How to copy certificate files in manual-cleanup-hook

I have one server where certbot is installed. I get standalone certificates from this server, then copy them to other web servers.
I run certbot with the command:
certbot certonly --manual --preferred-challenges=http --http-01-port 5557 --manual-auth-hook /etc/letsencrypt/example_val.sh --manual-cleanup-hook /etc/letsencrypt/example_clean.sh -d example.com -d example2.com

example_val.sh:
#!/bin/bash
# Create the challenge directory on the web server and publish the token there.
directories=(site1 site2)
ipaddr="192.168.0.20"
for dir in "${directories[@]}"; do
  mydir="/var/www/${dir}/.well-known/acme-challenge"
  ssh "$ipaddr" "[ -d '$mydir' ] || mkdir -p '$mydir'"
  ssh "$ipaddr" "echo '$CERTBOT_VALIDATION' > '$mydir/$CERTBOT_TOKEN'"
done

/etc/letsencrypt/example_clean.sh:
#!/bin/bash
# Remove the challenge tokens, then copy the certificate to the web server.
directories=(site1 site2)
ipaddr="192.168.0.20"
for dir in "${directories[@]}"; do
  mydir="/var/www/${dir}/.well-known/acme-challenge"
  ssh "$ipaddr" "rm -f '$mydir/$CERTBOT_TOKEN'"
done
# $port is not defined in this script; it must be set in the environment.
rsync --copy-links -e "ssh -p $port" /etc/letsencrypt/live/example.com/fullchain.pem "$ipaddr:/opt/certs/cert.pem"
rsync --copy-links -e "ssh -p $port" /etc/letsencrypt/live/example.com/privkey.pem "$ipaddr:/opt/certs/key.pem"
ssh "$ipaddr" "service apache2 reload"

It gives this error:
rsync: change_dir "/etc/letsencrypt/live/example.com" failed: No such file or directory (2)
Of course there is no /etc/letsencrypt/live/example.com directory - certbot shall create it.

--manual-cleanup-hook is the wrong place to do this. You should only use it to remove challenge files.

There is a separate hook that is invoked after a certificate is issued and saved to disk. It is a suitable place to put your rsync commands:

  --deploy-hook DEPLOY_HOOK
    Command to be run in a shell once for each
    successfully issued certificate. For this command, the
    shell variable $RENEWED_LINEAGE will point to the
    config live subdirectory (for example,
    "/etc/letsencrypt/live/example.com") containing the
    new certificates and keys; the shell variable
    $RENEWED_DOMAINS will contain a space-delimited list
    of renewed certificate domains (for example,
    "example.com www.example.com" (default: None)
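A --deploy-hook script built on the $RENEWED_LINEAGE variable described above, added here as an example that is not from the original thread; the web server address, SSH port and remote directory /opt/certs are assumed from the poster's scripts.

```shell
#!/bin/bash
# Added example --deploy-hook script; not from the original thread.
# certbot runs it once per successfully issued certificate with
# RENEWED_LINEAGE (the live/ directory) and RENEWED_DOMAINS set.
# Assumed: the web server's address and SSH port, and that /opt/certs
# already exists on it.
set -eu

ipaddr="192.168.0.20"        # web server, as in the poster's scripts
port="${port:-22}"           # assumption: SSH port of the web server
remote_dir="/opt/certs"      # assumption: existing remote directory

# The hook fires for every lineage certbot renews; act only on ours.
lineage_matches() {          # $1 = lineage directory, $2 = expected name
    [ "$(basename "$1")" = "$2" ]
}

# Check the lineage before touching the web server: both files must
# exist and the private key must not be group- or world-readable.
lineage_ready() {            # $1 = lineage directory
    local dir="$1" key
    [ -f "$dir/fullchain.pem" ] || return 1
    key="$dir/privkey.pem"
    [ -f "$key" ] || return 1
    case "$(ls -lL "$key" | cut -c2-10)" in   # -L follows the live/ symlink
        rw-------|r--------) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Copy both files, then reload Apache only if both copies succeeded
# (set -e stops the script on the first failed rsync). --copy-links
# dereferences the live/ symlinks; --perms --chmod keeps the key private.
deploy_lineage() {           # $1 = lineage directory
    local dir="$1"
    rsync --copy-links --perms --chmod=F644 -e "ssh -p $port" \
        "$dir/fullchain.pem" "$ipaddr:$remote_dir/cert.pem"
    rsync --copy-links --perms --chmod=F600 -e "ssh -p $port" \
        "$dir/privkey.pem" "$ipaddr:$remote_dir/key.pem"
    ssh -p "$port" "$ipaddr" "service apache2 reload"
}

# Do nothing unless certbot invoked us (RENEWED_LINEAGE set) for example.com.
if [ -n "${RENEWED_LINEAGE:-}" ] && lineage_matches "$RENEWED_LINEAGE" "example.com"; then
    lineage_ready "$RENEWED_LINEAGE" || { echo "lineage not ready: $RENEWED_LINEAGE" >&2; exit 1; }
    deploy_lineage "$RENEWED_LINEAGE"
fi
```

Because the checks run before the first rsync, a renewal of a different lineage or a key with loose permissions never reaches the web server or triggers the reload.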
