Looking for some ideas for automating cert renewal in my situation.
I am using a "management" server, Docker container for certbot, and DNS / Route 53 authentication. The certificates are generated and copied up to AWS Secrets for dissemination to a number of different servers. These servers configure themselves by pulling the certs down and saving locally, etc, etc. The management server generates certificates for more than one domain.
The management server is running the renew command, and it is working great. And, given there is a --deploy-hook option, a script could run to deploy the newly generated certs to AWS Secrets. However, is my only option to walk through the various certificates to see which one was renewed? There is a log generated, and the output is readable for a human, but is it possible to somehow have certbot return results in JSON format where code can read it a little more easily and so it is more explicitly told what to do?
That's a very nice description and I feel kind of bad about saying rtm but
--deploy-hook DEPLOY_HOOK
Command to be run in a shell once for each
successfully issued certificate. Unless --disable-
hook-validation is used, the command’s first word must
be the absolute pathname of an executable or one found
via the PATH environment variable. For this command,
the shell variable $RENEWED_LINEAGE will point to the
config live subdirectory (for example,
"/etc/letsencrypt/live/example.com") containing the
new certificates and keys; the shell variable
$RENEWED_DOMAINS will contain a space-delimited list
of renewed certificate domains (for example,
"example.com www.example.com") (default: None)
If you can't simply copy all the certs each time any cert is renewed...
Then you could separate the renewals and call each cert to renew individually:
certbot renew --cert-name "first-cert"
certbot renew --cert-name "second-cert"
certbot renew --cert-name "..."
And either:
add the explicit deploy hook for each cert
OR
let certbot use the already defined deploy hook
Otherwise, you will have to rely on system date/time comparisons OR certbot variables [which I'm not too familiar with] to show which cert has been renewed [recently].
I always try to choose the most surefire method - so that, no matter what, it will always work.
So, I would likely do the separate renewals and custom deploy hooks.
But I'm sure there are "better"/"simpler" methods out there - LOL
If the hook isn't a shell script, one can more generally say that these are "environment variables" provided by Certbot—without the dollar sign at the beginning. It might be clearer overall if the documentation said that.
(All environment variables are accessible as shell variables, but not all shell variables are accessible as environment variables.)
For example, I'm currently writing a deploy-hook script that uses Python's os.environ["RENEWED_LINEAGE"] to access this information.
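As an added example (not code from anyone in this thread), here is a Python deploy hook that turns the RENEWED_LINEAGE and RENEWED_DOMAINS variables from the certbot help text above into a JSON record naming exactly which lineage was renewed and which AWS secret it maps to, so the push step does not have to walk every certificate. The lineage-to-secret mapping and the log path are assumptions for illustration.

```python
"""Certbot --deploy-hook: record the renewed lineage as JSON.

Certbot runs the hook once per successfully renewed lineage and sets
RENEWED_LINEAGE and RENEWED_DOMAINS in the environment (names from the
certbot help text). Everything else here is an assumption for illustration.
"""
import json
import os
import sys
from datetime import datetime, timezone
from pathlib import Path

# Assumed mapping from certbot lineage name (the directory under live/) to the
# AWS Secrets Manager secret that the subscribing servers read.
LINEAGE_TO_SECRET = {
    "example.com": "tls/example.com",
    "api.example.net": "tls/api.example.net",
}


def renewal_record(environ, now=None):
    """Build a JSON-serialisable record from certbot's hook environment."""
    lineage = environ.get("RENEWED_LINEAGE")
    if not lineage:
        raise RuntimeError("not invoked by certbot: RENEWED_LINEAGE is unset")
    name = Path(lineage).name  # "/etc/letsencrypt/live/example.com" -> "example.com"
    domains = environ.get("RENEWED_DOMAINS", "").split()  # space-delimited list
    return {
        "lineage": name,
        "live_dir": lineage,
        "domains": domains,
        "fullchain": str(Path(lineage) / "fullchain.pem"),
        "privkey": str(Path(lineage) / "privkey.pem"),
        "secret_id": LINEAGE_TO_SECRET.get(name),  # None if no mapping exists
        "renewed_at": (now or datetime.now(timezone.utc)).isoformat(),
    }


def main():
    record = renewal_record(os.environ)
    if record["secret_id"] is None:
        print(f"no secret mapped for lineage {record['lineage']!r}", file=sys.stderr)
        return 2
    # One JSON object per line, so the push-to-AWS step (or a notifier) can
    # read exactly which lineages changed in this renew run.
    log_path = os.environ.get("RENEWAL_LOG", "/var/log/certbot-renewals.jsonl")
    with open(log_path, "a") as fh:
        fh.write(json.dumps(record) + "\n")
    print(json.dumps(record))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `certbot renew --deploy-hook /path/to/this_script.py`; a non-zero exit for an unmapped lineage shows up in certbot's output instead of silently skipping the push.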
I'd suggest that subscribing servers should poll their individual AWS secrets and check the metadata on them to see when they were last updated, then pull the cert etc if required.
Alternatively you could push renewal info to any script/webhook etc of your choice to trigger notifications of services, as well as pushing to AWS secrets. You'd need a mapping between cert domains and services to notify.