SSL certs renew but OpenVPN start in certbot post-hook fails

Certificates renew automatically, but when I access the OpenVPN web UI I get a cert error. I have created pre- and post-hook scripts, but the "post-hook script is not executing (I think) with certbot renew", and it gives the following error (which I have added in the output section).

When I run these scripts manually I can resolve the cert error on the OpenVPN web UI. Is there a way to automate the renewal process?

Contents of post-hook script:
#!/bin/bash
sudo /usr/local/openvpn_as/scripts/sacli start

My domain is: my-vpn-domain

I ran this command: certbot renew, certbot renew --dry-run, certbot certificates

It produced this output:
ERROR: --sock parameter ('/usr/local/openvpn_as/etc/sock/sagent.localroot', '/usr/local/openvpn_as/etc/sock/sagent') doesn't point to active socket: util/options:501,sagent/sacli:548,sagent/sacli:329,:1,sagent/sagent_entry:62,sagent/sacli:1456,util/options:523,internet/base:1283,internet/base:1292,internet/base:913,util/options:501,sagent/sacli:548,sagent/sacli:329,util/error:105,util/error:86
ERROR: --sock parameter ('/usr/local/openvpn_as/etc/sock/sagent.localroot', '/usr/local/openvpn_as/etc/sock/sagent') doesn't point to active socket: util/options:501,sagent/sacli:548,sagent/sacli:329,:1,sagent/sagent_entry:62,sagent/sacli:1456,util/options:523,internet/base:1283,internet/base:1292,internet/base:913,util/options:501,sagent/sacli:548,sagent/sacli:329,util/error:105,util/error:86
ERROR: --sock parameter ('/usr/local/openvpn_as/etc/sock/sagent.localroot', '/usr/local/openvpn_as/etc/sock/sagent') doesn't point to active socket: util/options:501,sagent/sacli:548,sagent/sacli:329,:1,sagent/sagent_entry:62,sagent/sacli:1456,util/options:523,internet/base:1283,internet/base:1292,internet/base:913,util/options:501,sagent/sacli:548,sagent/sacli:329,util/error:105,util/error:86

My web server is (include version): OpenVPN 2.11.0

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is: 1.29.0

I'm not sure this is Certbot related, yet. Does running sudo /usr/local/openvpn_as/scripts/sacli start work without it being run as a Certbot post-hook?

3 Likes

The post-hook script works properly if I run it manually, but it does not work when certbot renew calls the pre- and post-hook scripts.

The sudo certbot renew --dry-run command gives the following errors:

Hook 'post-hook' reported error code 1
Hook 'post-hook' ran with error output:
ERROR: --sock parameter ('/usr/local/openvpn_as/etc/sock/sagent.localroot', '/usr/local/openvpn_as/etc/sock/sagent') doesn't point to active socket: util/options:501,sagent/sacli:548,sagent/sacli:329,:1,sagent/sagent_entry:62,sagent/sacli:1456,util/options:523,internet/base:1283,internet/base:1292,internet/base:913,util/options:501,sagent/sacli:548,sagent/sacli:329,util/error:105,util/error:86
ERROR: --sock parameter ('/usr/local/openvpn_as/etc/sock/sagent.localroot', '/usr/local/openvpn_as/etc/sock/sagent') doesn't point to active socket: util/options:501,sagent/sacli:548,sagent/sacli:329,:1,sagent/sagent_entry:62,sagent/sacli:1456,util/options:523,internet/base:1283,internet/base:1292,internet/base:913,util/options:501,sagent/sacli:548,sagent/sacli:329,util/error:105,util/error:86
ERROR: --sock parameter ('/usr/local/openvpn_as/etc/sock/sagent.localroot', '/usr/local/openvpn_as/etc/sock/sagent') doesn't point to active socket: util/options:501,sagent/sacli:548,sagent/sacli:329,:1,sagent/sagent_entry:62,sagent/sacli:1456,util/options:523,internet/base:1283,internet/base:1292,internet/base:913,util/options:501,sagent/sacli:548,sagent/sacli:329,util/error:105,util/error:86

I don't know how to help diagnose the socket error message.

You might want to try at the OpenVPN forum for help debugging.

Also, since the commands work when run separately, you could try creating your own shell script to run the hooks independently, like:

pre-hook code / command
sudo certbot renew
sudo /usr/local/openvpn_as/scripts/sacli start

I added sudo in the above example for certbot, as you use it in your hook, so I presume you are also using it for certbot but just don't show it.

Of course, you will need to remove the hooks from the certbot renewal conf file. Or, just comment out any commands in the certbot hook script (probably easier for a test).

4 Likes
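One way to write the wrapper script MikeMcQ describes, added here as an example and not code posted in the thread: it runs the pre-step, certbot renew and sacli start in sequence, checks that the sagent socket file exists before calling sacli, and logs which step failed. The log path, the RUN_RENEWAL and PRE_CMD variables and the per-step exit codes are my assumptions, not anything from certbot or OpenVPN.

```shell
#!/bin/bash
# Command paths default to the ones quoted in this thread; override via environment.
CERTBOT_CMD="${CERTBOT_CMD:-certbot renew}"
SACLI_CMD="${SACLI_CMD:-/usr/local/openvpn_as/scripts/sacli}"
SAGENT_SOCK="${SAGENT_SOCK:-/usr/local/openvpn_as/etc/sock/sagent}"
LOG_FILE="${LOG_FILE:-/var/log/openvpn-cert-renew.log}"   # assumed log location

log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG_FILE"
}

# sacli complains when --sock does not point to an active socket. This check only
# confirms a UNIX socket file exists at the path (not that sagent is listening),
# but it separates "socket file missing" from "sacli itself failed" in the log.
sagent_socket_present() {
    [ -S "$1" ]
}

# Runs the sequence from the thread: pre-step, certbot renew, sacli start.
# Stops at the first failure; each step has its own exit code so the cron or
# systemd log shows which one broke. $1 is the pre-step command ("true" if none).
renew_and_restart() {
    local pre_cmd="$1"
    if ! $pre_cmd; then
        log "pre-step failed: $pre_cmd"; return 2
    fi
    if ! $CERTBOT_CMD; then
        log "certbot renew failed"; return 3
    fi
    if ! sagent_socket_present "$SAGENT_SOCK"; then
        log "no socket at $SAGENT_SOCK; skipping sacli start"; return 4
    fi
    if ! "$SACLI_CMD" start; then
        log "sacli start failed"; return 5
    fi
    log "renewal sequence completed"
    return 0
}

# Only run the sequence when explicitly asked (RUN_RENEWAL=1 in the cron entry),
# so sourcing this file for a test does not touch certbot or OpenVPN.
if [ "${RUN_RENEWAL:-0}" = "1" ]; then
    renew_and_restart "${PRE_CMD:-true}"
fi
```

Run it as root from cron in place of the certbot hooks, with the hook lines removed from the renewal conf as noted above.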

Thanks MikeMcQ

2 Likes
