Certbot renewals and DANE

pvdv · June 10, 2019, 11:37am

I try to find a way to automate DANE in Bind9 (self-hosted) after obtaining a new SSL certficate. I use Cerbot 0.28.0 from Debian and the Apache plugin. I’ve tried to use a script in the renewal-hooks, the script is executed when a domain is renewed. But I don’t get certbot-environment variables, like the domain name. What would be a good way to do this?

With regards,
Paul van der Vlis

gpatel-fr · June 10, 2019, 11:53am

That’s strange, I can see in the certbot current code (0.35):

os.environ["RENEWED_DOMAINS"] = " ".join(domains)
os.environ["RENEWED_LINEAGE"] = lineage_path
_run_hook("deploy-hook", command)

can you check in your dist-packages directory in the certbot/hooks.py if you don’t have code like this, that should be in def _run_deploy_hook function ?

pvdv · June 10, 2019, 12:01pm

I see this lines in certbot/hooks.py, but I do not see environment variables in my bash script.

What I do now to test is: “printenv | mailto -s test paul@vandervlis.nl”. I get environment variables like LANG and PWD, but no certbot variables.

pvdv · June 10, 2019, 12:04pm

ah, this is in hooks.py:

os.environ["RENEWED_DOMAINS"] = " ".join(domains)
os.environ["RENEWED_LINEAGE"] = lineage_path
logger.info("Running deploy-hook command: %s", command)
_run_hook(command)

So maybe a little different…

gpatel-fr · June 10, 2019, 12:12pm

I don’t think the difference matters, probably the logging has been slightly reshuffled.
However, I have a bad feeling about the code in def execute(…)
I will run a quick check and get back in 10 mns

gpatel-fr · June 10, 2019, 12:38pm

Even after looking at 0.28 code I can’t see why it would not work, unless it’s one of these Debian patches (I’m looking at Letsencrypt 0.28, not the deb)
Does it happen also if you run the renew manually (outside of cron/system) ?

mnordhoff · June 10, 2019, 12:46pm

Those environment variables are only set for deploy hooks (and renew hooks, which are similar to deploy hooks but deprecated). Is it a pre or post hook instead?

pvdv · June 10, 2019, 12:58pm

@gpatel-fr: I would like to have a way how to test hooks manually, but they are not executed then. I test with:
certbot --no-redirect --force-renew -d acrobatiek.nl -d www.acrobatiek.nl

I don’t know another way then to test when an domain needs a new certificate, and that’s done by cron.

pvdv · June 10, 2019, 1:01pm

@mnordhoff My script is in /etc/letsencrypt/renewal-hooks/pre/ Is this depricated? What would be better?

gpatel-fr · June 10, 2019, 1:29pm

I don’t see any way to test hooks except by running a test environment with the staging server. If you use --dry-run, hooks are not called and if you don’t use it certbot will (rightly) refuse to destroy your valid certificates.
BTW, deprecated don’t mean can’t be used. This deprecation of renew hook is not even in the CHANGELOG, and responsible developers are not supposed to announce removal of features immediately. Since Letsencrypt developers have AFAICT no way to monitor renew hooks usage, it would not be wise to remove such a feature without due warning.

gpatel-fr · June 10, 2019, 8:25pm

certbot-auto renew --force-renewal --renew-hook /etc/letsencrypt/renewal-hooks/deploy/myscript

after that, just running
certbot-auto renew --force-renewal
is sufficient as the renewal-hook is saved in the renewal config file.

as said by @mnordhoff if you put your scripts in the pre or post directories they will run automatically but no env variable is set.

army1349 · June 11, 2019, 10:25am

Just a side note:
Because of DNS caching you should publish your TLSA record some time before you start using matching certificate or you can use TLSA 3 1 *, reuse private/public key on renewal and do your own private key rollover from time to time.

pvdv · June 11, 2019, 1:52pm

“–renew-hook” seems to be new. Yes I know I could use certbot-auto, but I prefer Debian packages.

What I have tried is this: “certbot --force-renewal --no-redirect --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/paul2 -d testabc.vandervlis.nl”. This renews the certificate and execute the deploy-hook script. And I have the needed environment variables then!

I guess I have to run “certbot -q renew --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/paul2” to get something like this from cron.

When I run such a command, the deploy-hook is added to the renew-configfile. But when I run such a command without it, the deploy-hook is removed from the renew-configfile. So I guess it’s the best to always run the command with the --deploy-hook.

gpatel-fr · June 11, 2019, 2:08pm

Well, time to monitor the forum and mount an industrial action against deprecation of the action then !

that's always the case, the renewal config file registers the parameters for the last command used that is NOT a renewal.

pvdv · June 11, 2019, 2:18pm

Not sure how I want to do this. I guess I want always two TLSA keys. An old one and a new one. When the SSL certificate has to be renewed I remove the old TLSA, and add a new. But not sure, I could also remove the old TLSA after a few days.

pvdv · June 11, 2019, 3:01pm

Is the --deploy-hook deprecated too? How do you know this?

gpatel-fr · June 11, 2019, 3:08pm

Yes I have misinterpreted a bit @mnordhoff’s post. Yet with modern software about every feature is threatened, so it may be only a matter of time :-/

ietf-dane · June 12, 2019, 2:51am

A couple of useful links on DANE key rotation:

https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html

And a link to a more general DANE resources page:

pvdv · June 13, 2019, 12:13pm

This works (but I need to type 20 characters otherwise this system does not post)

forthy · June 15, 2019, 9:56am

Keeping the same secret key for a long time is a good idea, see TOFU (trust on first use). HPKP supports TOFU, as well. PFS is supported separately in the protocol.

I use DANE for the pubkeys, not for the certs.