Acme.sh does not execute post hooks

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: trustserv.de

I ran this command: none; the cron job ran acme.sh

It produced this output:
see post hook ignored · Issue #3391 · acmesh-official/acme.sh · GitHub

My web server is (include version):
Apache2

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
acme.sh, latest

As mentioned in that bug report, I would assume that post hooks are executed, but they are not.
After I got that certificate, I have to manually restart apache2, dovecot, postfix, ... because the post hook is somehow ignored.
I don't understand the dev; I don't know what he means with "global", it's one cert with about 10 subdomains.
Unfortunately, he closed the ticket before asking anything, so I guess he will never see my response. So I ask here, maybe someone can help me, thanks!


Welcome back to the Let's Encrypt Community


Did not know that neilpang is also registered here.
Thanks for that fast message; maybe someone else also uses post hooks and has an idea about that.
Don't want to waste the dev's time because of a config problem.


I'm not too familiar with acme.sh, so I figured I'd get the call started. If someone else can answer before then, fantastic!


The cronjob you created (not the default one created by acme.sh), with incorrect syntax, didn't work properly. No surprise. The --post-hook is to be used when you initially issue the cert (as explained at the link he intended to give: Create new page · acmesh-official/acme.sh Wiki · GitHub). It should not be used with --cron. Using --cron will renew any cert that's due for renewal.


Thanks for helping with this, @danb35. I'd give you a like, but I'm out right now.


Thanks, but I created the certs initially without any hook. Can I somehow add this now to acme.sh?

I usually start (more or less complex things) step by step. That means: first issue a simple certificate, then issue a certificate with one subdomain, see if it works... continue until everything works with that, then add the next subdomain. Last step, make everything automatic.


You can edit the conf file for your domain and replace the variable Le_PostHook='' with one containing your command/commands, but this line must be in a special format.

Based on the issue you raised on GitHub, your certhome is /etc/acme/ and your fake domain is mydomain.de, so your conf file is /etc/acme/mydomain.de/mydomain.de.conf and the command you want to launch in the post hook is systemctl restart apache2 postfix dovecot (I would use reload instead of restart but...)

First execute this command:

echo "Le_PostHook='__ACME_BASE64__START_$(echo -n 'systemctl restart apache2 postfix dovecot' | openssl base64 -e)__ACME_BASE64__END_'"

And you will get this output:
Le_PostHook='__ACME_BASE64__START_c3lzdGVtY3RsIHJlc3RhcnQgYXBhY2hlMiBwb3N0Zml4IGRvdmVjb3Q=__ACME_BASE64__END_'

Edit the conf file /etc/acme/mydomain.de/mydomain.de.conf and replace Le_PostHook='' with the above line, save the conf file and you are done.

Cheers,
sahsanu

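As an added example, not code from this thread or from the acme.sh project itself: a small POSIX shell helper that produces the wrapped Le_PostHook line described in the post above and decodes such a line back, so you can check what the cron run will actually execute before relying on it. Two details a hand edit can get wrong are handled here: the base64 is forced onto one line (openssl base64 -e wraps at 64 characters, so any command longer than 48 bytes would otherwise be split across lines and break the conf file), and a value that lost either __ACME_BASE64__START_ / __ACME_BASE64__END_ marker is rejected rather than decoded. The function names are my own; the markers and the Le_PostHook variable are the ones shown in the thread. It assumes openssl (or coreutils base64) is on PATH, and that acme.sh stores --reloadcmd the same way under a variable I know as Le_ReloadCmd, which the thread itself does not show.

```shell
# Added example (not from the thread or acme.sh): build and verify the
# base64-wrapped values acme.sh keeps in a domain .conf file.
# Format shown in the thread: VAR='__ACME_BASE64__START_<base64>__ACME_BASE64__END_'
# Assumption: openssl or coreutils base64 is available.

B64_START='__ACME_BASE64__START_'
B64_END='__ACME_BASE64__END_'

# Single-line base64. openssl wraps output at 64 chars, which would split a
# post hook longer than 48 bytes over two conf lines; tr removes the breaks.
_b64enc() {
  if command -v openssl >/dev/null 2>&1; then
    openssl base64 -e | tr -d '\r\n'
  else
    base64 | tr -d '\r\n'
  fi
}

_b64dec() {
  if command -v openssl >/dev/null 2>&1; then
    openssl base64 -d -A      # -A: accept a single long line
  else
    base64 -d
  fi
}

# acme_conf_line VAR COMMAND -> the conf line to paste, e.g.
#   acme_conf_line Le_PostHook 'systemctl reload apache2 postfix dovecot'
acme_conf_line() {
  printf "%s='%s%s%s'\n" "$1" "$B64_START" "$(printf '%s' "$2" | _b64enc)" "$B64_END"
}

# acme_conf_decode LINE -> the plain command stored in a wrapped conf line.
# Prints nothing and returns 1 when a marker is missing, so a damaged
# hand edit is caught here instead of at the next cron run.
acme_conf_decode() {
  q="'"
  _val=${1#*=}                      # drop "VAR="
  _val=${_val#"$q"}; _val=${_val%"$q"}   # drop surrounding single quotes
  case "$_val" in
    "$B64_START"*"$B64_END") ;;
    *) return 1 ;;
  esac
  _val=${_val#"$B64_START"}
  _val=${_val%"$B64_END"}
  printf '%s\n' "$_val" | _b64dec
}

# Demo with the command from the thread (reload rather than restart).
line=$(acme_conf_line Le_PostHook 'systemctl reload apache2 postfix dovecot')
printf '%s\n' "$line"
acme_conf_decode "$line"; echo
```

Usage: paste the printed line in place of Le_PostHook='' in /etc/acme/mydomain.de/mydomain.de.conf, then run acme_conf_decode on the line you saved to confirm it round-trips; the same check works on the Le_ReloadCmd line that --install-cert writes (assumed variable name, see above).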

By the way, I would use reloadcmd instead of posthook, so in your case, if you are not installing your certs to any other dir, this command will have the same effect: restart your services once you get a certificate for your domain.

/root/.acme.sh/acme.sh --install-cert -d mydomain.de --reloadcmd "systemctl restart apache2 postfix dovecot" --cert-home /etc/acme

Note: Keep in mind I recommend the use of reload instead of restart.


I will try this, thanks!

Can you tell me why reloadcmd is better than posthook? Does it have some negative impact when using posthook instead of reloadcmd?

I modified the crontab now to:
23 2 * * * /root/.acme.sh/acme.sh --cron --home "/root/.acme.sh" --cert-home /etc/acme --reloadcmd "systemctl restart apache2 postfix dovecot"

If it makes problems again I'll report back here. Again, thanks!

edit: Add reloadcmd support for cron flag. by hexfusion · Pull Request #1814 · acmesh-official/acme.sh · GitHub
Seems like this also does not work with --cron,
so I guess the easiest way is to just add the posthook in the .conf, right?


Because posthook runs after attempting to issue a certificate and reloadcmd runs after successfully installing certificates.

Correct, it won't work if you put in your crontab job.

Yes, or even easier, use the command I wrote in previous post to use reloadcmd.

Cheers,
sahsanu


But I have about 10 subdomains; that would mean I have to do something like:
/root/.acme.sh/acme.sh --install-cert -d mydomain.de -d www.mydomain.de -d mta-sts.mydomain.de -d [all other subdomains...] --reloadcmd "systemctl restart apache2 postfix dovecot" --cert-home /etc/acme

Correct?


No, the --install-cert command must contain only one -d parameter with the name of your cert. The name of your cert is the name of the dir that contains your cert; /etc/acme/mydomain.de, /etc/acme/otherdomain.com, etc.


Thanks, I executed that command and it took about 10 seconds. It was printing that it executes the reloadcmd, which is a bit strange, because I did not get a new certificate; I got a new one yesterday.


I forgot to mention that it executes the reloadcmd when you configure it (what you did right now). From now on it will only be executed when renewing the certs. Remember to leave the entry in crontab as it was originally, without --post-hook or --reloadcmd parameters.


The cron job in /var/spool/cron/crontabs/root contains
23 2 * * * /root/.acme.sh/acme.sh --cron --home "/root/.acme.sh" --cert-home /etc/acme

But whenever I run this command: /root/.acme.sh/acme.sh --install-cert -d mydomain.de --reloadcmd "systemctl restart apache2 postfix dovecot" --cert-home /etc/acme --debug

I get the following output:

[Fr 5. Feb 19:35:44 CET 2021] Lets find script dir.
[Fr 5. Feb 19:35:44 CET 2021] _SCRIPT_='/root/.acme.sh/acme.sh'
[Fr 5. Feb 19:35:44 CET 2021] _script='/root/.acme.sh/acme.sh'
[Fr 5. Feb 19:35:44 CET 2021] _script_home='/root/.acme.sh'
[Fr 5. Feb 19:35:44 CET 2021] Using default home:/root/.acme.sh
[Fr 5. Feb 19:35:44 CET 2021] Using config home:/root/.acme.sh
https://github.com/acmesh-official/acme.sh
v2.8.9
[Fr 5. Feb 19:35:44 CET 2021] Running cmd: installcert
[Fr 5. Feb 19:35:44 CET 2021] Using config home:/root/.acme.sh
[Fr 5. Feb 19:35:44 CET 2021] default_acme_server
[Fr 5. Feb 19:35:44 CET 2021] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Fr 5. Feb 19:35:44 CET 2021] DOMAIN_PATH='/etc/acme/mydomain.de'
[Fr 5. Feb 19:35:44 CET 2021] Run reload cmd: systemctl restart apache2 postfix dovecot
[Fr 5. Feb 19:35:54 CET 2021] Reload success

It seems to me that this command is always executed, even when there is no new certificate.

Or do I have to run this only once, and now --cron knows how to handle that?
This is a wild magic thing then... which makes it pretty complicated.


That command must be used only once per certificate; as you did it with your cert, you don't need to execute it again and again.

It is not magic: that command adds the right variable with the right content in your certificate conf, and the cron command will read that conf file, so as I said, you don't need to execute the command more than once.


OK thanks, so --install-cert does not mean "I install/deploy that certificate" but means: I install some configuration stuff that has to do with that account/domain, and the next time acme.sh runs those values are used.

Thanks for the clarification! Maybe it's because of my missing English skills; it was just a bit confusing to me.


It means both: install/deploy the certificate and execute the command the first time I execute it, AND save those options in the certificate conf so cron will use those parameters when renewing the cert.

