Certbot 1.12 messes up config file after renewal

I observed a strange behavior after updating from 1.11 to 1.12.

I have a particular setup where a single certbot server issue and renews certifcates then deploy them via an ansible script.

In /etc/certbot/renewal/example.com.conf I have this row:

renew_hook = /usr/local/bin/ansible-update-le-cert example.com,

First arg is the domain, second arg is the list of internal servers subjected to certificate updates.
When a renewal is triggered, the script is executed and after execution the line in
/etc/certbot/renewal/example.com.conf is rewritten as:

renew_hook = /usr/local/bin/ansible-update-le-cert example.com,

a space is added from the second arg and from next renewal the script fails.

With certbot 1.11 (on CentOS 7) this don't happen.

As workaround I can obviously modify my script in order to accept args in another way, but I think is right to report thi misbehavior.


Thanks for the notice but this is probably best reported on the github for Certbot

I doubt it will get high priority though. Certbot 1.12 came out over 2 years ago so anyone else affected would have resolved it already.


@rbicelli I edited your post to add backticks so those lines would be more readable.


I've tried to reproduce your issue using Certbot 1.11.0 and 1.12.0 in a venv using pip and I can't reproduce it.

When I issue a certificate with --deploy-hook "/tmp/ansible-update-le-cert example.com," and renew it with both 1.11.0 and 1.12.0, the renewal configuration file still says:

renew_hook = "/tmp/ansible-update-le-cert example.com,"

Nothing changed.

So I don't know what exactly causes your extra space, but it's not simply 1.12.0 using regular renewals and regular --deploy-hook commands.

Steps to reproduce the above which doesn't reproduce this issue:

python -m venv cert-test
cd cert-test/
source bin/activate
pip install certbot==1.11.0
mkdir meuk
pip install acme==1.11.0
pip install "pyopenssl==23.1.0"
certbot certonly --config-dir ./meuk/ --logs-dir ./meuk/ --work-dir ./meuk/ --server https://localhost:14000/dir --no-verify-ssl --register-unsafely-without-email --agree-tos -d example.com --webroot -w /tmp/ --deploy-hook "/tmp/ansible-update-le-cert example.com,"
cat meuk/renewal/example.com.conf 
certbot renew --config-dir ./meuk/ --logs-dir ./meuk/ --work-dir ./meuk/ --no-verify-ssl --force-renewal
cat meuk/renewal/example.com.conf 
pip install certbot==1.12.0
pip install acme==1.12.0
certbot renew --config-dir ./meuk/ --logs-dir ./meuk/ --work-dir ./meuk/ --no-verify-ssl --force-renewal
cat meuk/renewal/example.com.conf 

maybe the whole command double-quoted after renew_hook = is the culprit?

How do you mean? As in, you didn't use double quotes and I did?

If I don't have double quotes around the command in my renewal conf, Certbot fails with an error "Failed to renew certificate example.com with error: unhashable type: 'list'".. Are you sure you don't have quotes?


Yes I'm sure, no quotes in my config file. Maybe is for that reason.
Will try with quotes.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.