Scope of RENEWED_DOMAINS

Looking for some validation of my understanding how renewals work and how the deploy hook variables are set. This is important as I consider how best to script for renewal actions.

When certbot attempts to renew certificates, it checks all certs that need to be renewed and does so, then sets RENEWED_DOMAINS with a list of those names before executing each cert's deploy hooks, correct? Since each deploy hook will have access to every cert's name in the variable, scripts should include tests for the desired certificate name so as not to unnecessarily execute tasks for other, irrelevant certificates?

I believe this thread arrives at an appropriate scripting, but am curious if there's some additional, more current perspective on the matter.

Thanks.

3 Likes

According to the documentation, $RENEWED_DOMAINS only contains the domains for that single certificate the deploy hook is being called about.

You should call different deploy hooks for different certificates. You don't know the certificate name. You can use sed to extract it from $RENEWED_LINEAGE but you don't have it by default.

3 Likes

You do, it's available in the RENEWED_LINEAGE variable.

Edit: You said so already yourself, whoopsie. Extracting the name shouldn't be that hard.

5 Likes

Yes, it's there but it needs some grep/sed to be usable.

3 Likes

Ah, so $RENEWED_DOMAINS does not contain all names for all certs that were renewed, just CNs/SANs for the certificate for which the deploy hook was called? If so, this helps bring my scripting strategy more into focus.

1 Like

An extra step, yes, but not that hard:

osiris@erazer ~ $ echo "/etc/letsencrypt/live/foo.bar" | grep -Po "([^\/]+)$"
foo.bar
osiris@erazer ~ $ 

Correct. Only the --pre-hook and --post-hook hooks are "grouped" if multiple certificates call the same hook. E.g., run the pre-hook once, renew all certificates calling that hook, run post-hook once.

4 Likes
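Putting the pieces of this thread together, here is an added example (not from any poster) of a deploy hook that acts only for one lineage: it takes the last path component of RENEWED_LINEAGE and checks RENEWED_DOMAINS, both of which certbot sets per certificate. The WANTED_LINEAGE name and the "deploy" action are assumptions for illustration.

```shell
#!/bin/sh
# Added example: a certbot --deploy-hook that only acts for one certificate.
# certbot sets RENEWED_LINEAGE (the live/ subdirectory) and RENEWED_DOMAINS
# (space-delimited names) for the single certificate just issued.

# Print the lineage name, i.e. the last path component of RENEWED_LINEAGE
# (pure parameter expansion; no grep/sed needed). A trailing slash is tolerated.
lineage_name() {
    _p="${1%/}"
    printf '%s\n' "${_p##*/}"
}

# Return 0 if domain $2 appears in the space-delimited list $1.
domain_in_list() {
    set -f                      # no glob expansion while splitting the list
    for _d in $1; do
        if [ "$_d" = "$2" ]; then set +f; return 0; fi
    done
    set +f
    return 1
}

# Return 0 when the hook should act: the lineage is the one we manage AND the
# expected domain is among the renewed names (guards against a renamed lineage).
should_deploy() {
    _lineage="$1"; _domains="$2"; _want_lineage="$3"; _want_domain="$4"
    [ "$(lineage_name "$_lineage")" = "$_want_lineage" ] || return 1
    domain_in_list "$_domains" "$_want_domain"
}

# Entry point used when certbot runs this script. WANTED_LINEAGE is an assumed
# value; replace it with the lineage you actually manage.
deploy_hook_main() {
    WANTED_LINEAGE="${WANTED_LINEAGE:-example.com}"
    if should_deploy "${RENEWED_LINEAGE:-}" "${RENEWED_DOMAINS:-}" \
                     "$WANTED_LINEAGE" "$WANTED_LINEAGE"; then
        # Placeholder action: copy $RENEWED_LINEAGE/fullchain.pem and reload the service.
        echo "deploying $RENEWED_LINEAGE ($RENEWED_DOMAINS)"
    else
        echo "skipping lineage $(lineage_name "${RENEWED_LINEAGE:-}")"
    fi
}

# Only run when invoked by certbot (RENEWED_LINEAGE is set); sourcing is harmless.
if [ -n "${RENEWED_LINEAGE:-}" ]; then deploy_hook_main; fi
```

Because certbot runs the deploy hook once per issued certificate, the script is invoked for every lineage and must itself decide whether to act, which is what should_deploy does.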

yup.

  --deploy-hook DEPLOY_HOOK
                        Command to be run in a shell once for each
                        successfully issued certificate. For this command, the
                        shell variable $RENEWED_LINEAGE will point to the
                        config live subdirectory (for example,
                        "/etc/letsencrypt/live/example.com") containing the
                        new certificates and keys; the shell variable
                        $RENEWED_DOMAINS will contain a space-delimited list
                        of renewed certificate domains (for example,
                        "example.com www.example.com" (default: None)

Eeeeh, I'm not that good. I always forget that syntax.

3 Likes

--pre-hook and --post-hook wrap the entire Certbot process. They are often used to spin-up ancillary services and adjust network routing.

--deploy-hook is run after each successful cert is issued within a Certbot process.

3 Likes

Me too, I just mess around at https://regex101.com/ which is a GREAT site for regexes IMO.

5 Likes

Excellent feedback. I suppose I was reading the docs a couple different ways and, not yet having renewed multiple certs at once, I was getting confused.

Thank you for clearing up my understanding.

3 Likes
