Certbot + post hook + vsftpd

RedHat 8.5
vsftpd-3.0.3-34.el8.x86_64
certbot 1.28.0

certbot-renewal.service shows:-
ExecStart=/usr/bin/certbot renew --post-hook systemctl restart vsftpd (code=exited, status=0/SUCCESS)

but vsftpd service wasn't restarted.

letsencrypt.log for the renewal shows:-

-----END CERTIFICATE-----

2022-05-09 20:05:15,614:DEBUG:acme.client:Storing nonce: 0102-qgV2d6GFzyavgSP61f88vCthK3RMQ2-1kWyvQw4WGI
2022-05-09 20:05:15,616:DEBUG:certbot._internal.storage:Writing new private key to /etc/letsencrypt/archive/REDACTED/privkey2.pem.
2022-05-09 20:05:15,616:DEBUG:certbot._internal.storage:Writing certificate to /etc/letsencrypt/archive/REDACTED/cert2.pem.
2022-05-09 20:05:15,616:DEBUG:certbot._internal.storage:Writing chain to /etc/letsencrypt/archive/REDACTED/chain2.pem.
2022-05-09 20:05:15,616:DEBUG:certbot._internal.storage:Writing full chain to /etc/letsencrypt/archive/REDACTED/fullchain2.pem.
2022-05-09 20:05:15,630:DEBUG:certbot._internal.storage:Writing new config /etc/letsencrypt/renewal/REDACTED.conf.new.
2022-05-09 20:05:15,632:DEBUG:certbot._internal.plugins.selection:Requested authenticator standalone and installer None
2022-05-09 20:05:15,632:DEBUG:certbot._internal.display.obj:Notifying user:


2022-05-09 20:05:15,632:DEBUG:certbot._internal.display.obj:Notifying user: Congratulations, all renewals succeeded:
2022-05-09 20:05:15,632:DEBUG:certbot._internal.display.obj:Notifying user: /etc/letsencrypt/live/REDACTED/fullchain.pem (success)
2022-05-09 20:05:15,633:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-05-09 20:05:15,633:DEBUG:certbot._internal.renewal:no renewal failures

########

FOR COMPARISON, when configured to restart postfix instead of vsftpd the post hook runs as expected:-
-----END CERTIFICATE-----

2022-05-13 10:42:59,235:DEBUG:acme.client:Storing nonce: 0101MPketGIYdcaEtevTGG70XDD0K43xAJuW_iYYF2dBOo4
2022-05-13 10:42:59,236:DEBUG:certbot._internal.storage:Writing new private key to /etc/letsencrypt/archive/REDACTED/privkey6.pem.
2022-05-13 10:42:59,236:DEBUG:certbot._internal.storage:Writing certificate to /etc/letsencrypt/archive/REDACTED/cert6.pem.
2022-05-13 10:42:59,237:DEBUG:certbot._internal.storage:Writing chain to /etc/letsencrypt/archive/REDACTED/chain6.pem.
2022-05-13 10:42:59,237:DEBUG:certbot._internal.storage:Writing full chain to /etc/letsencrypt/archive/REDACTED/fullchain6.pem.
2022-05-13 10:42:59,246:DEBUG:certbot._internal.cli:Var post_hook=systemctl restart postfix (set by user).
2022-05-13 10:42:59,247:DEBUG:certbot._internal.storage:Writing new config /etc/letsencrypt/renewal/REDACTED.conf.new.
2022-05-13 10:42:59,248:DEBUG:certbot.display.util:Notifying user: new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/REDACTED/fullchain.pem
2022-05-13 10:42:59,249:DEBUG:certbot._internal.plugins.selection:Requested authenticator standalone and installer None
2022-05-13 10:42:59,250:DEBUG:certbot.display.util:Notifying user:


2022-05-13 10:42:59,250:DEBUG:certbot.display.util:Notifying user: Congratulations, all renewals succeeded:
2022-05-13 10:42:59,250:DEBUG:certbot.display.util:Notifying user: /etc/letsencrypt/live/REDACTED/fullchain.pem (success)
2022-05-13 10:42:59,250:DEBUG:certbot.display.util:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-05-13 10:42:59,250:DEBUG:certbot._internal.renewal:no renewal failures
2022-05-13 10:42:59,250:INFO:certbot.compat.misc:Running post-hook command: systemctl restart postfix

So the post hook calls can be seen in the logs when configured to restart postfix, but not when configured to restart vsftpd.

What's going on?

1 Like

Hi @g-spencer, and welcome to the LE community forum :)

Perhaps the "exited successful" messages are misleading.
Certbot won't actually renew every time it is called - only when a cert is near enough to expiry.
So... it might just be saying that it tried to renew successfully, but actually didn't need to at all.
Thus the "post-hook" isn't required [because the cert remains the same/unchanged].
Which means it doesn't match your manual "pre-hook" that has (unnecessarily) turned vsftpd off before the renewal test.

But I could be wrong... It could be Tuesday - LOL

5 Likes

Hi, thanks RG,
Yes, we are aware the post hook will intentionally only get called when a renewal takes place.
You can see from the log extract the cert is renewed and then the post hook for vsftpd is noticeably absent from the log, whereas when configured to restart postfix that includes the post hook entries in the log.

Currently we find we need to restart vsftpd outside of the automated renewals process, but this should all be programmatically achieved.

ta,

2 Likes

I see (that now).

I'd try calling a bash type script that contains the restart.

6 Likes

thanks Rudy,
I may give that a go, but this is a production system (so alas I can't restart services on a whim), so will have to wait for natural ticket expiry which is a couple of months hence, so this ticket will expire before I have confirmation.
I just wondered if this was 'just me' or whether a known issue with vsftpd cert renewals and certbot.
ta.

2 Likes

Modifying the renewal job shouldn't require a service restart (or any restart).

5 Likes

Hi Rudy, no, what I'm saying is I won't know if any proposed solution 'fixes' the issue until the next scheduled TLS cert renewal.

thanks, anyway

2 Likes

Can't you test hooks using this?

sudo certbot renew --dry-run

I usually create a shell script as the hook and then do my own logging and commands in each script.

The --dry-run uses the Let's Encrypt test system and won't overwrite your live certs.

6 Likes
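
A post-hook script of the kind suggested above, as an added example that is not from any poster in this thread: it restarts the service named on its command line, confirms the service is active again, and keeps its own log so a missing restart is visible outside letsencrypt.log. The log path, the `HOOK_LOG` and `SYSTEMCTL` variables and the function names are assumptions.

```shell
#!/bin/sh
# Added example: certbot post-hook wrapper with its own logging.
# HOOK_LOG and SYSTEMCTL are illustrative names, not certbot settings.

HOOK_LOG="${HOOK_LOG:-/var/log/letsencrypt/post-hook.log}"
SYSTEMCTL="${SYSTEMCTL:-systemctl}"   # overridable so the logic can be exercised without systemd

# Append one timestamped line to the hook's own log file.
hook_log() {
    printf '%s post-hook[%s]: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$$" "$*" >> "$HOOK_LOG"
}

# restart_service NAME
# Returns 0 if the service restarted and is active,
#         1 if the restart command failed,
#         2 if the restart reported success but the service is not active.
restart_service() {
    svc="$1"
    hook_log "restarting $svc"
    if ! out=$("$SYSTEMCTL" restart "$svc" 2>&1); then
        hook_log "restart of $svc FAILED: $out"
        return 1
    fi
    # A clean exit from "restart" does not prove the daemon stayed up
    # (for example, if it cannot read the renewed key), so check again.
    if ! "$SYSTEMCTL" is-active --quiet "$svc"; then
        hook_log "$svc is NOT active after restart"
        return 2
    fi
    hook_log "$svc restarted and active"
    return 0
}

# Act only when a service name is given, so the file can also be sourced.
if [ -n "${1:-}" ]; then
    restart_service "$1"
fi
```

Saved under an assumed path such as /usr/local/sbin/certbot-restart.sh, it would be passed as `--post-hook "/usr/local/sbin/certbot-restart.sh vsftpd"`. Certbot also runs pre and post hooks during `certbot renew --dry-run`, so a dry run performs the restart.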

thanks, Mike, looks like a script in the post hook may be the way to go, cheers

3 Likes

I have changed the post hook to use a script as suggested.
The actual renewal should kick in in less than a month, so I'll place an update here then.

3 Likes
