Is there a certbot renew option for printing only errors and renewals?


#1

Debian's default is to run certbot renew -q, which should only output errors. I would like to receive a mail (i.e. cron mails when there is any output), for errors AND for successful renewals.

At the moment I just removed the -q option, but that way I get an e-mail for “nothing happened” as well.


#2

Hello @allo,

Sorry for the delay but I missed this post ;).

As far as I know there is no option to show the errors and ONLY the output on renewals, but it should be a good option to add in future releases.

I’ve the same issue and a workaround that I’m using is to use the --renew-hook option, inside this option use echo to print the message you need for every successful renewal and redirect the output of this echo command to stderr.

Something like this:

certbot-auto renew --quiet --renew-hook 'echo "\nI have renewed the cert located on ${RENEWED_LINEAGE} and this cert contains the following domains ${RENEWED_DOMAINS}\n\n" >&2' --post-hook 'service apache2 reload'

1.- You should replace certbot-auto with certbot or whatever the name of the certbot client is on your machine.
2.- Variable ${RENEWED_LINEAGE} will point to the config live subdirectory containing the new certs and keys.
3.- Variable ${RENEWED_DOMAINS} will contain a space-delimited list of renewed cert domains.
4.- The trick is to redirect stdout to stderr with >&2 on the echo command so you will be notified of successful renewals.
5.- You can use --post-hook to reload your services, in this example I’m reloading apache so change it to fit your needs.

The mail that you will receive will have this look:

Error output from None:

I have renewed the cert located on /etc/letsencrypt/live/yourdomain.tld and this cert contains the following domains yourdomain.tld example1.yourdomain.tld example2.yourdomain.tld otherdomain.tld

It is not a pretty output but enough to be informed about the renewed domain and not be spammed by your own cron service every time the certbot renew command is issued ;).

I hope this helps.

Cheers,
sahsanu
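
Building on the workaround in post #2, an added example (not from the thread or from the certbot project): a cron wrapper that keeps -q, has the renew hook append one line per renewed certificate to a temporary file, and prints only when something was renewed or certbot reported an error. The names CERTBOT, HOOK, NOTICE_FILE and renew_and_report are assumptions, as is the hook inheriting the wrapper's environment.

```shell
#!/bin/sh
# Added example: cron wrapper that is silent unless a cert was renewed or certbot failed.
# Assumed names: CERTBOT, HOOK, NOTICE_FILE, renew_and_report (not part of certbot).

CERTBOT="${CERTBOT:-certbot}"   # change to certbot-auto if that is your client

# Runs once per renewed certificate. RENEWED_LINEAGE and RENEWED_DOMAINS are set
# for the hook by certbot; NOTICE_FILE is assumed to be inherited from this wrapper.
# printf is used because echo's handling of "\n" differs between shells.
HOOK='printf "Renewed %s for: %s\n" "$RENEWED_LINEAGE" "$RENEWED_DOMAINS" >> "$NOTICE_FILE"'

renew_and_report() {
    NOTICE_FILE=$(mktemp) || return 1
    log=$(mktemp) || { rm -f "$NOTICE_FILE"; return 1; }
    export NOTICE_FILE
    status=0
    # -q keeps the "not yet due for renewal" lines out of the log.
    "$CERTBOT" renew -q --renew-hook "$HOOK" >"$log" 2>&1 || status=$?
    [ "$status" -eq 0 ] || echo "certbot renew exited with status $status"
    cat "$log"           # errors only (empty on a clean run)
    cat "$NOTICE_FILE"   # one line per renewed certificate (empty if none)
    rm -f "$NOTICE_FILE" "$log"
    return "$status"
}

# Cron entry point: "/path/to/this-script run". Any output becomes the cron mail.
case "${1:-}" in
    run) renew_and_report ;;
esac
```

Because the notices go through a file rather than stderr, the mail contains only the renewal lines and any certbot errors.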


#3

That’s a working solution. I think it would be a nice feature to integrate more such options per default (or plugin?), but it will work. And I will need some renew/post-hooks anyway, for reloading different services using the same certificate.


#4

Another issue with the letsencrypt renew line with -q removed: there seems to be some kind of race condition:

-------------------------------------------------------------
Processing /etc/lCert not yet due for renewal
Cert not yet due for renewal
Cert not yet due for renewal
Cert not yet due for renewal
Cert not yet due for renewal
Cert not yet due for renewal
Cert not yet due for renewal
Cert not yet due for renewal
Cert not yet due for renewal
etsencrypt/renewal/domain.tld.conf
-------------------------------------------------------------------------------
