Renewal deploy hooks not firing with manual_auth_hook


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
*.tokus.cc, *.mojo.fyi, *.mojomail.cc

I ran this command:
certbot renew --manual-auth-hook /path/to/hook.sh

It produced this output:
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/mojo.fyi-wildcard/fullchain.pem

My web server is (include version):
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2018-04-18T14:53:04

The operating system my web server runs on is (include version):
Ubuntu 16.04 fully updated

My hosting provider, if applicable, is:
chicagovps

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I am using a manual auth hook for performing DNS updates for wildcard certificates on Namesilo. The code for that script can be found here. Updates happily occur as expected; however, renewal deploy hooks do not trigger. Am I missing something?


#2

Hi @joshp23

checking your mojomail.cc:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:mojomail.cc&lu=cert_search

There are two certificates - 2018-05-21 and 2018-07-20 (six days old). When calling https://mojomail.cc/, this new certificate is used.

So all looks fine.

Your other domains: https://tokus.cc/ has the wrong certificate (only mojo.fyi), https://mojo.fyi/ has a new certificate (2018-06-28).

So the renewal of mojomail.cc looks good.

PS: You have no wildcard. Ok, now I see the problem. You also have two wildcard certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:true;domain:mojomail.cc&lu=cert_search

But you want one certificate with two names - *.mojomail.cc and mojomail.cc.

So you can’t use --renew. First, you have to create one certificate with both names, then you can renew it.


#3

I updated the question to reflect that I am only concerned about the wildcard certificates.

I do not care about one certificate with two domains.

The question that I am asking (quoting you quoting me, emphasis added) is


#4

How are you passing the deploy hooks to Certbot? Your original command did not specify one (only an auth hook):

Are you instead using /etc/letsencrypt/renewal-hooks/? Are they executable?

ls -laR /etc/letsencrypt/renewal-hooks

Do your Let’s Encrypt logs (/var/log/letsencrypt/letsencrypt.log) mention the hooks at all?
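The check suggested in this reply, as an added example that is not part of the original thread or of Certbot itself: Certbot only runs the files under /etc/letsencrypt/renewal-hooks/{pre,deploy,post} that are regular files with the executable bit set, and silently ignores the rest. The script below walks such a tree and lists every hook that would be skipped for that reason; the sample tree it builds under mktemp is constructed for the demo (the deploy script intentionally lacks chmod +x, the pre hook has it), and the function and file names are assumptions, not Certbot's.

```shell
#!/bin/sh
# Added example: audit a certbot renewal-hooks tree for hook scripts that will
# be silently skipped because they are not executable.
# Assumption: certbot executes only regular, executable files found directly in
# renewal-hooks/pre, renewal-hooks/deploy and renewal-hooks/post.

# Print, one per line, every regular file in the three hook stage directories
# that lacks the executable bit (i.e. that certbot would ignore).
unexecutable_hooks() {
  hooks_root="$1"
  for stage in pre deploy post; do
    for f in "$hooks_root/$stage"/*; do
      # An unmatched glob stays literal and fails the -f test, which is harmless.
      [ -f "$f" ] && [ ! -x "$f" ] && echo "$f"
    done
  done
  return 0
}

# Set the executable bit on every hook reported by unexecutable_hooks.
fix_unexecutable_hooks() {
  unexecutable_hooks "$1" | while IFS= read -r f; do
    chmod +x "$f"
    echo "fixed: $f"
  done
}

# Constructed sample tree (not a real /etc/letsencrypt): a deploy hook that
# was saved without chmod +x and a pre hook that was made executable.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/pre" "$root/deploy" "$root/post"
  printf '#!/bin/sh\nsystemctl reload apache2\n' > "$root/deploy/deploy.sh"
  printf '#!/bin/sh\necho pre\n' > "$root/pre/pre.sh"
  chmod +x "$root/pre/pre.sh"
  echo "$root"
}

# Stand-alone run: report on the constructed tree, then on the real one if present.
if [ "${RUN_DEMO:-1}" = 1 ]; then
  demo=$(make_sample_tree)
  echo "Hooks certbot would skip under $demo:"
  unexecutable_hooks "$demo"
  rm -rf "$demo"
  if [ -d /etc/letsencrypt/renewal-hooks ]; then
    echo "Hooks certbot would skip under /etc/letsencrypt/renewal-hooks:"
    unexecutable_hooks /etc/letsencrypt/renewal-hooks
  fi
fi
```

Run it as root on the server to get the same answer as reading `ls -laR` output by eye; if it prints a path, `chmod +x` that file (or call `fix_unexecutable_hooks /etc/letsencrypt/renewal-hooks`) before the next renewal.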


#5

Yes and OOPS! I had /etc/letsencrypt/renewal-hooks/deploy/deploy.sh and forgot to make it executable! Thanks for that! :crazy_face: <— state of my brain as grad school is finishing up


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.