Certbot renew --pre-hook --post-hook | Unable to find pre-hook command [RESOLVED]

I am trying to use certbot to autorenew my cert.

On the server I use UFW, which blocks return path communication from Let's Encrypt. To resolve that I created a Let's Encrypt profile in UFW and am trying to use a bash script to apply rules to allow return path communication and to restart Apache2:

more /etc/letsencrypt/renewal-hooks/pre/ufw-allow-letsencrypt.sh 
#!/bin/bash
systemctl stop apache2
ufw allow letsencrypt

more /etc/letsencrypt/renewal-hooks/post/ufw-delete-letsencrypt.sh 
#!/bin/bash
systemctl start apache2
ufw delete allow letsencrypt

When I run certbot renew manually I am getting the following:

certbot renew --pre-hook "./etc/letsencrypt/renewal-hooks/pre/ufw-allow-letsencrypt.sh" --post-hook "./etc/letsencrypt/renewal-hooks/post/ufw-delete-letsencrypt.sh"
Unable to find pre-hook command ./etc/letsencrypt/renewal-hooks/pre/ufw-allow-letsencrypt.sh in the PATH.
(PATH is /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/tmp6xp0n7c9/log or re-run Certbot with -v for more details.
find /etc/letsencrypt/renewal-hooks
/etc/letsencrypt/renewal-hooks
/etc/letsencrypt/renewal-hooks/post
/etc/letsencrypt/renewal-hooks/post/ufw-delete-letsencrypt.sh
/etc/letsencrypt/renewal-hooks/deploy
/etc/letsencrypt/renewal-hooks/pre
/etc/letsencrypt/renewal-hooks/pre/ufw-allow-letsencrypt.sh
certbot --version
certbot 1.21.0
ls -l /etc/letsencrypt/renewal-hooks/pre
total 4
-rwxr-xr-x 1 root root 57 Jul 11 00:22 ufw-allow-letsencrypt.sh

ls -l /etc/letsencrypt/renewal-hooks/post
total 4
-rwxr-xr-x 1 root root 66 Jul 11 00:23 ufw-delete-letsencrypt.sh

Hi @NullRoute,

I do not believe the . before /etc is correct.
As that makes a relative path from the current working directory instead of an absolute path to /etc.


Agree with @Bruce5051, you should remove the leading period in that path.

But, did you specify the --pre-hook and --post-hook on the certbot renew just as a test?

Because when you put them in those special folders they always get run.

I usually add an echo statement in my hooks to confirm they ran. Something like
echo 'running MikePreHook'


Hello @Bruce5051, thanks for the response. I removed the . before /etc and it worked. OK, I will brush up on that. My understanding when running an executable like a bash script is to put a . in front of the path.


Hello @MikeMcQ, thanks for the response.

I added an echo line:

more /etc/letsencrypt/renewal-hooks/pre/ufw-allow-letsencrypt.sh 
#!/bin/bash
echo 'Running UFW allow pre'
systemctl stop apache2
ufw allow letsencrypt
more /etc/letsencrypt/renewal-hooks/post/ufw-delete-letsencrypt.sh 
#!/bin/bash
echo 'Running UFW delete post'
systemctl start apache2

I am running an Ubuntu system - I should see it in /var/log/syslog?


Hi @NullRoute,

I found this on Absolute and relative paths


No. You'd have to use something like logger instead of echo for that.

echo would display when running interactively. It also appears in the Certbot logs. I use that format when debugging hook problems just to confirm it is or is not running.


Thank you both @MikeMcQ and @Bruce5051 !


You are welcome @NullRoute.
Have a pleasant day. 🙂


Only for executables when using relative paths. If an executable is in the PATH environment variable, it's not necessary at all.

That said, you're not directly running the executables. You're only passing the values to Certbot so Certbot can run them using Python functions. So no Bash stuff required.

That said, please note Mike's statement earlier:

Putting the scripts in those folders and providing the hook options on the command line is superfluous.

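Pulling the advice from the replies above together, here is an added example hook script. It is not code from this thread or from Certbot itself. It uses absolute paths, includes a hook_path_ok check that mirrors the rule Certbot's error message describes (a hook must be an absolute path or a bare command name found on PATH, so ./etc/... is rejected), logs with logger for syslog and echo for the Certbot log, and keeps a state file so the post-hook only deletes the UFW rule the pre-hook actually added and always restarts Apache. The UFW application profile name letsencrypt, the binary paths, the state file location and the idea of installing one script in both hook directories (it picks pre or post from its own path) are assumptions, not something the thread specifies.

```shell
#!/bin/bash
# Added example: one script used as both a Certbot pre- and post-renewal hook.
# Assumptions (not from the thread): a UFW app profile named "letsencrypt"
# exists, logger(1) is installed, and this file is placed (or symlinked) as
#   /etc/letsencrypt/renewal-hooks/pre/ufw-letsencrypt.sh
#   /etc/letsencrypt/renewal-hooks/post/ufw-letsencrypt.sh
# UFW, SYSTEMCTL, LOGGER and STATE_FILE can be overridden for dry runs/tests.
UFW="${UFW:-/usr/sbin/ufw}"
SYSTEMCTL="${SYSTEMCTL:-/bin/systemctl}"
LOGGER="${LOGGER:-/usr/bin/logger}"
STATE_FILE="${STATE_FILE:-/run/certbot-ufw-letsencrypt.opened}"

# logger -> syslog (/var/log/syslog on Ubuntu); echo -> Certbot's own log.
log() { "$LOGGER" -t certbot-hook "$*"; echo "$*"; }

# Certbot's rule for hook commands: an absolute path must exist and be
# executable; a bare name must be found on PATH; a relative path like
# ./etc/... is neither and produces "Unable to find ... in the PATH".
hook_path_ok() {
  case "$1" in
    /*)  [ -x "$1" ] ;;
    */*) return 1 ;;
    *)   command -v "$1" >/dev/null 2>&1 ;;
  esac
}

pre_hook() {
  log "pre-hook: stopping apache2 and allowing the letsencrypt profile"
  "$SYSTEMCTL" stop apache2 || { log "pre-hook: failed to stop apache2"; return 1; }
  "$UFW" allow letsencrypt  || { log "pre-hook: ufw allow failed"; return 1; }
  : > "$STATE_FILE"   # remember that this run opened the firewall
}

post_hook() {
  local rc=0
  if [ -e "$STATE_FILE" ]; then
    log "post-hook: removing the letsencrypt profile rule"
    "$UFW" delete allow letsencrypt || { log "post-hook: ufw delete failed"; rc=1; }
    rm -f "$STATE_FILE"
  else
    log "post-hook: no state file, firewall left untouched"
  fi
  # Apache is restarted even if the firewall step failed.
  "$SYSTEMCTL" start apache2 || { log "post-hook: failed to start apache2"; rc=1; }
  return $rc
}

# Certbot runs hooks with no arguments, so pick the mode from our own path;
# an explicit "pre"/"post" argument is accepted for manual runs.
mode="${1:-}"
if [ -z "$mode" ]; then
  case "$0" in
    */renewal-hooks/pre/*)  mode=pre ;;
    */renewal-hooks/post/*) mode=post ;;
  esac
fi
case "$mode" in
  pre)  pre_hook ;;
  post) post_hook ;;
esac
```

A manual check before the first real renewal is to run the script by hand with "pre" and "post" and to call hook_path_ok on the path you intend to give Certbot; note that when the script sits in the renewal-hooks directories, passing --pre-hook/--post-hook on the command line as well is superfluous, as Osiris points out.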
