Email notification about certificate renewal

I installed certbot yesterday on Debian using snapd based on the description Certbot Instructions | Certbot. To install a certificate I use this command:
certbot certonly -n --cert-name dirname --webroot --agree-tos --email -d -d
The certificate is created, it works and I see that some kind of timer is started which automatically renews the certificate 30 days before the expiration date. My question is how to set up to receive an e-mail about the renewal (including its result) to the specified address?
Thanks in advance for the answers!

If you specified an email address, you'll automatically be sent expiry emails. But note that you should NOT rely on such emails! Let's Encrypt recommends renewing certificates 30 days before expiry and Certbot should automatically renew the certificate for you at that time.

However, I see you've used the certonly subcommand without a --deploy-hook, so after renewal you should manually reload any service using your certificate.

If everything works out, you should not get any expiry email.


You could use the --deploy-hook to send an email.


Thanks for the answer! I don't really want to receive an e-mail about the expiration date, but about the result of the automatic renewal. In all cases, if it was successful or not. I use the certonly subcommand because I always want to restart the web server myself to make sure it starts.


Thanks for the answer!
As I read in the certbot command line description, --deploy-hook only runs if the renewal was successful: "If you want your hook to run only after a successful renewal, use --deploy-hook in a command like this."
If I want to be notified of both successful and unsuccessful attempts, isn't --post-hook the right option? Also, what data and how does certbot pass to the --post-hook or --deploy-hook script? E.g. name of renewed certificate, success or failure of renewal, new expiration date, etc.


I haven't experienced any failed renewals - LOL

I guess you are on the right track.
But remember that certbot normally runs twice a day and usually does nothing.
So, you have to ensure when nothing is even attempted that it doesn't send you an email.


Unfortunately, it will happen to me that it doesn't work out. I run a rental webshop system (kind of like Shopify, but I'm small) and the domains are directed to my server. But sometimes one of my clients leaves me and then they redirect the domain to another place without telling me. Then certbot will not be able to renew the certificate and I want to know about it.


In that case, I would ensure that you use individual certs [if possible]
use --allow-subset-of-names to automatically remove all failing names [not recommended]


I'm not familiar with systemd timers, but cron would email you about renewal failures. Don't systemd timers have such a feature?


At one time I just redirected both stdout and stderr for a cron certbot to a file and parsed it myself (also noting the exit code). Just an idea.

I don't recall exact details but I remember the results were fairly easy to identify. I just had to make sure I coded to watch for both expected and unexpected results so something wasn't lost if certbot changed formats.

Probably not the best way to handle this but it's one way :)


Well, this could be a good and simple solution, I'll try it. 2-3 domain certificates will expire per day, so machine processing is not necessary, just let me see if there was a problem with one of them. Thanks for the idea!


Yes, each online store has a separate certificate that contains only its own domain(s).
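
The following sketch combines two suggestions from this thread: a --deploy-hook that records each successful renewal, and a wrapper that captures certbot's output and exit code and stays silent when nothing was due. It is an added example, not code from any poster or from Certbot; the variable names, function names, state directory and address are assumptions, and it assumes a working local `mail` command.

```shell
#!/bin/sh
# Added example: wrapper for cron or a systemd timer, not Certbot's own code.
# Assumed names: CERTBOT, MAILER, NOTIFY_TO, STATE_DIR and both functions.
CERTBOT="${CERTBOT:-certbot}"
MAILER="${MAILER:-mail}"                     # assumes a local mail(1) and MTA
NOTIFY_TO="${NOTIFY_TO:-admin@example.com}"  # placeholder address
STATE_DIR="${STATE_DIR:-/var/lib/certbot-notify}"
export STATE_DIR                             # the hook runs as a child of certbot

# Deploy hook: certbot runs it once per successfully renewed certificate and
# sets RENEWED_LINEAGE (the live directory) and RENEWED_DOMAINS for it.
record_renewal() {
    printf '%s: %s\n' "$RENEWED_LINEAGE" "$RENEWED_DOMAINS" >> "$STATE_DIR/renewed"
}

# One renewal pass. Mails on failure (non-zero exit) or when at least one
# certificate was renewed; sends nothing when no certificate was due.
# Returns certbot's exit status so cron or systemd also see a failure.
renew_and_notify() {
    mkdir -p "$STATE_DIR" || return 2
    : > "$STATE_DIR/renewed"
    status=0
    # "$0 record" re-invokes this script as the hook, so install it at an
    # absolute path without spaces.
    "$CERTBOT" renew --deploy-hook "$0 record" \
        > "$STATE_DIR/output" 2>&1 || status=$?
    if [ "$status" -ne 0 ]; then
        subject="certbot renew FAILED (exit $status)"
    elif [ -s "$STATE_DIR/renewed" ]; then
        subject="certbot renew OK"
    else
        return 0                             # nothing attempted: stay silent
    fi
    # Body: the renewed lineages first, then certbot's full output.
    cat "$STATE_DIR/renewed" "$STATE_DIR/output" | "$MAILER" -s "$subject" "$NOTIFY_TO"
    return "$status"
}

# Dispatch: "run" from the scheduler, "record" from certbot's deploy hook.
case "${1:-}" in
    record) record_renewal ;;
    run)    renew_and_notify ;;
esac
```

When some certificates renew and others fail in the same pass, the failure mail lists the renewed lineages above certbot's output, so both outcomes arrive in one message.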