Is it possible to persist hook settings as part of the renewal configuration?


#1

I couldn’t find any information regarding this and a quick review of the code seems to indicate that ‘hooks’ are only available as part of the CLI arguments, and they are not persisted as renewal configuration.

For certain types of automated renewal it would be a good idea to have that level of granularity (as opposed to setting the configuration at the client level).


#2

I don’t understand exactly what you’re after, sorry. Maybe it's just me; could you provide a bit more detail, or an example, please? Are you meaning in the ACME standard, or for a particular client …


#3

Apologies, I just realised this forum has a wider concern (even if I got here from certbot). Allow me to explain better below.

My question:
With certbot-auto (which announces itself via --version as letsencrypt 0.6.0), is it possible to specify an equivalent for --renew-hook at a config level instead of as part of the command line invocation?

My use case:
I am trying to set up a system in which I can only use the webroot authenticator. The generation and renewal of the certificates works correctly, the system is up, no issues there. Now my goal is to automate the renewal step so that, once the certificates are in place, the corresponding service gets restarted. I can easily do that by adding the --renew-hook parameter in the command line, but I was hoping for more specificity (as there is persisted renewal configuration per domain in the form of renewal/<FQDN>.conf files), so that the hook will get executed only if the specific domain is affected.

Thanks in advance.


#4

That’s helped me understand, thanks. I was hoping someone else would respond who knew more about certbot though, as I don’t use it - I use an alternate client. Perhaps @pfg can help?


#5

The code doesn’t have “store_true” explicitly stated, so perhaps that’s the reason. But I don’t know the default value certbot uses, as many variables have “store_true”, but also “store_false” stated…


#6

Update: As of certbot 0.10.0, the information in this post is out of date.

I don’t think it’s possible to specify --renew-hook in the .conf files located in /etc/letsencrypt/renewal, based on a quick test.

The idea behind --renew-hook is that you get a shell variable called $RENEWED_DOMAINS containing a list of renewed domains. If you need some kind of specificity (i.e. a.example.com restarts service A, b.example.com restarts service B), the recommended approach would probably be to check that variable and act based on that.

Full description of --renew-hook for your reference:

--renew-hook RENEW_HOOK
                    Command to be run in a shell once for each
                    successfully renewed certificate. For this command, the
                    shell variable $RENEWED_LINEAGE will point to
                    the config live subdirectory containing the new certs
                    and keys; the shell variable $RENEWED_DOMAINS will
                    contain a space-delimited list of renewed cert domains
                    (default: None)
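The dispatch-on-$RENEWED_DOMAINS approach described above, as an added example (not a script from the thread or from certbot): a wrapper suitable for passing as --renew-hook (on the CLI or via renew-hook in cli.ini, as later posts note) that maps each renewed domain to the service that must pick up the new certificate and reloads each affected service once. The domain-to-service mapping, service names and the DRY_RUN switch are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original thread or of certbot.
# certbot runs this once per renewed certificate with $RENEWED_DOMAINS
# (space-delimited domains) and $RENEWED_LINEAGE (live/ directory) set.
# The domain/service pairs below are constructed placeholders.

# Map one renewed domain to the service that serves it.
# Prints the service name, or nothing if no service depends on the domain.
service_for_domain() {
    case "$1" in
        a.example.com)                  echo nginx ;;
        b.example.com|mail.example.com) echo postfix ;;
        *) ;;
    esac
}

# Given the space-delimited domain list, print the unique set of services
# to reload, space-separated, in first-seen order (so one certificate
# covering several domains of the same service triggers one reload).
services_for_domains() {
    seen=""
    for d in $1; do
        s=$(service_for_domain "$d")
        [ -n "$s" ] || continue
        case " $seen " in
            *" $s "*) ;;                    # already scheduled
            *) seen="$seen $s" ;;
        esac
    done
    echo "${seen# }"
}

# Entry point for certbot. DRY_RUN=1 prints the command instead of running
# systemctl, so the logic can be exercised without root or real services.
main() {
    if [ -z "${RENEWED_DOMAINS:-}" ]; then
        echo "RENEWED_DOMAINS is empty; nothing to do" >&2
        return 0
    fi
    for s in $(services_for_domains "$RENEWED_DOMAINS"); do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: systemctl reload $s (lineage: ${RENEWED_LINEAGE:-unset})"
        else
            systemctl reload "$s"
        fi
    done
}

# Only act when certbot actually exported the renewal variables.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
    main
fi
```

Because certbot invokes the hook once per renewed certificate, a lineage that was not renewed never reaches this script, which gives the per-domain specificity asked for in the original question without editing each renewal/<FQDN>.conf file.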

#7

Great, thanks! I’ll use that approach then and create a wrapper script to manage the renewal post actions.


#8

So when people want to renew their certificate with a --renew-hook, they’ll need to specify it on the CLI?


#9

Yes.

To be fully accurate, they could also pass a config file via -c cli.ini and have a renew-hook = /path/to/hook.sh in there, but there’s probably not much of a point in doing that, given that you typically won’t need any other configuration for renew and it’s not really a whole lot shorter that way.


#10

I’m using the packaged version of certbot in Debian backports, and it already comes with a cron entry. So the only option to specify the hook is to edit the default cron entry and add the renew hook (or completely disable that cron entry and add another one).

This doesn’t look like a very good thing, because a future certbot update may need to edit the default cron entry (as the last update did). Updating certbot should be a simple apt-get upgrade IMHO; if not, the process is more error-prone than needed (one may forget to re-edit the cron line, even if the package manager points this out).

Am I missing some obvious way to specify the renew hook editing only configuration files?


#11

You can put the hook commands into the default config file /etc/letsencrypt/cli.ini. Example:

post-hook /usr/local/sbin/letsencrypt-posthook
renew-hook /usr/local/sbin/letsencrypt-renewhook

I think you can use every command line argument as option in the config file, but I’m not sure for this. At least, you can put the following things in that config file (I’ve tested them):

rsa-key-size = 4096
email = youremail@domain
authenticator = webroot
webroot-path = /var/www/letsencrypt/

If you use /etc/letsencrypt/cli.ini as config file, you do not have to specify it as command line argument (-c cli.ini), since this path is automatically searched by default!


#12

UPDATE: My bad, guys, I should’ve checked the date before posting.

Why would you say something that is complete nonsense? Of course you can specify --renew-hook in the /etc/letsencrypt/renewal/domain.tld.conf file. Simply add the line renew_hook = "your command; another command" and you’re good to go.


#13

Supplying renew_hook in a renewal configuration file was not supported until this commit, or about half a year after this topic was created.


#14

Burn :stuck_out_tongue:


#15

Which version of certbot does that commit first appear in?


#16

v0.10.0