Permissions for deploy script

I'm trying to set up a deploy script to import a renewed certificate into a Java keystore and seem to be running into permissions issues. The code being run is:


# Convert the private key and certificate to a PKCS12 file
openssl pkcs12 -export -in /etc/letsencrypt/live/ **DOMAIN_SUBDOMAIN** /fullchain.pem -inkey /etc/letsencrypt/live/ **DOMAIN_SUBDOMAIN** /privkey.pem -out /etc/letsencrypt/live/ **DOMAIN_SUBDOMAIN** /pkcs.p12 -name **KEYCLOAK_SSL_ALIAS** -passout pass: **KEYCLOAK_SSL_PASSWORD**

# Remove the old certificate from our keystore
keytool -delete -noprompt -alias **KEYCLOAK_SSL_ALIAS** -keystore /opt/keycloak/current/standalone/configuration/keycloak.jks -storepass **KEYSTORE_PASSWORD**

# Import the new certificate to our keystore
keytool -importkeystore -deststorepass **KEYSTORE_PASSWORD** -destkeypass **KEYCLOAK_SSL_PASSWORD** -destkeystore /opt/keycloak/current/standalone/configuration/keycloak.jks -srckeystore /etc/letsencrypt/live/ **DOMAIN_SUBDOMAIN** /pkcs.p12 -srcstoretype PKCS12 -srcstorepass **KEYCLOAK_SSL_PASSWORD** -alias **KEYCLOAK_SSL_ALIAS**

# Restart Keycloak
systemctl restart keycloak

The file is executable. For testing I have put this in the post folder. If I run
sudo certbot renew --dry-run

I get:
Error output from post-hook command
Importing keystore /etc/letsencrypt/live/ to /opt/keycloak/current/standalone/configuration/keycloak.jks...

But no actual detail.

If I run the script directly with:
sudo ./

it works fine.

This is on Ubuntu 20.04. How should Certbot and this script be set up/installed/permissions applied for the script to run successfully? Many thanks for any pointers.

That's not a certbot issue, but an issue of the commands in your script. The only thing certbot does, is relay the output of the script.

Not sure, maybe keytool requires some specific environment (variables?) not present when ran through certbot?

No there are no variables missing. Would this script be running as root if Certbot is triggering it to run?

If I run it without sudo I get a bunch of permissions issues which would be expected.

It would be running as the same user as certbot.

@soundsessential, you could consider including

set -x

in the script to make bash show all of the full command lines as they're run.

Are the ** things like **KEYCLOAK_SSL_PASSWORD** literally part of the script, or do they represent a redaction on your part of things that you didn't want to share here on the forum? If they're literally in this form in the script, then I wouldn't expect them to work because bash wouldn't have a way of figuring out what each of these values is supposed to be.

Thanks for the replies. I figured it out, this is not actually an error even though it says it is. All’s good!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.