Setting environmental variables for hooks with cli.ini

I have this setup:

  • /var/apps/deploy.sh script which does something and sends an email notification
  • cli.ini contains renew-hook = /var/apps/deploy.sh

It works OK but there is a small problem: I have to put email addresses into deploy.sh. If only addresses could come from somewhere else I’d put the script into a git repository and use it on all servers without any changes.

The best option would be the same cli.ini since I have to manually set the renew hook there anyways.

As I see it I can set environment variables for hooks in cli.ini like

renew-hook = MY_EMAIL=kaka@shino.bu /var/apps/deploy.sh # Quoting required maybe?
disable-hook-validation = True

I tried running the execute() function from certbot/certbot/hooks.py manually with commands like MY_EMAIL=kaka@shino.bu /var/apps/deploy.sh and $MY_EMAIL was set in deploy.sh but it looks ugly to me putting vars into commands. Besides ugliness it breaks some logging logic in execute() because of

def execute(shell_cmd):
    """Run a command.
    :returns: `tuple` (`str` stderr, `str` stdout)"""

    # universal_newlines causes Popen.communicate()
    # to return str objects instead of bytes in Python 3
    cmd = Popen(shell_cmd, shell=True, stdout=PIPE,
                stderr=PIPE, universal_newlines=True)
    out, err = cmd.communicate()
    base_cmd = os.path.basename(shell_cmd.split(None, 1)[0]) # <========= THIS
    if out:
        logger.info('Output from %s:\n%s', base_cmd, out)
    if cmd.returncode != 0:
        logger.error('Hook command "%s" returned error code %d',
                     shell_cmd, cmd.returncode)
    if err:
        logger.error('Error output from %s:\n%s', base_cmd, err)
    return (err, out)

Is there some other way to set environmental variables for hooks in cli.ini? Maybe there is some undocumented cli option like --set-hook-env X=Y?

Hi @dandelionred,

There is a Unix program called env that sets environment variables before executing a particular specified command line. You should be able to use env MY_EMAIL=kaka@shino.bu /var/apps/deploy.sh with the effect that you wanted.

I’m aware of env. There is no significant difference between env MY_EMAIL=kaka@shino.bu /var/apps/deploy.sh and running MY_EMAIL=kaka@shino.bu /var/apps/deploy.sh in shell (which is what execute() does behind the scenes): both put the variable into the hook’s environment. And both strings are ugly as commands and break the logging logic.

Sorry, I was confused about what you were looking for! Unfortunately, I don’t think there are other features in Certbot right now that will be helpful to you this way.

Thanks, I’ll post it into suggestions then.

Hi @dandelionred,

You can create a file like /etc/letsencrypt/myvars and source it from your script.

Cheers,
sahsanu

I want all certbot settings to be in a single place. Like /etc/letsencrypt/cli.ini containing

renew-hook = /var/apps/deploy.sh
hook-env = MY_EMAIL=kaka@shino.bu

Feature request thread: Cli option to set enviromnent variables for hooks

You should open that feature request directly on Certbot’s GitHub site https://github.com/certbot/certbot/issues
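An added example, not part of any post in this thread and not Certbot's code: it reproduces the name the quoted execute() excerpt derives for its log messages when the command carries a variable prefix, and shows the variables being handed to the hook through Popen's env argument instead. The hook_env parameter and parse_hook_env() are hypothetical, modelled on the hook-env line proposed above, which is a feature request and not an existing cli.ini setting.

```python
import os
from subprocess import PIPE, Popen


def logged_name(shell_cmd):
    """Name the execute() excerpt quoted in this thread would use in its logs."""
    return os.path.basename(shell_cmd.split(None, 1)[0])


def parse_hook_env(entries):
    """Turn hypothetical hook-env entries ('KEY=VALUE') into a dict."""
    parsed = {}
    for entry in entries:
        key, sep, value = entry.partition("=")
        # Reject entries with no '=' or a name that is not identifier-shaped.
        if not sep or not key.isidentifier():
            raise ValueError("expected KEY=VALUE, got %r" % entry)
        parsed[key] = value
    return parsed


def run_hook(shell_cmd, hook_env=()):
    """Run the hook with extra variables while the command string stays clean."""
    env = dict(os.environ)              # inherit the caller's environment
    env.update(parse_hook_env(hook_env))
    proc = Popen(shell_cmd, shell=True, stdout=PIPE, stderr=PIPE,
                 universal_newlines=True, env=env)
    out, err = proc.communicate()
    return proc.returncode, out, err


if __name__ == "__main__":
    for cmd in ("/var/apps/deploy.sh",
                "MY_EMAIL=kaka@shino.bu /var/apps/deploy.sh",
                "env MY_EMAIL=kaka@shino.bu /var/apps/deploy.sh"):
        print("%-48s logged as %s" % (cmd, logged_name(cmd)))
    # Constructed stand-in for deploy.sh: print the variable it received.
    print(run_hook('printf %s "$MY_EMAIL"', ["MY_EMAIL=kaka@shino.bu"]))
```

With the variables passed this way, the first token of the command is still the script path, so the log lines name deploy.sh rather than the assignment or env.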
