORE_FAIL_SENDING_CONFIG`    | Continuer même si certaines instances ne reçoivent pas la config                  | `yes` ou `no`                              | `no`                                       |
 | `IGNORE_REGEX_CHECK`            | Ignorer la validation regex des paramètres (partagé avec autoconf)                | `yes` ou `no`                              | `no`                                       |
+| `SCHEDULER_MAX_WORKERS`         | Nombre maximal de threads dans l'exécuteur de jobs du Scheduler. Chaque thread peut détenir une connexion DB, ce qui borne la pression sur le pool côté Scheduler. Un avertissement est émis au démarrage si la valeur résolue dépasse `DATABASE_POOL_SIZE` + `DATABASE_POOL_MAX_OVERFLOW`. | Entier positif                             | `min(8, max(2, cpu_count*2))`              |
 | `TZ`                            | Fuseau horaire pour les logs du Scheduler, tâches type cron, sauvegardes et dates | Nom de base TZ (ex. `UTC`, `Europe/Paris`) | unset (défaut conteneur, généralement UTC) |
 
 ##### Base de données

docs/integrations.md

@@ -1792,6 +1792,7 @@ The scheduler is the control-plane worker that reads settings, renders configs,
 | `DISABLE_CONFIGURATION_TESTING` | Skip config tests before applying                                     | `yes` or `no`                                  | `no`                                   |
 | `IGNORE_FAIL_SENDING_CONFIG`    | Proceed even if some instances fail to receive a config               | `yes` or `no`                                  | `no`                                   |
 | `IGNORE_REGEX_CHECK`            | Skip regex validation for settings (shared with autoconf)             | `yes` or `no`                                  | `no`                                   |
+| `SCHEDULER_MAX_WORKERS`         | Max worker threads in the scheduler's job executor. Each running thread can hold one DB connection, so this caps scheduler-side DB-pool pressure. A startup warning is emitted if the resolved value exceeds `DATABASE_POOL_SIZE` + `DATABASE_POOL_MAX_OVERFLOW`. | Positive integer                               | `min(8, max(2, cpu_count*2))`          |
 | `TZ`                            | Time zone for scheduler logs, cron-like jobs, backups, and timestamps | TZ database name (e.g., `UTC`, `Europe/Paris`) | unset (container default, usually UTC) |
 
 ##### Database

docs/zh/integrations.md

@@ -1777,6 +1777,7 @@ volumes:
 | `DISABLE_CONFIGURATION_TESTING` | 应用前跳过配置测试                               | `yes` 或 `no`                           | `no`                          |
 | `IGNORE_FAIL_SENDING_CONFIG`    | 即便部分实例未收到配置也继续                     | `yes` 或 `no`                           | `no`                          |
 | `IGNORE_REGEX_CHECK`            | 跳过设置的正则校验（与 autoconf 共享）           | `yes` 或 `no`                           | `no`                          |
+| `SCHEDULER_MAX_WORKERS`         | 调度器作业执行器的最大工作线程数。每个运行线程可占用一个数据库连接，从而限制调度器侧的连接池压力。若解析值超过 `DATABASE_POOL_SIZE` + `DATABASE_POOL_MAX_OVERFLOW`，启动时会输出警告。 | 正整数                                  | `min(8, max(2, cpu_count*2))` |
 | `TZ`                            | 调度器日志、类 cron 任务、备份和时间戳使用的时区 | TZ 数据库名（如 `UTC`、`Europe/Paris`） | unset（容器默认，通常为 UTC） |
 
 ##### 数据库

src/common/core/letsencrypt/jobs/certbot-new.py

@@ -80,6 +80,7 @@
     ZEROSSL_BOT_SCRIPT,
     build_certbot_env,
     get_expected_acme_directory,
+    letsencrypt_cache_consistent,
     prepare_logs_dir,
     resolve_certbot_entrypoint,
 )
@@ -724,8 +725,19 @@ def certbot_new(
     else:
         command.append("--register-unsafely-without-email")
 
+    # Always scope account lookup to the target ACME server's URL.
+    # Without this, an LE account id can be passed as `--account` to a ZeroSSL
+    # certbot certonly invocation (and vice versa) — certbot then constructs the
+    # account directory from its own --server path and fails with AccountNotFound.
+    acme_server_url = str(config.get("acme_server_url") or "")
+
     if config.get("acme_server") == "letsencrypt":
-        account_id = select_account_id(paths.config_dir.joinpath("accounts"), bool(config["staging"]), str(config.get("email") or ""))
+        account_id = select_account_id(
+            paths.config_dir.joinpath("accounts"),
+            bool(config["staging"]),
+            str(config.get("email") or ""),
+            server_url=acme_server_url,
+        )
         if account_id:
             command.extend(["--account", account_id])
     else:
@@ -744,7 +756,12 @@ def certbot_new(
         if zerossl_api_key:
             cmd_env["LETS_ENCRYPT_ZEROSSL_API_KEY"] = zerossl_api_key
 
