Why is post-hook invoked without adding it in command line?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
explorer.harmony.one

I ran this command:

$ ./certbot-auto renew --dry-run

It produced this output:

Requesting to rerun ./certbot-auto with root privileges...

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Processing /etc/letsencrypt/renewal/explorer.harmony.one.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Cert not due for renewal, but simulating renewal for dry run

Plugins selected: Authenticator standalone, Installer None

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for explorer.harmony.one

Waiting for verification...

Challenge failed for domain explorer.harmony.one

http-01 challenge for explorer.harmony.one

Cleaning up challenges

Attempting to renew cert (explorer.harmony.one) from /etc/letsencrypt/renewal/explorer.harmony.one.conf produced an unexpected error: Some challenges have failed.. Skipping.

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/explorer.harmony.one/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

** DRY RUN: simulating 'certbot renew' close to cert expiry

** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/explorer.harmony.one/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry

** (The test certificates above have not been saved.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Running post-hook command: /home/ec2-user/restart-fe.sh

Output from post-hook command restart-fe.sh:

No screen session found.

post-hook command "/home/ec2-user/restart-fe.sh" returned error code 1

1 renew failure(s), 0 parse failure(s)

My web server is (include version):
node express

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
Amazon Linux 2.

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

0.35.1


Background:

I indeed added --post-hook for the crontab job. But when I run the command manually, it still calls post-hook even if I didn’t specify it.

Probably because when you ran certbot for the first time to get the certificate in the first place, you did include it on the command line. It is saved in the renewal configuration file, as certbot assumes it is necessary every time you get a certificate. So when you run renew, it uses all the saved information, including the post-hook command.


Thanks! It wasn't obvious that a successful run will have a side effect on the config file.

I removed the post_hook line in /etc/letsencrypt/renewal/explorer.harmony.one.conf.

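The reply in this thread explains that a hook passed on the command line is saved in the renewal configuration and replayed by every later `renew`. The script below is an added example (not part of the thread and not certbot code) that lists the hooks saved under `/etc/letsencrypt/renewal/` and flags hook scripts that a non-root account could modify, which matters because the output above shows certbot-auto rerunning itself with root privileges. Assumptions: hooks are stored unquoted as `pre_hook`, `post_hook` or `renew_hook` in the `[renewalparams]` section, and the function names are illustrative.

```python
import glob
import os
import shlex
import stat

HOOK_KEYS = ("pre_hook", "post_hook", "renew_hook")  # assumption: --deploy-hook is saved as renew_hook


def saved_hooks(conf_text):
    """Return {key: command} for hook keys in the [renewalparams] section."""
    hooks, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "renewalparams" and "=" in line and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key in HOOK_KEYS and value:
                hooks[key] = value
    return hooks


def write_risks(path, trusted_uids=(0,)):
    """Reasons the script or its directory can be changed by an untrusted account."""
    risks = []
    for target in (path, os.path.dirname(path)):
        if not os.path.exists(target):
            risks.append(f"{target}: missing")
            continue
        st = os.stat(target)
        if st.st_uid not in trusted_uids:
            risks.append(f"{target}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            risks.append(f"{target}: group- or world-writable")
    return risks


def audit(renewal_dir="/etc/letsencrypt/renewal"):
    """Yield (conf, key, command, risks) for every hook saved in renewal_dir."""
    for conf in sorted(glob.glob(os.path.join(renewal_dir, "*.conf"))):
        with open(conf, encoding="utf-8") as fh:
            for key, command in saved_hooks(fh.read()).items():
                program = (shlex.split(command) or [""])[0]
                yield conf, key, command, (write_risks(program) if os.path.isabs(program) else [])


if __name__ == "__main__":
    for conf, key, command, risks in audit():
        print(f"{conf}: {key} = {command}", *risks, sep="\n  WARNING ")
```

Run it as root so every renewal file is readable. A hook script kept in a user's home directory will be reported unless both the file and its directory are owned by root and not group- or world-writable.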