Hi, I'm running certbot_renewal to renew multiple SSL certificates at the same time. I would like to run a script at the end of the multiple SSL certificated renewal. Should I write my script into the deploy or post hook? I want to run my app only after the last renewed SSL certificate.
Thank you for the help
Marcello
Hi @mgiannoni,
In this case, I think that you will want to use --post-hook:
--post-hook, the hook will only be executed once, after all of the renewal attempts have been made.Please show the command script file:
hi _az , thank you very much for answering my question, this is what I was looking for. Yes my multiple ssl certificates have the same script under /etc/letsencrypt/renewal-hooks/post
Thank you again.
Marcello
Isn't that supposed to be a --deploy-hook? A --post-hook will be run after every attempted renewal, successful or not. A --deploy-hook will only be run after every successful renewal.
It is a cronjob
5 0 * * * sleep $(( RANDOM % 3600 )) && /usr/local/bin/certbot_renew
Yes, good catch. I updated my answer. Thanks.
I just run a test on 11 ssl certificate to renew so I put a script in the deploy and post hoot as follow:
for the deploy hook:
now =$(date)
echo "$now" >> /root/sysmgm/scripts/acme/test/howmanydeploy.txt
for the post hook:
now =$(date)
echo "$now" >> /root/sysmgm/scripts/acme/test/howmanypost.txt
result:
The file hownamnydeploy.txt was written every ssl cert renewal as follow:
Mon Dec 13 00:38:24 PST 2021
Mon Dec 13 00:38:34 PST 2021
Mon Dec 13 00:38:47 PST 2021
Mon Dec 13 00:39:05 PST 2021
Mon Dec 13 00:39:16 PST 2021
Mon Dec 13 00:39:28 PST 2021
Mon Dec 13 00:39:40 PST 2021
Mon Dec 13 00:39:51 PST 2021
Mon Dec 13 00:40:08 PST 2021
Mon Dec 13 00:40:19 PST 2021
Mon Dec 13 00:40:36 PST 2021
The file howmanypost was written only one time:
Mon Dec 13 00:40:41 PST 2021
From the date you can see that the howmaypost was written only once at the end of the all multiple ssl renewal.
I deduct that the post-hook script is called only once at the end of the renewal process..
Thanks
Marcello
I repeat myself:
Your post implies that you only want to run your script once (after all renewals have been processed).
But the question is:
Do you want to only run when a cert has been renewed OR do you always want it to run after each renewal check?
But wouldn't it do that once always (no matter if any certs were renewed or not)?
I do want to run my script only when a cert or multiple certs is/are renewed.
Last request:
Hence why _az said:
Does your renewal script have --force-renewal in it? If so, that's very bad and needs to be fixed by removing that parameter.
That presumes the use of certbot renew.
The shown use is certbot_renewal.
yes you are correct the exact command I'm using is : certbot renew!
In the previous post I didn't realize that I posted an ansible wrapper for the same command, my ansible certbot_renew (not certbot_renewal this was a typo) contains the following code:
#!/bin/bash
PATH =/sbin:/bin:/usr/sbin:/usr/bin
web_srv_proc =$(lsof -i:80 | tail -1 | awk '{ print $1 }')
firewall-cmd -q --zone=public --add-port=80/tcp
if [ ! -z "${web_srv_proc}" ] ; then
certbot renew --quiet --pre-hook "systemctl stop ${web_srv_proc}" --post-hook "systemctl start ${web_srv_proc}"
else
certbot renew --quiet
fi
firewall-cmd -q --zone=public --remove-port=80/tcp
But wouldn't it do that once always (no matter if any certs were renewed or not)?
Yes in my case I can run it once always that will work, no matter if any certs were renewed or not.
You can probably replace those with just:
--post-hook "systemctl reload ${web_srv_proc}"
And you can probably replace that with:
--deploy-hook "systemctl reload ${web_srv_proc}"
And you can probably replace the 11 calls to it:
With one single call.
[certbot will try to renew all the certs that it manages within each call]
But, as always, test test test [first].
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.