Certbot - List of Managed Certificates After Renewals


#1

Hi. My server renews all certificates, and I have to get a list of the "new" certificates in order to send them to the right servers (yes, certificates and servers are not stored on the same server).

But how can I get the list of new certificates? (Another way than an ugly egrep '(hostname (success)' logfile.)

thanks a lot


#2

/var/log/certbot-renew.log ???


#3

Assuming you’re using Certbot, there’s a --renew-hook option that passes environment variables RENEWED_LINEAGE and RENEWED_DOMAINS to the command or script you specify. See certbot --help renew for more detail. You could do the copying to different servers from within such a script, or just save the list of domains for later use.


#4

Yes, I use Certbot and I have to copy new certs to other servers. So I have to know which ones to copy after the midnight auto-renewal.
I'll take a look at RENEWED_LINEAGE and RENEWED_DOMAINS. Thanks.


#5

Hi @immanens

certbot certificates

Andrei


#6

I think RENEWED_LINEAGE and RENEWED_DOMAINS are more useful for scripting here. With certbot certificates you would have to do some further parsing to figure out what changed, but Certbot is already willing to tell the hook script what changed directly with the RENEWED_ variables.


#7

I tried to echo RENEWED_ in a hook script like this:
/usr/local/sbin/certbot-auto renew --dry-run --renew-hook /usr/local/bin/certbot_hook.sh
but the hook is not called in dry-run mode, and I don't have a hostname to renew in my pocket:

Dry run: skipping renewal hook command: /root/bin/certbot_hook.sh

Is there any way to test the hook option and to get those variables?


#8

I don’t think Certbot offers a way to test hooks without performing an actual renewal. If you’re familiar with Python programming, you could edit the code to change the dry run behavior so that it does run hooks.


#9

You may find the --force-renewal option useful, which will cause certificates to be renewed regardless of whether they are near expiry.

(Just be careful of the rate limits!)


#10

OK. I successfully called a hook script like this:
/usr/local/sbin/certbot-auto renew --renew-hook "bash /root/bin/certbot_hook.sh" > /var/log/certbot.log
Not sure that "bash ..." is necessary.
And the hook script is like this:
#!/bin/bash
# Timestamp for the log line (%M is minutes; %m would repeat the month).
DATE=$(date +"%Y%m%d-%H-%M")
BASE_CERTS_DIR="/etc/letsencrypt/archive"
# Newest cert and key in the archive directory of the renewed domain.
CERTFILE=$(ls -Art "$BASE_CERTS_DIR/$RENEWED_DOMAINS"/cert* | tail -n 1)
KEYFILE=$(ls -Art "$BASE_CERTS_DIR/$RENEWED_DOMAINS"/privkey* | tail -n 1)
bash /usr/local/sbin/ssl.sh renew "$RENEWED_DOMAINS" "$CERTFILE" "$KEYFILE"
echo "$RENEWED_DOMAINS $DATE" >> /var/log/renew.log

ssl.sh is a homemade script that uses the aws cli to update ELB certificates. I figured that I might use the env variable to get the certificate path ... OK, I'll update that later. Thanks for your help; hope this can help someone else.
Regards.


#11

You might want to be careful that your scripts apparently don’t mention the chain file anywhere. If Let’s Encrypt changes which intermediate it issues under (which has happened once so far), you’ll have a chain mismatch on ELB.

I speculate this is likely to happen about once every 2-3 years, but it's nice to be prepared.
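An added example, written for this thread and not code from any poster or from Certbot, that ties #3, #10 and #11 together: a renew/deploy hook that takes its paths from RENEWED_LINEAGE instead of guessing the newest file under archive/, stages cert, key and chain together, and appends the renewed domains to a log. STAGE_DIR, RENEW_LOG and the ship_files placeholder are my assumptions; replace ship_files with the scp or aws cli step.

```shell
#!/bin/bash
# Added example, not from the thread: a Certbot renew hook that uses the
# RENEWED_LINEAGE and RENEWED_DOMAINS variables instead of guessing the newest
# file under archive/, stages cert, key AND chain, and appends the renewed
# domains to a log for later use.
# Assumptions (mine): STAGE_DIR/RENEW_LOG paths and the ship_files placeholder.
STAGE_DIR="${STAGE_DIR:-/var/lib/renewed-certs}"
RENEW_LOG="${RENEW_LOG:-/var/log/renew.log}"

# stage_lineage LINEAGE_DIR DEST_DIR
#   Copies the four live files of one lineage into DEST_DIR/<lineage name>/.
#   cp -L dereferences: live/*.pem are symlinks into archive/, and copying the
#   links themselves would leave dangling references on the remote host.
#   Returns 1 and copies nothing if any file is missing.
stage_lineage() {
    lineage="$1"; dest="$2/$(basename "$1")"
    for f in cert.pem privkey.pem chain.pem fullchain.pem; do
        [ -r "$lineage/$f" ] || return 1
    done
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    for f in cert.pem privkey.pem chain.pem fullchain.pem; do
        cp -L "$lineage/$f" "$dest/$f" || return 1
    done
    chmod 600 "$dest/privkey.pem"
    echo "$dest"
}

# log_renewal LINEAGE_DIR "DOMAINS" LOGFILE
#   Appends "<timestamp> <lineage name> <domains>" so the list of what changed
#   survives after the run (the original question).
log_renewal() {
    printf '%s %s %s\n' "$(date +%Y%m%d-%H%M)" "$(basename "$1")" "$2" >> "$3"
}

# ship_files STAGED_DIR "DOMAINS": placeholder for the scp / aws elb upload.
ship_files() {
    echo "would ship $1 for $2"
}

# Certbot runs the hook once per renewed lineage with these two variables set.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if staged=$(stage_lineage "$RENEWED_LINEAGE" "$STAGE_DIR"); then
        ship_files "$staged" "$RENEWED_DOMAINS"
        log_renewal "$RENEWED_LINEAGE" "$RENEWED_DOMAINS" "$RENEW_LOG"
    else
        echo "hook: incomplete lineage $RENEWED_LINEAGE, nothing shipped" >&2
        exit 1
    fi
fi
```

Because the hook refuses to stage a lineage with a missing chain.pem, an intermediate change of the kind described above fails loudly instead of leaving a mismatched chain on the load balancer.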


#12

Hi,

Why would you even want to know if certs are renewed before copying them?
You can overwrite cert files while they are loaded and everything will be fine. They will be reloaded after the server restarts or reloads.

Just copy them once every week to their destinations. Make a script or some kind of sync.

Best regards,
Marijan


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.