Post-hook stuck while renew standalone cert


#1

Hi everyone, I have a problem renewing a standalone cert.
I requested a certificate using certbot-auto with this syntax and it worked pretty well

./certbot-auto certonly --standalone -d domain1.tld -d domain2.tld -d domain3.tld

Now I’m doing some dry runs to try my renewal cron using this syntax

./certbot-auto renew --pre-hook "killall /usr/sbin/sslh" --post-hook "service sslh start" --dry-run

The problem I have is that certbot-auto seems stuck during the execution of the post-hook command. It stays stuck until I stop it with CTRL+C, which returns this error on the console:

Running post-hook command: service sslh start
^CExiting abnormally:
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in
sys.exit(main())
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 1365, in main
return config.func(config, plugins)
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 1274, in renew
hooks.run_saved_post_hooks()
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/hooks.py", line 153, in run_saved_post_hooks
_run_hook(cmd)
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/hooks.py", line 232, in _run_hook
err, _ = execute(shell_cmd)
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/hooks.py", line 245, in execute
out, err = cmd.communicate()
File "/usr/lib64/python2.7/subprocess.py", line 479, in communicate
return self._communicate(input)
File "/usr/lib64/python2.7/subprocess.py", line 1098, in _communicate
stdout, stderr = self._communicate_with_poll(input)
File "/usr/lib64/python2.7/subprocess.py", line 1152, in _communicate_with_poll
ready = poller.poll()
KeyboardInterrupt
Please see the logfiles in /var/log/letsencrypt for more details.

Checking /var/log/letsencrypt, I have this exception:

2019-02-14 19:06:34,600:DEBUG:certbot.updater:Skipping updaters in dry-run mode.
2019-02-14 19:06:34,601:DEBUG:certbot.renewal:no renewal failures
2019-02-14 19:06:34,601:INFO:certbot.hooks:Running post-hook command: service sslh start
2019-02-14 19:06:43,001:ERROR:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in
sys.exit(main())
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 1365, in main
return config.func(config, plugins)
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 1274, in renew
hooks.run_saved_post_hooks()
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/hooks.py", line 153, in run_saved_post_hooks
_run_hook(cmd)
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/hooks.py", line 232, in _run_hook
err, _ = execute(shell_cmd)
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/hooks.py", line 245, in execute
out, err = cmd.communicate()
File "/usr/lib64/python2.7/subprocess.py", line 479, in communicate
return self._communicate(input)
File "/usr/lib64/python2.7/subprocess.py", line 1098, in _communicate
stdout, stderr = self._communicate_with_poll(input)
File "/usr/lib64/python2.7/subprocess.py", line 1152, in _communicate_with_poll
ready = poller.poll()
KeyboardInterrupt

Do you have any idea why it gets stuck in this way?
Maybe the exit status from the post-hook command? I checked it and it always returns zero.
I checked the processes and, despite the post-hook execution being stuck, sslh is started normally by the post-hook command and killed normally by the pre-hook command.

OS: CentOS 6.10 x64
Certbot 0.31.0
sslh (ssl/ssh multiplexer) listening on port 80
Apache listening on port 8080 (http) and 443 (https)

Thanks for any help


#2

Seems a little weird to use killall in the pre-hook and then /sbin/service in the post-hook. Have you tried using /sbin/service to stop the service as well?


#3

Okay. I tried running sslh (with great trouble, the package in CentOS 6 EPEL ships a config that segfaults and the init script is misconfigured … great).

I think the problem with Certbot is this bug: https://github.com/certbot/certbot/issues/5424

The workaround is in /etc/init.d/sslh, change:

"$SSLH" "${DAEMON_OPTS}"

to

"$SSLH" "${DAEMON_OPTS}" > /dev/null 2>&1

I think the init script keeping stderr open causes Certbot to hang.
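The hang described in this reply can be reproduced without sslh or Certbot. The script below is an added example, not Certbot's code and not from the thread: it runs a hook the same way Certbot's `hooks.execute()` does (`Popen` with piped stdout/stderr, then `communicate()`), but under Python 3 with a timeout so a hang is reported instead of blocking. The two hook commands are constructed stand-ins for the init script: a background `sleep` that keeps the hook's stdout/stderr pipes open (the daemon case), and the same `sleep` with the `> /dev/null 2>&1` redirection the reply suggests.

```python
import subprocess

# Constructed hook commands (not from the thread). The hook shell exits at once
# in both cases; the difference is whether the background child it leaves behind
# still holds the write end of the caller's stdout/stderr pipes.
HOOK_LEAKS_PIPES = "sleep 3 & exit 0"
HOOK_REDIRECTED = "sleep 3 >/dev/null 2>&1 & exit 0"


def run_hook(shell_cmd, timeout=1.0):
    """Run a hook with piped stdout/stderr and wait for EOF on both, which is
    what Popen().communicate() does. Returns (completed, returncode, stderr).

    completed is False when communicate() did not return within `timeout`,
    i.e. something downstream of the hook still holds our pipes open even
    though the hook shell itself may already have exited.
    """
    proc = subprocess.Popen(
        shell_cmd, shell=True,
        stdout=subprocess.PIPE, stderr=subprocess.PIPE,
    )
    try:
        _out, err = proc.communicate(timeout=timeout)
    except subprocess.TimeoutExpired:
        # Close our read ends so we stop waiting on the leaked writer, then
        # reap the hook shell (kill() is a no-op if it has already exited).
        proc.stdout.close()
        proc.stderr.close()
        proc.kill()
        proc.wait()
        return (False, proc.returncode, "")
    return (True, proc.returncode, err.decode(errors="replace"))


def compare_hooks():
    """Run both constructed hooks and report whether each one completed."""
    leak_done, leak_rc, _ = run_hook(HOOK_LEAKS_PIPES)
    fixed_done, fixed_rc, _ = run_hook(HOOK_REDIRECTED)
    return {
        "leaks_pipes": {"completed": leak_done, "returncode": leak_rc},
        "redirected": {"completed": fixed_done, "returncode": fixed_rc},
    }


if __name__ == "__main__":
    for name, result in compare_hooks().items():
        state = "returned" if result["completed"] else "HUNG (timeout)"
        print(f"{name:12s} exit={result['returncode']} -> {state}")
```

The hook shell returns exit status 0 in both runs, which matches the observation in the first post that the exit status was always zero: the blocking happens after the hook has exited, inside `communicate()`, and ends only when the last process holding the pipe goes away. Any daemon a hook starts should therefore detach its stdout and stderr (or the init script should redirect them), otherwise the renewal job blocks for as long as the daemon runs.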


#4

I noticed that also on shutdown the sslh init script is a bit strange, and sometimes it doesn't close all the processes, so I switched to killall.

Works perfectly now, thank you very much :grinning:

