mehov
1
Hey everyone
I have a `--deploy-hook` that was recognized by certbot (see below), but never executed. I checked `certbot --help renew` and it mentions `--disable-hook-validation`.
My question is, if said validation fails and the hook does not go through, would that be mentioned in the logs? And if yes, what am I looking for?
Right now, when I search for `deploy-hook` or just `hook` in my log, I am only seeing:
INFO:certbot.compat.misc:Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/ntpsec
Please help
Notes:
When I say recognized by certbot, I mean I am seeing this at the top of my log file:
DEBUG:certbot._internal.main:Arguments: ['--non-interactive', '--standalone', '--http-01-port', '8008', '--allow-subset-of-names', '--deploy-hook', '/usr/bin/chown -R www-data "$RENEWED_LINEAGE" && /usr/bin/chown -R www-data /etc/letsencrypt/archive && /usr/bin/systemctl reload nginx']
certbot version 1.12.0
mehov
2
(A related followup: Will `--deploy-hook` run if `/etc/letsencrypt/renewal-hooks/deploy/ntpsec` exists? It could be that `--deploy-hook` doesn't work not because it fails validation but because I have at least one script in `/etc/letsencrypt/renewal-hooks/deploy`.)
mehov
3
(A quick question related to https://community.letsencrypt.org/t/disable-hook-validation-output-when-failed/229340.)
I pass a `--deploy-hook` argument to certbot. It is recognized, but does not get executed. In the log, however, I see a mention of `/etc/letsencrypt/renewal-hooks/deploy/ntpsec` being executed.
lets encrypt - LetsEncrypt certbot multiple renew-hooks - Stack Overflow says:
Note: On newer (early 2023) versions, you cannot use multiple --pre-hook (or others hooks). Each new directive of the same name will overwrite the previous one.
So I wanted to confirm if `--deploy-hook` is ignored because I have at least one script in `/etc/letsencrypt/renewal-hooks/deploy`.
Certbot version 1.12.0
Thank you!
Osiris
4
No clue with regard to your original question, but you should not WANT nor should you NEED to make `www-data` the owner of the files in `/etc/letsencrypt/{live,archive}/`. The private key should only be readable by root and not by the unprivileged user the webserver is running as.
3 Likes
MikeMcQ
5
A deploy-hook will not execute if validation failed. It only runs when a cert is issued.
Have you reviewed the Certbot docs? Search the page below for `--deploy-hook` to better understand how it should work. When testing with `--dry-run`, which is recommended, you will need to specify extra options to ensure the `--deploy-hook` runs.
https://eff-certbot.readthedocs.io/en/latest/using.html#certbot-command-line-options
3 Likes
Osiris
6
I'm pretty sure OP doesn't mean validation like hostname validation, but the checks Certbot does (like, is the script executable) before attempting to run the hook.
mehov
7
Yes, the certs for which I expect the hook to run are indeed issued. Sorry, forgot to mention that. It's an important detail.
MikeMcQ
8
Ah, did you try it with `--disable-hook-validation`?
I think you will just have to experiment on your own. Certbot v1.12 is over 3Y old and makes it difficult for anyone to try to reproduce. I am pretty sure you should be able to have a deploy-hook command line option and also in the deploy hook folder, generally.
When I have problems with hooks I make one doing just "echo In-Hook-ABC". I use --dry-run with the extra needed option to run deploy-hooks.
Even if you identify a problem the Certbot team will want to know whether it fails in a recent version. An actual bug against Certbot is best reported at the EFF's github for it: Issues · certbot/certbot · GitHub
They will want a description of an easy way to reproduce the problem though. Like: I have this in deploy hook folder, I use these options on command line and get this but not that and show entire log.
Getting back to your original specific question ... Set a deploy-hook with an obviously incorrect path and see what shows in the log. Try with and without the "disable" option to see if that matters.
3 Likes
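To illustrate the two suggestions above (MikeMcQ's "echo a marker so you can grep the log for it" diagnostic, and Osiris' point that the private key should stay root-only rather than being chowned to www-data), here is an added example of a deploy hook script; it is not code from the thread or from Certbot. Certbot sets `RENEWED_LINEAGE` and `RENEWED_DOMAINS` for deploy hooks; the log path `HOOK_LOG` and the reload command are assumptions you can change.

```shell
#!/bin/sh
# Added example: a diagnostic deploy hook. Certbot exports RENEWED_LINEAGE
# (e.g. /etc/letsencrypt/live/example.com) and RENEWED_DOMAINS to the hook.
# It writes a marker line you can grep for, refuses to continue if the
# private key is readable by non-root users, and then reloads the webserver.
HOOK_LOG="${HOOK_LOG:-/var/log/letsencrypt/deploy-hook.log}"   # assumed path

# Returns 0 if <lineage>/privkey.pem is not group- or world-readable.
# ls -lL follows the live/ symlink into archive/ and works on GNU and BSD.
privkey_is_private() {
  key="$1/privkey.pem"
  [ -e "$key" ] || return 1
  perms=$(ls -lL "$key" | cut -c5-10)   # group+other bits of "-rw-------"
  [ "$perms" = "------" ]
}

# Appends the marker line (grep the log for In-Hook-ABC to prove the hook ran).
log_marker() {
  lineage="$1"; logfile="$2"
  printf '%s In-Hook-ABC lineage=%s domains=%s\n' \
    "$(date -u +%FT%TZ)" "$lineage" "${RENEWED_DOMAINS:-unset}" >> "$logfile"
}

# deploy_hook <lineage> <logfile> [reload command]
# Returns 0 on success, 2 if the key is exposed, 3 if the reload failed.
deploy_hook() {
  lineage="$1"; logfile="$2"; reload_cmd="${3:-}"
  log_marker "$lineage" "$logfile"
  if ! privkey_is_private "$lineage"; then
    printf 'WARNING: %s/privkey.pem is readable by non-root users\n' \
      "$lineage" >> "$logfile"
    return 2
  fi
  if [ -n "$reload_cmd" ]; then
    # shellcheck disable=SC2086  (intentional word splitting of the command)
    $reload_cmd >> "$logfile" 2>&1 || return 3
  fi
  return 0
}

# Certbot invokes the hook with no arguments; everything comes from the env.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_hook "$RENEWED_LINEAGE" "$HOOK_LOG" "systemctl reload nginx"
fi
```

Install it as `--deploy-hook /path/to/this-script` or drop it (executable) into the `renewal-hooks/deploy` directory, then grep the log for `In-Hook-ABC` after a renewal to confirm it actually ran.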