-        account_id = select_account_id(paths.config_dir.joinpath("accounts"), bool(config["staging"]), str(config.get("email") or ""))
+        account_id = select_account_id(
+            paths.config_dir.joinpath("accounts"),
+            bool(config["staging"]),
+            str(config.get("email") or ""),
+            server_url=acme_server_url,
+        )
         if account_id:
             command.extend(["--account", account_id])
 
@@ -1156,11 +1173,25 @@ def generate_certificate(service: str, config: Dict[str, Union[str, bool, int, D
         elif not DATA_PATH.is_dir() or not any(DATA_PATH.glob("live/*/fullchain.pem")):
             LOGGER.warning("Skipping db cache update: no live certificates found under DATA_PATH/live/*/fullchain.pem.")
         else:
-            cached, err = JOB.cache_dir(DATA_PATH)
-            if not cached:
-                LOGGER.error(f"Error while saving data to db cache : {err}")
+            # Refuse to re-cache when renewal/ references account IDs that are missing from accounts/.
+            # That snapshot would self-propagate certbot AccountNotFound errors across every renew.
+            consistent, reason = letsencrypt_cache_consistent(DATA_PATH)
+            if not consistent:
+                LOGGER.error(
+                    "Skipping db cache update to avoid persisting an inconsistent Let's Encrypt state "
+                    f"({reason}). The DB cache row is left untouched; investigate accounts/ recovery before the next renew."
+                )
+                # If certbot itself succeeded, the fresh certs are already on disk — signal a reload
+                # (ret=1) so nginx picks them up. Persistence failure is logged separately above; do
+                # not escalate to status=2 here, otherwise JobScheduler suppresses the reload.
+                if status == 0:
+                    status = 1
             else:
-                LOGGER.info("Successfully saved data to db cache")
+                cached, err = JOB.cache_dir(DATA_PATH)
+                if not cached:
+                    LOGGER.error(f"Error while saving data to db cache : {err}")
+                else:
+                    LOGGER.info("Successfully saved data to db cache")
 except SystemExit as e:
     status = e.code
 except BaseException as e:

src/common/core/letsencrypt/jobs/certbot-renew.py

@@ -23,6 +23,7 @@
     build_certbot_env,
     certbot_log_backup_flags,
     is_zerossl_used_in_env,
+    letsencrypt_cache_consistent,
     prepare_logs_dir,
     resolve_certbot_entrypoint,
 )
@@ -115,11 +116,26 @@
     elif not DATA_PATH.is_dir() or not any(DATA_PATH.glob("live/*/fullchain.pem")):
         LOGGER.warning("Skipping db cache update: no live certificates found under DATA_PATH/live/*/fullchain.pem.")
     else:
-        cached, err = JOB.cache_dir(DATA_PATH)
-        if not cached:
-            LOGGER.error(f"Error while saving Let's Encrypt data to db cache : {err}")
+        # Refuse to re-cache when renewal/ references account IDs that are missing from accounts/.
+        # That snapshot would self-propagate certbot AccountNotFound errors across every renew.
+        consistent, reason = letsencrypt_cache_consistent(DATA_PATH)
+        if not consistent:
+            LOGGER.error(
+                "Skipping db cache update to avoid persisting an inconsistent Let's Encrypt state "
+                f"({reason}). The DB cache row is left untouched; investigate accounts/ recovery before the next renew."
+            )
+            # If certbot itself succeeded, the fresh certs are already on disk — signal a reload
+            # (ret=1) so nginx picks them up. Persistence failure is logged separately above; do
+            # not escalate to status=2 here, otherwise JobScheduler suppresses the reload and the
+            # newly-renewed certs sit unused until the next restart.
+            if status == 0:
+                status = 1
         else:
-            LOGGER.info("Successfully saved Let's Encrypt data to db cache")
+            cached, err = JOB.cache_dir(DATA_PATH)
+            if not cached:
+                LOGGER.error(f"Error while saving Let's Encrypt data to db cache : {err}")
+            else:
+                LOGGER.info("Successfully saved Let's Encrypt data to db cache")
 except SystemExit as e:
     status = e.code
 except BaseException as e: