2020-12-04 11:35:31,983:INFO:certbot.hooks:Running post-hook command: env ; /usr/local/bin/copy-certs-mta.sh
2020-12-04 11:35:32,354:INFO:certbot.hooks:Output from env:
LANGUAGE=es_AR:es
JOURNAL_STREAM=9:180581844
COLUMNS=80
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
INVOCATION_ID=b33a28737e294c73876e9dd134f1d4ce
LANG=es_AR.UTF-8
PWD=/
LINES=24
It looks as if it does not preserve the environment, does it?
2020-12-04 11:35:32,354:ERROR:certbot.hooks:Hook command "env ; /usr/local/bin/copy-certs-mta.sh" returned error code 1
2020-12-04 11:35:32,354:ERROR:certbot.hooks:Error output from env:
root@mx1.silicon-aid.com: Permission denied (publickey).
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: unexplained error (code 255) at io.c(235) [sender=3.1.3]
root@mx1.silicon-aid.com: Permission denied (publickey).
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: unexplained error (code 255) at io.c(235) [sender=3.1.3]
root@mx1.silicon-aid.com: Permission denied (publickey).
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: unexplained error (code 255) at io.c(235) [sender=3.1.3]
For example, JOURNAL_STREAM is injected by systemd as it launches Certbot, and you're seeing it in the hook execution. From that, I would say that the environment is preserved. I do not think that Certbot would strip SSH_AUTH_SOCK, there's no logic like that.
What I suspect instead is that processes started by systemd timers are outside of the process hierarchy where SSH_AUTH_SOCK is available.
I tried the same thing on my machine (just a simple timer, not Certbot), and indeed there was no SSH_*.
I'm no expert on how this all works, but that seems intuitive to me. Your SSH agent is created by your tty or desktop environment or whatever. Your systemd timers are not descendants of those, so they wouldn't inherit anything from them.
I think you would have to figure out how to:
Start up the ssh-agent -s independently of your tty and run ssh-add etc with your passphrases. Also, importantly, preserve the SSH_AUTH_SOCK=... output and store it somewhere.
In your --deploy-hook, restore the SSH_AUTH_SOCK value before calling rsync.
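The two steps above written out as a script. This is an added example, not code from the thread; the env file path /run/certbot-ssh-agent.env and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): persist the SSH_AUTH_SOCK of an agent
# started outside any tty, then restore it inside the certbot hook before rsync.
# Assumed location for the stored socket path (not from the thread):
AGENT_ENV_FILE="${AGENT_ENV_FILE:-/run/certbot-ssh-agent.env}"

# Read `ssh-agent -s` output on stdin and keep only the SSH_AUTH_SOCK
# assignment, written so a hook can parse or source it later.
# ssh-agent -s prints lines like:
#   SSH_AUTH_SOCK=/tmp/ssh-abc/agent.123; export SSH_AUTH_SOCK;
#   SSH_AGENT_PID=124; export SSH_AGENT_PID;
save_agent_sock() {
  sock=$(sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p')
  [ -n "$sock" ] || return 1
  # root-only file: whoever can read the path can talk to the agent's socket
  ( umask 077; printf 'SSH_AUTH_SOCK=%s\n' "$sock" > "$AGENT_ENV_FILE" )
  printf '%s\n' "$sock"
}

# Print the stored socket path, or nothing if the file is absent.
read_agent_sock() {
  [ -r "$AGENT_ENV_FILE" ] || return 1
  sed -n 's/^SSH_AUTH_SOCK=//p' "$AGENT_ENV_FILE"
}

# Export SSH_AUTH_SOCK for this hook; fail loudly if the agent is gone so
# certbot's log shows the real cause instead of "Permission denied (publickey)".
restore_agent_sock() {
  sock=$(read_agent_sock) || { echo "no agent env file at $AGENT_ENV_FILE" >&2; return 1; }
  [ -S "$sock" ] || { echo "agent socket '$sock' is not present" >&2; return 1; }
  SSH_AUTH_SOCK="$sock"
  export SSH_AUTH_SOCK
}

# One-time setup, run outside any tty (for example from its own oneshot unit):
#   ssh-agent -s | save_agent_sock
#   ssh-add /root/.ssh/id_ecdsa
# At the top of copy-certs-mta.sh (the --deploy-hook):
#   restore_agent_sock && rsync -a /etc/letsencrypt/live/ root@mx1.example.test:/etc/letsencrypt/live/
```

The agent started this way must outlive the timer and be restarted (and the env file rewritten) after every reboot, otherwise restore_agent_sock fails on the stale socket path.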
debug1: read_passphrase: can't open /dev/tty: No such device or address
Something like this should happen:
debug2: sign_and_send_pubkey: using private key "/root/.ssh/id_ecdsa" from agent for certificate
I am reporting this here because if I create a systemd unit by hand, a timer with rsync and ssh works well (it uses the agent and files are copied), but not with certbot...