Certificate config contains old renewal hook values

I've been debugging some renewal hook scripts in /etc/letsencrypt/renewal-hooks that were getting stuck when executed by Certbot:

$ sudo certbot renew --dry-run --run-deploy-hooks
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/[example.com].conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for [example.com]
Hook 'deploy-hook' ran with output:
 {
 	"success": "Certificate deleted."
 }
 {
 	"success": "Certificate chain uploaded."
 }
^CExiting due to user request.

Looking at the logs, it turns out the hangups were caused by some old code of mine from an earlier version of a script that must have been executed after the current script.

I traced the code to the certificate-specific configuration file inside /etc/letsencrypt/renewal. The config contained entries for all three renewal hooks with values corresponding to an old set of scripts.

After manually removing the renewal hook entries in the config file, they haven't appeared again, and I haven't been able to reproduce the issue.

I'm wondering if there's any information available on:

  1. How the hooks might have ended up inside the config file.

  2. How Certbot handles CLI option hooks, hook files, and hook entries in the certificate-specific config files when all are present.

If you set deploy-hook in /etc/letsencrypt/cli.ini (or set --deploy-hook on the CLI), that would add renewal hook entries to the renewal .conf files.

I can't think of any other ways at the moment.


I've checked the .conf file after another dry run with a --deploy-hook value, but it doesn't have any hook entries. Does it need to be a live renewal to update the .conf?

I don't have a cli.ini.

Yes, only two operations will update .conf files:

  • Live certificate issuances (e.g. renewals) via certbot [run] or certbot certonly or certbot renew
  • certbot reconfigure

That's strange. I haven't performed either of those operations since originally acquiring my certificates. I've only run certbot renew, dry and live.

Sorry, renew as well, of course.


Thanks, that must be it then. I appreciate the help.


What's still interesting to me is that Certbot appears to execute the code found in the .conf file subsequent to the code in /etc/letsencrypt/renewal-hooks, at least on dry runs, while it overrides the .conf file code with any CLI options:

$ sudo cat /etc/letsencrypt/renewal/example.com.conf | grep pre_hook -A 3
pre_hook = echo config pre_hook
post_hook = echo config post_hook
renew_hook = echo config renew_hook
$ sudo cat /etc/letsencrypt/renewal-hooks/pre/pre.sh
echo pre file
$ sudo cat /etc/letsencrypt/renewal-hooks/post/post.sh
echo post file
$ sudo cat /etc/letsencrypt/renewal-hooks/deploy/deploy.sh
echo deploy file
$ sudo certbot renew --dry-run --run-deploy-hooks
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Hook 'pre-hook' ran with output:
 pre file
Hook 'pre-hook' ran with output:
 config pre_hook
Simulating renewal of an existing certificate for example.com
Hook 'deploy-hook' ran with output:
 deploy file
Hook 'deploy-hook' ran with output:
 config renew_hook
$ sudo certbot renew --dry-run --run-deploy-hooks --pre-hook "echo pre cli" --post-hook "echo post cli" --deploy-hook "echo deploy cli"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Hook 'pre-hook' ran with output:
 pre file
Hook 'pre-hook' ran with output:
 pre cli
Simulating renewal of an existing certificate for example.com
Hook 'deploy-hook' ran with output:
 deploy file
Hook 'deploy-hook' ran with output:
 deploy cli

Is that the intended behavior?

On reading the documentation again, it does indeed appear to be the intended behavior:

Hooks specified in the command line, configuration file, or renewal configuration files are run as usual after running all hooks in these directories.

My apologies.

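The precedence worked out in this thread (every executable file in the renewal-hooks directories runs first, in sorted order, then the single hook from the command line or, failing that, the pre_hook/post_hook/renew_hook entry in the certificate's renewal .conf) is worth being able to audit without a dry run, because anything in those places runs as root on every renewal. The script below is an added example, not Certbot's own code: it parses a renewal .conf, lists the executable files in a hook directory tree, reports the effective hook order per certificate, and flags .conf hook entries whose script path no longer exists, which is the leftover the original poster found. The SAMPLE_CONF text, the hook scripts that demo() writes into a temporary directory, and the /opt/old-hooks path are all constructed for the example.

```python
"""Audit which hooks Certbot will run for a certificate, and in what order.

Added example for this thread, not Certbot's own code.  It models the order the
documentation gives: every executable file in renewal-hooks/{pre,post,deploy}
runs first, sorted by name, then the single hook from the command line or,
failing that, the pre_hook/post_hook/renew_hook entry of the renewal .conf.
The .conf text and the hook scripts created by demo() are constructed.
"""
import glob
import os
import shutil
import tempfile

# CLI option / hook directory name -> key inside the renewal .conf.
# A --deploy-hook is stored as renew_hook, which is why the thread's output
# shows "config renew_hook" under Hook 'deploy-hook'.
HOOK_KINDS = {"pre": "pre_hook", "post": "post_hook", "deploy": "renew_hook"}

SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 2.6.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
pre_hook = echo config pre_hook
post_hook = echo config post_hook
renew_hook = /opt/old-hooks/deploy-v1.sh --upload
"""


def parse_renewal_conf(text):
    """Return {section: {key: value}} for a renewal .conf.  Keys that appear
    before the first [section] header are stored under "" (configparser
    rejects those, so a small hand-rolled parser is simpler here)."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def list_dir_hooks(hooks_root, kind):
    """Executable regular files in <hooks_root>/<kind>, sorted by name."""
    d = os.path.join(hooks_root, kind)
    if not os.path.isdir(d):
        return []
    return [os.path.join(d, n) for n in sorted(os.listdir(d))
            if os.path.isfile(os.path.join(d, n))
            and os.access(os.path.join(d, n), os.X_OK)]


def effective_hooks(conf, hooks_root, cli=None):
    """{kind: [commands in execution order]} for one certificate.  cli maps
    "pre"/"post"/"deploy" to a command given on the command line; it replaces
    the .conf value for that kind but never the directory hooks."""
    cli = cli or {}
    params = conf.get("renewalparams", {})
    result = {}
    for kind, conf_key in HOOK_KINDS.items():
        cmds = list_dir_hooks(hooks_root, kind)
        single = cli.get(kind) or params.get(conf_key)
        if single:
            cmds.append(single)
        result[kind] = cmds
    return result


def stale_conf_hooks(conf):
    """.conf hook entries whose program is a path that no longer exists."""
    params = conf.get("renewalparams", {})
    stale = {}
    for conf_key in HOOK_KINDS.values():
        cmd = params.get(conf_key)
        if cmd:
            prog = cmd.split()[0]
            if "/" in prog and not os.path.exists(prog):
                stale[conf_key] = cmd
    return stale


def demo():
    """Rebuild the thread's layout (pre.sh, post.sh, deploy.sh) in a temporary
    directory and return the hook order without and with CLI overrides, plus
    the stale entries found in SAMPLE_CONF."""
    root = tempfile.mkdtemp(prefix="renewal-hooks-")
    try:
        for kind in HOOK_KINDS:
            os.makedirs(os.path.join(root, kind))
            path = os.path.join(root, kind, f"{kind}.sh")
            with open(path, "w") as f:
                f.write(f"#!/bin/sh\necho {kind} file\n")
            os.chmod(path, 0o755)
        # A non-executable file in a hook directory is not a hook.
        with open(os.path.join(root, "pre", "README"), "w") as f:
            f.write("not a hook\n")
        conf = parse_renewal_conf(SAMPLE_CONF)
        plain = effective_hooks(conf, root)
        overridden = effective_hooks(
            conf, root, cli={"pre": "echo pre cli", "deploy": "echo deploy cli"})
        return plain, overridden, stale_conf_hooks(conf)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # Against a real host: print each certificate's effective hook order and
    # flag .conf hook entries that point at scripts that no longer exist.
    for path in sorted(glob.glob("/etc/letsencrypt/renewal/*.conf")):
        with open(path) as f:
            conf = parse_renewal_conf(f.read())
        print(path)
        for kind, cmds in effective_hooks(conf, "/etc/letsencrypt/renewal-hooks").items():
            for i, cmd in enumerate(cmds, 1):
                print(f"  {kind}-hook #{i}: {cmd}")
        for key, cmd in stale_conf_hooks(conf).items():
            print(f"  STALE {key} = {cmd}")
```

Run it as root on the host to get the per-certificate listing; a `STALE` line is exactly the kind of leftover entry the thread describes and is safe to delete from the .conf, after which only `certbot run`, `certbot certonly`, `certbot renew` (live) or `certbot reconfigure` can write a hook back.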
