Basically my deploy hook is not running and I can't work out why, only that I've pinned it down to that.
My domain is: nephele.thumbs.place
I ran this command: certbot -renew (well a crontab did)
It produced this output: Don't know, I wasn't there, but I have a relevant log file in /var/log/letsencrypt. It's large though; it has lots of content on a renewal, but alas no mention of a deploy hook being run.
My web server is (include version):
$ apache2 -v
Server version: Apache/2.4.25 (Raspbian)
Server built: 2019-04-02T19:05:13
The operating system my web server runs on is (include version):
$ cat /etc/*-release
PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
NAME="Raspbian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
My hosting provider, if applicable, is: n/a
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
$ certbot --version
certbot 0.10.2
now the documentation here:
https://certbot.eff.org/docs/using.html#renewing-certificates
states clearly:
If you want your hook to run only after a successful renewal, use --deploy-hook in a command
and
You can also specify hooks by placing files in subdirectories of Certbot’s configuration directory. Assuming your configuration directory is /etc/letsencrypt, any executable files found in /etc/letsencrypt/renewal-hooks/pre, /etc/letsencrypt/renewal-hooks/deploy, and /etc/letsencrypt/renewal-hooks/post will be run as pre, deploy, and post hooks respectively when any certificate is renewed with the renew subcommand. These hooks are run in alphabetical order and are not run for other subcommands.
And check this out:
$ ll /etc/letsencrypt/renewal-hooks/deploy
total 8
-rwxr-xr-x 1 root root 154 May 2 06:26 ncp
-rwxr-xr-x 2 cirrus cirrus 2663 Jun 16 2018 publish_ssl_certificates_nephele.thumbs.place
But every time my cert renews (which it does successfully every 90 days; no problems there), this script publish_ssl_certificates_nephele.thumbs.place fails to run, but if I log on and run it manually all comes good.
For what it's worth, all this script does is publish the certificates to my gateway, which is an OpenWRT router running lighttpd, which (sadly) can forward pretty much anything as needed to LAN servers behind it, but not SSL handshakes, and it wants to have the SSL certs itself.
The problem is categorically NOT in that script. It is executable. It is in the folder the docs ask me to put it in. Renewals happen reliably, but this script is not run. Running it manually works fine. I can use this to test it:
https://www.ssllabs.com/ssltest/analyze.html?d=nephele.thumbs.place&latest
and basically this is my nextcloudpi server, and when my nextcloud clients start griping that the cert is expired I can check that link and yep, they are expired. I can ssh to the server and the certs are there, valid and not expired. I can run that script and check the URL above again and all is good.
Basically the script is not being run. But why not? It's executable and in the folder the docs ask me to put it in. I expected to find some clue in the log file, but the end of a renewal log looks like:
2019-04-09 14:53:25,158:DEBUG:certbot.storage:Writing new private key to /etc/letsencrypt/archive/nephele.thumbs.place/privkey6.pem.
2019-04-09 14:53:25,159:DEBUG:certbot.storage:Writing certificate to /etc/letsencrypt/archive/nephele.thumbs.place/cert6.pem.
2019-04-09 14:53:25,160:DEBUG:certbot.storage:Writing chain to /etc/letsencrypt/archive/nephele.thumbs.place/chain6.pem.
2019-04-09 14:53:25,162:DEBUG:certbot.storage:Writing full chain to /etc/letsencrypt/archive/nephele.thumbs.place/fullchain6.pem.
2019-04-09 14:53:25,292:DEBUG:certbot.storage:Writing new config /etc/letsencrypt/renewal/nephele.thumbs.place.conf.new.
2019-04-09 14:53:25,310:DEBUG:certbot.renewal:no renewal failures
No mention whatsoever of a deploy hook script.
This bamboozles me, I admit. It's taken me many 90-day cycles to diagnose it definitively to this.
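An added diagnostic for this kind of report, not the poster's script and not part of certbot: it checks the three things that decide whether a file dropped in renewal-hooks/deploy actually fires on certbot renew. It assumes, as far as I know from the certbot changelog, that hooks in the renewal-hooks/ directories were first honoured in certbot 0.17.0 and that an older client skips the directory without logging anything, so the version parsed from certbot --version is compared against that; HOOK_MIN_VERSION, the function names and the default paths are mine.

```sh
#!/bin/sh
# Hook diagnostic, added as an example; not the poster's script and not
# part of certbot. It checks the three things that decide whether a file in
# renewal-hooks/deploy fires on "certbot renew":
#   1. the client version (assumption: directory hooks under
#      /etc/letsencrypt/renewal-hooks/ first appeared in certbot 0.17.0;
#      an older client ignores the directory without logging anything),
#   2. every entry in the deploy directory is a regular, executable file,
#   3. whether a renew_hook line in the renewal conf is doing the job instead.
# Paths are certbot's defaults; override with HOOK_DIR / RENEWAL_DIR.

HOOK_MIN_VERSION="0.17.0"
HOOK_DIR="${HOOK_DIR:-/etc/letsencrypt/renewal-hooks/deploy}"
RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"

# certbot_version "certbot 0.10.2" -> "0.10.2" (also accepts certbot-auto output);
# prints nothing if the text is not a version banner (e.g. "command not found")
certbot_version() {
    printf '%s\n' "$1" | sed -n 's/^[a-z-]* \([0-9][0-9.]*\).*/\1/p' | head -n1
}

# version_ge A B -> success if dotted version A >= B, comparing numerically per field
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$2" ]
}

# check_hook_dir DIR -> one line per entry; succeeds only if every regular file
# is executable (certbot runs executables, so a non-executable file is skipped)
check_hook_dir() {
    dir="$1"; rc=0
    [ -d "$dir" ] || { echo "missing: $dir"; return 2; }
    for f in "$dir"/*; do
        [ -e "$f" ] || continue            # empty directory: the glob stays literal
        if [ ! -f "$f" ]; then echo "not a regular file: $f"; continue; fi
        if [ -x "$f" ]; then echo "executable: $f"
        else echo "NOT executable: $f"; rc=1; fi
    done
    return $rc
}

diagnose() {
    raw=$(certbot --version 2>&1)          # old releases print the banner on stderr
    v=$(certbot_version "$raw")
    if [ -z "$v" ]; then
        echo "could not parse certbot version from: $raw"
    elif version_ge "$v" "$HOOK_MIN_VERSION"; then
        echo "certbot $v: renewal-hooks/ directories are honoured by renew"
    else
        echo "certbot $v is older than $HOOK_MIN_VERSION: renewal-hooks/ is ignored;"
        echo "upgrade, or set renew_hook = /path/to/script in the renewal conf"
    fi
    check_hook_dir "$HOOK_DIR"
    grep -H '^renew_hook' "$RENEWAL_DIR"/*.conf 2>/dev/null \
        || echo "no renew_hook line in $RENEWAL_DIR/*.conf"
}

# runs the checks only when invoked as:  sh hookcheck.sh run
case "${1:-}" in run) diagnose ;; esac
```

Run it on the server as sh hookcheck.sh run. The version check is the one a directory listing cannot show: an executable file in the right folder does nothing if the client predates the feature, and the renewal log stays silent either way, which matches the log excerpt above. The final grep tells you whether the renewal conf already names a hook that renew would run regardless of the directory.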