I have a machine that I dedicated as (I call it) a "certbot server," and this certbot server has the sole task of generating Let's Encrypt certs and distributing them to the other web servers that need the certificates.
/snap/bin/certbot --manual certonly --preferred-challenges dns --csr /home/fathir/cethul-rpx/cethul-wildcard-01.csr --manual-auth-hook /home/fathir/auth-hook-wpmu-rpx.sh --manual-cleanup-hook /home/fathir/cleanup-hook-cethul-rpx-wildcard01.sh
The auth-hook-wpmu-rpx.sh has the task of updating my DNS, and the cleanup-hook-cethul-rpx-wildcard01.sh has the job of updating my web servers' certificates.
Both scripts work well when I run them in --dry-run mode; even though I must simulate the creation of 0000_cert.pem, 0000_chain.pem, and 0001_chain.pem, the following script can run nicely.
And then, when I run without --dry-run, the process stops right after certbot writes the cert to disk. My following script on manual-cleanup-hook didn't get executed as expected.
Of course, if I run the script manually after certbot is complete, like this:
/snap/bin/certbot --manual certonly --preferred-challenges dns --csr /home/fathir/cethul-rpx/cethul-wildcard-01.csr --manual-auth-hook /home/fathir/auth-hook-wpmu-rpx.sh ; bash /home/fathir/cleanup-hook-cethul-rpx-wildcard01.sh
this syntax fulfils my intention of how the "certbot server" works as a cert generator.
My question here is, "why is the --manual-cleanup-hook not working? What have I done wrong?"
Additional information:
My domain is ugm.ac.id https://crt.sh/?q=*.ugm.ac.id&exclude=expired&match=LIKE
My web servers are Apache and nginx.
My web servers' OS is mostly Linux, varying between Ubuntu, Debian, and CentOS, with a variety of release versions.
I have root-level access on each server I manage. I distribute the certs via scp.
The certbot version I use is 1.19.0
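A diagnostic cleanup hook, added here as an example and not the poster's script: it logs the CERTBOT_* variables certbot hands to --manual-cleanup-hook, refuses domains outside the expected zone, and records whether the --csr output files exist yet, which shows why certificate distribution cannot be done from this hook (certbot runs cleanup once the DNS challenge is validated, before the certificate is downloaded and written). The log path, the allowed zone and the assumption that the hook inherits certbot's working directory are mine, not taken from the post.

```shell
#!/bin/sh
# Diagnostic --manual-cleanup-hook (added example; paths are assumptions).
# certbot exports CERTBOT_DOMAIN, CERTBOT_VALIDATION, CERTBOT_AUTH_OUTPUT,
# CERTBOT_REMAINING_CHALLENGES and CERTBOT_ALL_DOMAINS to the cleanup hook.
LOG="${HOOK_LOG:-/tmp/certbot-cleanup-hook.log}"   # assumed log location
ALLOWED_SUFFIX="${ALLOWED_SUFFIX:-ugm.ac.id}"       # zone named in the post

# Return 0 only for a syntactically plain name inside the allowed zone,
# so a hook that edits DNS never acts on an unexpected domain.
domain_allowed() {
  case "$1" in
    ""|*[!a-zA-Z0-9.-]*) return 1 ;;                # empty or odd characters
    "$ALLOWED_SUFFIX"|*".$ALLOWED_SUFFIX") return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if the variables certbot always sets for a cleanup hook are present.
hook_env_ok() {
  [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]
}

# Print how many of certbot's --csr output files already exist in a directory.
csr_outputs_present() {
  dir="$1"; n=0
  for f in 0000_cert.pem 0000_chain.pem 0001_chain.pem; do
    [ -f "$dir/$f" ] && n=$((n + 1))
  done
  echo "$n"
}

main() {
  ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  if ! hook_env_ok; then
    echo "$ts cleanup hook started without CERTBOT_* variables" >>"$LOG"; exit 1
  fi
  if ! domain_allowed "$CERTBOT_DOMAIN"; then
    echo "$ts refusing unexpected domain '$CERTBOT_DOMAIN'" >>"$LOG"; exit 1
  fi
  # Assumes the hook inherits the directory certbot was started in.
  echo "$ts cleanup for $CERTBOT_DOMAIN remaining=${CERTBOT_REMAINING_CHALLENGES:-?}" \
       "csr_files_present=$(csr_outputs_present "$PWD")" >>"$LOG"
  # DNS cleanup belongs here: remove the _acme-challenge TXT record for
  # $CERTBOT_DOMAIN. Copying certificates does not: they are written later.
}

# Run only when invoked by certbot (CERTBOT_DOMAIN set), not when sourced.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then main; fi
```

Point --manual-cleanup-hook at this script, run certbot once without --dry-run, and the log shows the hook firing with csr_files_present=0; the certificate copy then has to move to a step that runs after certbot exits.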