Renew_hook in the /renewal/domain.conf file?

Hello,

I have an executable letsencrypt.sh file containing a command line to send the fullchain.pem file by ssh:

root@aaa:~# cat /root/letsencrypt.sh 
sftp -P zzz sftpuser@xxx.xxx.xxx.xxx:letsencrypt <<< $'put /etc/letsencrypt/live/my.domain/fullchain.pem'

If I execute this .sh file (root@aaa:~# ./letsencrypt.sh or root@aaa:~# /root/letsencrypt.sh) it does the job.

Now I want that script to be executed every time certbot renews the letsencrypt certificate, so I added the following line in the file /etc/letsencrypt/renewal/my.domain.conf:
renew_hook = /root/letsencrypt.sh

Unfortunately, it doesn't work. When I look at the logs just after the renewal of the letsencrypt certificate by certbot, I find:

2023-06-24 21:50:02,334:DEBUG:certbot._internal.storage:Writing new config /etc/letsencrypt/renewal/my.domain.conf.new.
2023-06-24 21:50:02,335:INFO:certbot.compat.misc:Running deploy-hook command: /root/letsencrypt.sh
2023-06-24 21:50:02,340:ERROR:certbot.compat.misc:deploy-hook command "/root/letsencrypt.sh" returned error code 2
2023-06-24 21:50:02,340:ERROR:certbot.compat.misc:Error output from deploy-hook command letsencrypt.sh:
/root/letsencrypt.sh: 1: Syntax error: redirection unexpected

Does anyone know why it doesn't work? What does this "Syntax error: redirection unexpected" error mean?

This stackoverflow answer suggests specifying a shebang line.

5 Likes

I'll try, check if it works for the next renewal (which is supposed to happen tonight) and let you know if that solves the problem.
I also changed
renew_hook = /root/letsencrypt.sh
into
renew_hook = bash /root/letsencrypt.sh

You can test a deploy hook any time like this:

certbot renew --dry-run --run-deploy-hooks

--run-deploy-hooks

When performing a test run using --dry-run or reconfigure, run any applicable deploy hooks. This includes hooks set on the command line, saved in the certificate's renewal configuration file, or present in the renewal-hooks directory. To exclude directory hooks, use --no-directory-hooks. The hook(s) will only be run if the dry run succeeds, and will use the current active certificate, not the temporary test certificate acquired during the dry run.

3 Likes

I find it best practice to always spell out the entire path, like:
/bin/bash

3 Likes

What's the purpose of that put command? My bash doesn't recognise it, I don't have it installed on my Linux and I personally don't know it.

2 Likes

@Osiris, put is an FTP command - used to upload a file [get is used to download]

3 Likes

I dunno guys... I'd simplify it a bit: (requires ssh key access)
Secure copy is easier to wrap your head around than secure ftp. Assuming sftp is not the only means of access.


scp -p -P "$DEST_PORT" /etc/letsencrypt/live/my.domain/fullchain.pem root@"$DEST_SERVER":/path/to/where/you/want/it/to/go/fullchain.pem
-p = preserve attributes
-P "$DEST_PORT" = replace with your destination port (hopefully not 22)
root@"$DEST_SERVER" = USER@my.domain

My 2 cents

3 Likes

root@aaa:~# cat /root/letsencrypt.sh

#!/bin/bash
sftp -P zzz sftpuser@xxx.xxx.xxx.xxx:letsencrypt <<< $'put /etc/letsencrypt/live/my.domain/fullchain.pem'

and adding at the end of /etc/letsencrypt/renewal/my.domain.conf the line
post_hook = bash /root/letsencrypt.sh

it works!!!

Next question.

Is it better to write

post_hook = bash /root/letsencrypt.sh
or
renew_hook = bash /root/letsencrypt.sh

I guess I'll write /bin/bash instead of bash indeed to make it best practice then.

1 Like

Why is scp better than sftp?

For security reasons, I limited the use of ssh only to sftp but I don't know if it's a good idea.

post_hook runs on every certbot renew invocation, regardless of whether or not the certificate was actually renewed. renew_hook runs only when there was a successful renewal.

4 Likes

Just offering an alternative for you. It is your choice to use whatever works and is comfortable for you. 🙂

4 Likes

So, to summarize, the solution is

root@aaa:~# cat /root/letsencrypt.sh
#!/bin/bash
sftp -P zzz sftpuser@xxx.xxx.xxx.xxx:letsencrypt <<< $'put /etc/letsencrypt/live/my.domain/fullchain.pem'

and to add the following line in the file /etc/letsencrypt/renewal/my.domain.conf:
renew_hook = bash /root/letsencrypt.sh

2 Likes
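As an added example (not code posted by anyone in this thread), here is a version of the hook script that applies the points raised above: it carries a shebang, it uses sftp batch mode instead of the bash-only `<<<` here-string (which is exactly what /bin/sh rejected with "Syntax error: redirection unexpected"), it reads the lineage directory from the RENEWED_LINEAGE variable that certbot exports to deploy/renew hooks (so it fits renew_hook rather than post_hook), and it checks that fullchain.pem actually exists before starting a transfer. The host, port, user and remote directory are hypothetical placeholders; since certbot runs hooks as root, keep the script owned by root and mode 700.

```shell
#!/bin/bash
# Added example of a certbot renew_hook that uploads fullchain.pem over sftp.
# Not code from the thread. Connection values below are constructed placeholders.
set -eu

SFTP_HOST="${SFTP_HOST:-sftp.example.invalid}"   # placeholder, replace
SFTP_PORT="${SFTP_PORT:-2222}"                   # placeholder, replace
SFTP_USER="${SFTP_USER:-sftpuser}"               # placeholder, replace
REMOTE_DIR="${REMOTE_DIR:-letsencrypt}"          # directory on the sftp server

# Lineage used when run by hand; certbot sets RENEWED_LINEAGE for renew hooks.
DEFAULT_LINEAGE="/etc/letsencrypt/live/my.domain"

# Produce the sftp batch commands for one lineage directory.
# Batch mode (-b) is understood by any /bin/sh, unlike the bash-only '<<<'.
make_sftp_batch() {
  lineage="$1"
  printf 'put %s/fullchain.pem %s/fullchain.pem\n' "$lineage" "$REMOTE_DIR"
}

# Refuse to run sftp at all if the lineage or its fullchain.pem is missing,
# so a misconfigured path fails loudly in certbot's log instead of silently.
check_lineage() {
  lineage="$1"
  [ -d "$lineage" ] || { echo "lineage directory missing: $lineage" >&2; return 1; }
  [ -r "$lineage/fullchain.pem" ] || { echo "fullchain.pem unreadable in $lineage" >&2; return 1; }
  return 0
}

# Upload via a temporary batch file; sftp -b exits non-zero when a command
# fails, so certbot reports the error code exactly as it did in the thread.
upload_fullchain() {
  lineage="$1"
  check_lineage "$lineage"
  batch="$(mktemp)"
  trap 'rm -f "$batch"' EXIT
  make_sftp_batch "$lineage" > "$batch"
  sftp -P "$SFTP_PORT" -b "$batch" "$SFTP_USER@$SFTP_HOST"
}

# Transfer only when invoked as a hook (RENEWED_LINEAGE set) or explicitly
# with --upload, so merely sourcing the file never touches the network.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  upload_fullchain "$RENEWED_LINEAGE"
elif [ "${1:-}" = "--upload" ]; then
  upload_fullchain "${2:-$DEFAULT_LINEAGE}"
fi
```

With the shebang and `chmod 700 /root/letsencrypt.sh`, the renewal config line can simply be `renew_hook = /root/letsencrypt.sh`. To exercise it by hand run `/root/letsencrypt.sh --upload`, or use `certbot renew --dry-run --run-deploy-hooks` as suggested earlier in the thread, which runs the hook against the current live certificate.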
