Return code to renew and create a new certificate


#1

Hi, I would like to see some type of return code on success, to be able to run a script if the certificate is renewed.


#2

Which client are we talking about? Your thread is quite brief…

If you’re talking about certbot, have you seen the documentation about the usage of the different kinds of hooks?


#3

Nope, like this:

man ls:

Exit status:
   0      if OK,
   1      if minor problems (e.g., cannot access subdirectory),
   2      if serious trouble (e.g., cannot access command-line argument).

#4

I know what an exit status is…

Unfortunately, if you don’t provide any information, we can’t help you with anything… I can’t even point you to a GitHub issue page, as you haven’t told us which client you’re using!!! Or are you expecting us to use some magic or a crystal ball to see what you mean?


#5

Sorry Osiris, I will try to explain myself better (my English is bad).

I use letsencrypt to renew my certificates:

letsencrypt renew

The problem is: after this I propagate my new certificate across my services, like the webserver, exim, etc.

Normally I use the exit status to verify whether there was a renewal or not (but letsencrypt always exits with 0).

I execute the script every month; I would like to execute the propagation only if there is a new certificate, to avoid loss of service.

I would like “letsencrypt” to have some type of (documented) exit codes to activate the propagation of the new certificate only in this case, not every time I execute the script…

Is it clear now?


#6

Yes, it is.

Unfortunately, I have an answer you probably don’t want to hear. Mid 2016, someone already asked for this feature, but it was declined in favor of the “hooks” I mentioned before. In that issue, the reason for “won’t fix” is:

we used --renew-hook instead of exit status because exit status has too many constraints and limitations. For instance, cron will view any return code except 0 as a failure, but (as you’ve noticed) there is more than one type of success that is possible, including “nothing happened” and “a cert was due for renewal and was successfully renewed”.

The fact that you’re using letsencrypt as the command makes me think you’re using quite an old version of the official client. The client called letsencrypt was renamed to certbot a while back. I’m not sure if your version has the aforementioned --renew-hook option; you can check by running letsencrypt --help renew.
If the hook options aren’t present, you might want to consider updating your client. Are you using Ubuntu 16.04 LTS by any chance? If so, the official documentation for that distro/version has been updated to use a PPA (Personal Package Archive) so that Ubuntu users can also use the most recent version of certbot.
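The hook approach from the reply above, as an added example that is not part of the thread or of the certbot project: a script that certbot runs only after a certificate was actually renewed, which replaces the exit-status check the original poster wanted. certbot passes the renewed lineage directory in RENEWED_LINEAGE and the domain names in RENEWED_DOMAINS; the hook is attached with --renew-hook on the 0.9.x client (or placed under /etc/letsencrypt/renewal-hooks/deploy/ on newer certbot). The destination directory /etc/exim4/tls, the service names and the script path are assumptions for this host.

```shell
#!/bin/sh
# Added example (not from the thread or the certbot project): a hook that
# certbot runs only when a certificate was actually renewed, which is what
# the thread wants instead of an exit status. Hooked in with
#   certbot renew --renew-hook /usr/local/sbin/propagate-cert.sh   (0.9.x era)
# or dropped into /etc/letsencrypt/renewal-hooks/deploy/ on newer certbot.
# certbot exports RENEWED_LINEAGE (the live/<name> directory) and
# RENEWED_DOMAINS (space-separated names) to the hook.
# The destination directory and service names below are assumptions.

# propagate_cert LINEAGE_DIR DEST_DIR
# Copy fullchain.pem and privkey.pem from the renewed lineage into DEST_DIR.
# Returns 0 on success, 1 if the lineage is incomplete or a copy fails,
# so a half-deployed certificate never triggers a service reload.
propagate_cert() {
    lineage=$1
    dest=$2
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$lineage/$f" ]; then
            echo "propagate_cert: missing or unreadable $lineage/$f" >&2
            return 1
        fi
    done
    old_umask=$(umask)
    umask 077                      # new files start private to the owner
    mkdir -p "$dest" \
        && cp "$lineage/fullchain.pem" "$dest/fullchain.pem" \
        && cp "$lineage/privkey.pem" "$dest/privkey.pem"
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return 1
    chmod 0644 "$dest/fullchain.pem"   # the chain is public
    chmod 0600 "$dest/privkey.pem"     # the key is not
    return 0
}

# reload_services: tell each daemon to pick up the new files.
# Service names are assumptions; adjust for the host.
reload_services() {
    for svc in apache2 exim4; do
        service "$svc" reload || echo "reload of $svc failed" >&2
    done
}

# Only act when certbot invoked us as a hook (RENEWED_LINEAGE is set).
# A plain "certbot renew" with nothing due never calls the hook, so the
# propagation and the reloads only happen after a real renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    echo "renewed: ${RENEWED_DOMAINS:-?} from $RENEWED_LINEAGE"
    propagate_cert "$RENEWED_LINEAGE" /etc/exim4/tls && reload_services
fi
```

Because the hook is invoked per renewed lineage, a host with several certificates gets one propagation per certificate that was actually due; the monthly cron job becomes a plain certbot renew with no conditional logic of its own, and cron's "non-zero means failure" convention is left intact.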


#7

I have certbot 0.9.3 running on Debian 8.

Now it is clear to me… I will adapt the script to run the webhook.

Thanks a lot, Osiris.

