Hello,
I observed a strange behavior after updating from 1.11 to 1.12.
I have a particular setup where a single certbot server issues and renews certificates, then deploys them via an ansible script.
In `/etc/certbot/renewal/example.com.conf` I have this row:
`renew_hook = /usr/local/bin/ansible-update-le-cert example.com 192.168.1.101,192.168.1.102`
First arg is the domain, second arg is the list of internal servers subjected to certificate updates.
When a renewal is triggered, the script is executed and after execution the line in `/etc/certbot/renewal/example.com.conf` is rewritten as:
`renew_hook = /usr/local/bin/ansible-update-le-cert example.com 192.168.1.101, 192.168.1.102`
A space is added in the second arg, and from the next renewal the script fails.
With certbot 1.11 (on CentOS 7) this doesn't happen.
As a workaround I can obviously modify my script in order to accept args in another way, but I think it is right to report this misbehavior.
Cheers
Thanks for the notice, but this is probably best reported on the GitHub for Certbot.
I doubt it will get high priority though. Certbot 1.12 came out over 2 years ago so anyone else affected would have resolved it already.
3 Likes
@rbicelli I edited your post to add backticks so those lines would be more readable.
3 Likes
Osiris, August 8, 2023, 4:37pm
I've tried to reproduce your issue using Certbot 1.11.0 and 1.12.0 in a `venv` using `pip` and I can't reproduce it.
When I issue a certificate with `--deploy-hook "/tmp/ansible-update-le-cert example.com 192.168.1.101,192.168.1.102"` and renew it with both 1.11.0 and 1.12.0, the renewal configuration file still says:
`renew_hook = "/tmp/ansible-update-le-cert example.com 192.168.1.101,192.168.1.102"`
Nothing changed.
So I don't know what exactly causes your extra space, but it's not simply 1.12.0 using regular renewals and regular `--deploy-hook` commands.
Steps to reproduce the above which doesn't reproduce this issue:
```
python -m venv cert-test
cd cert-test/
source bin/activate
pip install certbot==1.11.0
mkdir meuk
pip install acme==1.11.0
pip install "pyopenssl==23.1.0"
certbot certonly --config-dir ./meuk/ --logs-dir ./meuk/ --work-dir ./meuk/ --server https://localhost:14000/dir --no-verify-ssl --register-unsafely-without-email --agree-tos -d example.com --webroot -w /tmp/ --deploy-hook "/tmp/ansible-update-le-cert example.com 192.168.1.101,192.168.1.102"
cat meuk/renewal/example.com.conf
certbot renew --config-dir ./meuk/ --logs-dir ./meuk/ --work-dir ./meuk/ --no-verify-ssl --force-renewal
cat meuk/renewal/example.com.conf
pip install certbot==1.12.0
pip install acme==1.12.0
certbot renew --config-dir ./meuk/ --logs-dir ./meuk/ --work-dir ./meuk/ --no-verify-ssl --force-renewal
cat meuk/renewal/example.com.conf
```
2 Likes
Maybe the whole command double-quoted after `renew_hook =` is the culprit?
Osiris, August 8, 2023, 4:44pm
How do you mean? As in, you didn't use double quotes and I did?
If I don't have double quotes around the command in my renewal conf, Certbot fails with an error "Failed to renew certificate example.com with error: unhashable type: 'list'". Are you sure you don't have quotes?
2 Likes
Yes I'm sure, no quotes in my config file. Maybe it is for that reason.
Will try with quotes.
1 Like
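A pre-renewal check for the situation discussed in this thread, as an added example that is not from any poster or from Certbot itself: it flags hook lines in a renewal file whose value is unquoted and contains a comma, and suggests the quoted form. The round trip it models (value split on commas, written back joined with ", ") is an assumption about the cause, based on the rewritten line and the 'list' error quoted above; the function names, the sample file and the `notify-hosts` script name are constructed for illustration.

```python
import re

# Hook keys that can appear in a Certbot renewal configuration file.
HOOK_KEYS = {"pre_hook", "post_hook", "renew_hook"}

# Constructed sample modelled on the lines quoted in this thread
# (notify-hosts is a made-up script name).
SAMPLE = """\
# renew before expiry = 30 days
version = 1.12.0
[renewalparams]
authenticator = webroot
renew_hook = /usr/local/bin/ansible-update-le-cert example.com 192.168.1.101,192.168.1.102
post_hook = "/usr/local/bin/notify-hosts 192.168.1.101,192.168.1.102"
"""


def is_quoted(value):
    """True when the whole value sits inside one pair of matching quotes."""
    return len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'"


def list_round_trip(value):
    """Assumed failure mode: the value is split on commas into a list when
    read, then written back joined with ', '."""
    return ", ".join(part.strip() for part in value.split(","))


def lint_renewal_conf(text):
    """Report hook lines whose unquoted value contains a comma."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = re.match(r"\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$", line)
        if not match:
            continue  # comments, section headers, blank lines
        key, value = match.groups()
        if key not in HOOK_KEYS or is_quoted(value) or "," not in value:
            continue
        # Pick a quote character the command does not already use.
        quote = next((q for q in "\"'" if q not in value), None)
        findings.append({
            "line": line_no,
            "key": key,
            "rewritten_as": list_round_trip(value),
            "suggested": f"{key} = {quote}{value}{quote}" if quote else None,
        })
    return findings


if __name__ == "__main__":
    for f in lint_renewal_conf(SAMPLE):
        print(f"line {f['line']}: {f['key']} would become: {f['rewritten_as']}")
        print(f"  quote it instead: {f['suggested']}")
```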