Value of $RENEWED_LINEAGE

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I ran this command:

certbot renew \
  --dns-cloudflare \
  --dns-cloudflare-credentials $CREDS_PATH \
  --dns-cloudflare-propagation-seconds 120 \
  --deploy-hook $MYHOOK.sh

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.5.0

What's the value contained in $RENEWED_LINEAGE when multiple certs are renewed at the same time?
From User Guide — Certbot 2.10.0.dev0 documentation I know that:

the shell variable $RENEWED_LINEAGE will point to the config live subdirectory (for example, "/etc/letsencrypt/live/example.com") containing the new certificates and keys; the shell variable $RENEWED_DOMAINS will contain a space-delimited list of renewed certificate domains (for example, "example.com www.example.com") (default: None)

What if certbot renewed example.com and example.net?

$RENEWED_DOMAINS = "example.com example.net"

What about $RENEWED_LINEAGE?

The deploy-hook is run once for each cert. From the docs (emphasis mine):

--deploy-hook DEPLOY_HOOK
Command to be run in a shell once for each successfully issued certificate.

So the lineage is where that cert is and the domains is the list within that cert.

Does that help?

3 Likes
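
What "once for each cert" means for a hook script, as an added example that is not part of the original posts or Certbot's own code: every invocation sees a single $RENEWED_LINEAGE, so the hook handles one live directory per run and can check that path before touching key material. The destination directory /etc/ssl/deployed, the LIVE_ROOT and DEST_ROOT variables and the function name deploy_lineage are assumptions.

```shell
#!/bin/sh
# Added example deploy hook. Certbot runs it once per renewed certificate, so
# RENEWED_LINEAGE always names exactly one live directory.
LIVE_ROOT="${LIVE_ROOT:-/etc/letsencrypt/live}"
DEST_ROOT="${DEST_ROOT:-/etc/ssl/deployed}"   # assumption: where the service reads certs

deploy_lineage() {
    lineage="$1"
    domains="$2"

    # Only accept a path below the live directory, with no ".." components.
    case "$lineage" in
        */..|*/../*) echo "refusing lineage with '..': $lineage" >&2; return 1 ;;
        "$LIVE_ROOT"/?*) ;;
        *) echo "lineage outside $LIVE_ROOT: $lineage" >&2; return 1 ;;
    esac

    if [ ! -r "$lineage/fullchain.pem" ] || [ ! -r "$lineage/privkey.pem" ]; then
        echo "missing fullchain.pem or privkey.pem in $lineage" >&2
        return 1
    fi

    name=$(basename "$lineage")
    dest="$DEST_ROOT/$name"
    mkdir -p "$dest" || return 1

    # Copy the key under a restrictive umask, then rename it into place so the
    # service never sees a half-written or world-readable key file.
    (
        umask 077
        cp -L "$lineage/privkey.pem" "$dest/privkey.pem.new" &&
            mv "$dest/privkey.pem.new" "$dest/privkey.pem"
    ) || return 1
    cp -L "$lineage/fullchain.pem" "$dest/fullchain.pem" || return 1

    echo "deployed $name (domains: $domains)"
}

# Certbot exports both variables when it invokes the hook; do nothing otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_lineage "$RENEWED_LINEAGE" "${RENEWED_DOMAINS:-}"
fi
```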

Hi @elg0ch0, and welcome to the LE community forum :slight_smile:

Why add all that [unnecessary stuff] to a simple cert renewal?:

Instead of just:
certbot renew

Are you trying to include a hook that wasn't there during the last issuance?
What is your actual goal here?

4 Likes

Thanks @MikeMcQ, I missed that one!

2 Likes

Aren't all of them necessary?
Well I guess they don't hurt :wink:

Only initially.
Not on renewals.

See: User Guide — Certbot 2.10.0.dev0 documentation (eff-certbot.readthedocs.io)

3 Likes

And so I repeat my question:

[I still don't know what you are trying to but are unable to do]

1 Like

They might. The certbot renew command acts on all the renewal conf files in /etc/letsencrypt/renewal folder (one at a time).

Any options on the renew command override the ones in every renewal conf file. If they are all the same options then, sure, no problem just unnecessary.

But if you used some other method for other certs then those renewals will fail or your renewal conf will be updated with options differently than intended. What happens depends on the exact combination of options in the renewal conf and the renew command line.

In short, it is bad practice to do that.

4 Likes

Got it!

Thanks a lot!

2 Likes

Thanks for your help

Thanks @rg305, I was trying to understand what's the value of $RENEWED_LINEAGE when different domains were renewed

It's clear now (and I will remove the unnecessary parameters)

3 Likes
