Hello.
So, I've installed certbot some time ago and I'm trying to find a bash script to copy fullchain.pem and privkey.pem to another location, chown them and reload the application running it, but only when the renewed domain/subdomain matches, like when I renew sub.domain.tld
I've searched a bit on the internet but I don't seem to find what I'm looking for
Any help would be greatly appreciated
Thanks in advance
See the certbot documentation about renewing for information about the --deploy-hook command. That's what you're looking for.
You'd still need to script the copy/chowning yourself, bt that shouldn't be too hard.
You'll find more info about --deploy-hook at the end of the documentation page (command line options), such as the $RENEWED_LINEAGE variable. Why that information isn't available in the general text earlier on in the documentation is a mystery to me though.
I'm looking for a script of some sort to put inside the deploy folder and it would be executed after each successful renewal. Is that possible?
I'm not very familiar with bash and all of that, so if someone could point me an example of a script, I'd be very grateful.
I'll try to explain the steps I need with more detail:
/etc/letsencrypt/live/irc.ptirc.org/fullchain.pem and /etc/letsencrypt/live/irc.ptirc.org/privkey.pem to /home/ircd/unrealircd/tls/
chown unrealircd:unrealircd /home/ircd/unrealircd/tls/fullchain.pem and chown unrealircd:unrealircd /home/ircd/unrealircd/tls/privkey.pem
/home/ircd/unrealircd/unrealircd reloadtls and /home/ircd/unrealircd/unrealircd rehash
TIA
Hello @Exterminador,
Create the script deploy-irc in dir /etc/letsencrypt/renewal-hooks/deploy/ with the following content:
#!/usr/bin/env bash
domain="irc.ptirc.org"
if grep "${domain}" <<< "$RENEWED_LINEAGE" ; then
cp /etc/letsencrypt/live/${domain}/{fullchain,privkey}.pem /home/ircd/unrealircd/tls/
chown unrealircd:unrealircd /home/ircd/unrealircd/tls/{fullchain,privkey}.pem
/home/ircd/unrealircd/unrealircd reloadtls
/home/ircd/unrealircd/unrealircd rehash
fi
and once saved, give it execution perms:
chmod 750 /etc/letsencrypt/renewal-hooks/deploy/deploy-irc
I didn't test the script so use it at your own risk 
Cheers,
sahsanu
Would a symbolic link work for you?
Although I'm a bit new to bash and all of that, I was wondering if we could check if the domain is the one being renewed in some other way?
something like:
SUBDOMAIN="irc.ptirc.org"
if [[$RENEWED_LINEAGE == *"$SUBDOMAIN"*]]; then
....
What do you mean by symlink?
Something like:
ln -s /etc/letsencrypt/live/irc.ptirc.org/fullchain.pem /home/ircd/unrealircd/tls/fullchain.pem
You can write the script in very different ways, I always try to avoid the use of wildcards because could complicate things but if you want to use it remember to write a space after [ and before ]
SUBDOMAIN="irc.ptirc.org"
if [[ "$RENEWED_LINEAGE" = *"$SUBDOMAIN"* ]]; then
I should thank @sahsanu for all the help.
Since I'm pretty "green" in things related to bash scripts, with his tips I've came with the following deploy_irc script:
#!/usr/bin/env bash
SUBDOMAIN="irc.ptirc.org"
TLS="/home/ircd/unrealircd/conf/tls/"
if [[ $RENEWED_LINEAGE == *"$SUBDOMAIN"* ]]; then
cp "${RENEWED_LINEAGE}/fullchain.pem" "$TLS"
cp "${RENEWED_LINEAGE}/privkey.pem" "$TLS"
chown ircd:ircd "${TLS}/fullchain.pem"
chown ircd:ircd "${TLS}/privkey.pem"
/home/unrealircd/unrealircd/unrealircd reloadtls
/home/unrealircd/unrealircd/unrealircd rehash
fi
This worked like a charm! Thanks a lot for all the help!
After discussing my shell script with some bash gurus on IRC, I've made a better script, that should run anywhere POSIX shells are available.
#!/bin/sh
# NOTE: This scripts was made to work with certbot. I don't guarantee it will
# work with other ACME clients.
#
# This was tested in Ubuntu 20.04. This should work as it is on
# Debian/Ubuntu based distros. For other distros please check Certbot
# documentation.
#
# Place this script inside /etc/letsencrypt/renewal-hooks/deploy/ and
# name it `deploy_irc'
#
# Make the script executable with:
#
# chmod +x /etc/letsencrypt/renewal-hooks/deploy/deploy_irc
#
# Edit the subdomain, user and paths to fit your setup.
# Enjoy!
# What's your subdomain?
subdomain=irc.domain.tld
# What is the shell user running UnrealIRCd?
user=ircd
# What is the shell group of the user running UnrealIRCd?
# Usually it's the same as the user specified above.
# You shouldn't have to edit this unless you've added the user to another group
group=$user
# Path to UnrealIRCd executable folder
# Usually "/home/<user>/unrealircd/" when installed normally
execdir=/home/$user/unrealircd
# Path to the UnrealIRCd tls folder
# Usually `/home/<user>/unrealircd/conf/tls' when installed normally
# You shouldn't have to edit this unless you've customised your installation
tlsdir=$execdir/conf/tls
# Don't edit anything below unless you know exactly what you're doing.
# If you touch the code below and then complain the script "suddenly stopped working" I'll touch you at night.
case $RENEWED_LINEAGE in
*/"$subdomain")
cp -f -- "$RENEWED_LINEAGE"/fullchain.pem "$RENEWED_LINEAGE"/privkey.pem "$tlsdir" &&
chown -- "$user":"$group" "$tlsdir"/fullchain.pem "$tlsdir"/privkey.pem &&
"$execdir"/unrealircd reloadtls &&
"$execdir"/unrealircd rehash
esac
Hope this helps anyone else. 
Nice script!
Do note though that your search parameter *"$subdomain"* will match all lineages containing your hostname.
So if you, for some reason, would develop an IRC statistics site with the hostname stats.irc.domain.tld, it would be matched and overwrite the files in $tlsdir.
I'm not sure what the best matching method is other than what you're using now, as the path in $RENEWED_LINEAGE can be customised by the user. So just removing the /etc/letsencrypt/live/ part isn't enough. Unless you accept that the script is only useful for certificates from within the default certbot paths.
In this case, this is exactly for one specific subdomain, like the one I have which is irc.ptirc.org.
I'm not a specialist in shell scripting and therefore I don't know if we can change *"$subdomain"* to "$subdomain".
Cheers
You can't but you could change it to */"$subdomain"
Or in this case, to the more appropriate */"$subdomain"* string
I've edited the script in the topic and also my GitHub gist
If you aren't duplicating certificates you shouldn't need the last wildcard.
Edited accordingly 
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.