I have always renewed my certificates manually and have now decided to let certbot handle the renewal.
After the renewal it is necessary to copy all the individual certificates into a single bundle and restart some services.
I have written a really simple script for this, which runs without problems.
But if the script is called from certbot it seems to hang, and certbot does not finish.
I executed certbot (version 0.14.1) with:
certbot renew -q --renew-hook /usr/home/idefix/letsencrypt/create-haproxy-ssl-restart-all.sh
If I check the /var/log/letsencrypt/letsencrypt.log it contains:
2017-05-20 07:31:31,714:INFO:certbot.hooks:Running renew-hook command: /usr/home/idefix/letsencrypt/create-haproxy-ssl-restart-all.sh
A ps shows something strange. It seems that the script has somehow gone into a zombie state.
root 23538 0.0 0.8 165684 62216 0 I+ 9:29AM 0:12.14 /usr/local/bin/python2.7 /usr/local/bin/certbot renew -q --renew-hook /usr/home/idefix/letsencrypt/create-haproxy-ssl-restart-all.sh
root 24943 0.0 0.0 0 0 0 Z+ 9:31AM 0:01.02 <defunct>
I'm not sure that the zombie process belongs to the certbot process, but the time matches (certbot does not seem to log the local time to the logfile, maybe it uses UTC).
The script itself is really simple (I have only replaced the default domain with a dummy value):
#!/bin/sh -e
CERTS_DIR=/usr/local/etc/letsencrypt/live
HAPROXY_DIR=/usr/local/etc/haproxy/certs
DEFAULT_DOMAIN=default_domain
# One entry per live certificate directory (BSD find: -depth 1 = exactly one level below live/)
DOMAINS=$(cd "$CERTS_DIR"; find . -type d -depth 1 | sed 's#^\./##')
# Make sure the certificate and private files are never world readable
umask 077
mkdir -p "${HAPROXY_DIR}"
rm -Rf "${HAPROXY_DIR}"/*
echo "Add standard domain (${DEFAULT_DOMAIN}) in front of keyfile"
cat "${CERTS_DIR}/${DEFAULT_DOMAIN}/fullchain.pem" "${CERTS_DIR}/${DEFAULT_DOMAIN}/privkey.pem" > "${HAPROXY_DIR}/01-${DEFAULT_DOMAIN}.pem"
for DOMAIN in $DOMAINS
do
    echo "Add key for $DOMAIN"
    cat "${CERTS_DIR}/${DOMAIN}/fullchain.pem" "${CERTS_DIR}/${DOMAIN}/privkey.pem" > "${HAPROXY_DIR}/${DOMAIN}.pem"
done
chmod -R go-rwx "${HAPROXY_DIR}"
echo "Restart haproxy"
# killall exits non-zero when no haproxy is running; do not let -e abort the script there
killall haproxy || true; service haproxy restart
echo "Restart postfix"
service postfix restart
echo "Restart dovecot"
service dovecot restart
Does anyone have an idea why this script became a zombie and certbot never finished?
Thanks a lot.
Matthias
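The following is an added example, not the script from the post above. It rebuilds the same HAProxy bundles for the same FreeBSD layout, but runs the service restarts with their standard descriptors detached. The assumed cause, which fits the ps output (hook in Z+, certbot in I+): certbot runs the hook with stdout and stderr connected to a pipe and waits for end-of-file on that pipe before reaping the child; a daemon restarted by the hook inherits those descriptors and keeps the pipe open after the script has exited. The `capture_seconds` helper reproduces that wait in plain sh so the effect of the redirection can be measured. The hook path, the three arguments and the sample certificate files in the test are assumptions for the example.

```sh
#!/bin/sh
# Added example, not the script from the post.  A renew-hook for the same
# setup (FreeBSD paths, HAProxy bundles, service restarts) written so that
# certbot cannot block on it.
#
# Assumed cause of the hang: certbot captures the hook's stdout/stderr through
# a pipe and waits for end-of-file.  Daemons restarted by the hook inherit the
# pipe and keep it open, so the finished hook stays a zombie (Z+) while certbot
# sits idle (I+) forever.
set -eu

# Run a command with all three standard descriptors detached from whatever
# certbot handed us, so anything it daemonizes cannot hold certbot's pipe.
run_detached() {
    "$@" </dev/null >/dev/null 2>&1
}

# Mimic certbot: run a command with its output captured through a pipe and
# report how many whole seconds the wait for end-of-file took.
capture_seconds() {
    _start=$(date +%s)
    _out=$("$@") || true
    echo $(( $(date +%s) - _start ))
}

# Build HAProxy PEM bundles (fullchain + privkey) for every live certificate
# directory.  The default domain is written first as 01-<domain>.pem so it
# sorts to the front and becomes HAProxy's default certificate.
build_bundles() {
    certs_dir=$1 haproxy_dir=$2 default_domain=$3
    umask 077                      # bundles contain private keys: owner-only
    mkdir -p "$haproxy_dir"
    rm -f "$haproxy_dir"/*.pem
    cat "$certs_dir/$default_domain/fullchain.pem" \
        "$certs_dir/$default_domain/privkey.pem" \
        > "$haproxy_dir/01-$default_domain.pem"
    for dir in "$certs_dir"/*/; do
        domain=$(basename "$dir")
        # certbot's live/ also holds a README and may hold stale directories
        [ -f "$dir/privkey.pem" ] || continue
        cat "$dir/fullchain.pem" "$dir/privkey.pem" > "$haproxy_dir/$domain.pem"
    done
    chmod -R go-rwx "$haproxy_dir"
}

# Hook entry point.  Assumed usage as certbot's --renew-hook value:
#   /path/to/hook.sh /usr/local/etc/letsencrypt/live /usr/local/etc/haproxy/certs default_domain
# With no arguments the file only defines functions, so it can be sourced for testing.
main() {
    build_bundles "$1" "$2" "$3"
    run_detached service haproxy restart
    run_detached service postfix restart
    run_detached service dovecot restart
}
if [ "$#" -eq 3 ]; then main "$@"; fi
```

The smallest change to the original script is the same redirection on each `killall` and `service` line (`</dev/null >/dev/null 2>&1`). To confirm the diagnosis on a hung run, list the open descriptors of the blocked certbot process (`fstat -p <pid>` on FreeBSD, `lsof -p <pid>` on Linux) and look for the pipe, then check which restarted daemon still holds its other end.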