On Sat, Aug 26, 2017 at 1:40 AM, Ian Zimmerman <i...@very.loosely.org> wrote:
>
> I don't understand the letsencrypt certbot renewal process, specifically
> the hooks.
>
> I have two certificates: one for webserver, one for mailserver.  I got
> them only very recently so until now the renewal cronjob has always
> been a no-op, but the real thing will happen very soon.  When it does,
> presumably I need to have both daemons restarted so that they read the
> renewed certificates.  So, how do I do this?  Right now my cronjob is
> just
>
> certbot renew -n --standalone --preferred-challenges tls-sni
>
> which should renew any and all certificates when they're "close" to
> expiring.  But the documentation doesn't say if I can have multiple
> --pre-hook and --post-hook options and what the semantics would be.  The
> closest it comes is:
>
>  When renewing several certificates that have identical pre-hooks, only
>  the first will be executed.
>
> which doesn't make any sense: what does it mean for a certificate to
> "have" a pre-hook?  The pre-hook is just there on the command line,
> there is no association with a particular certificate that a machine
> could infer.
>
> The cop-out solution is to have a single pre-hook and a single
> post-hook, which stop (resp. start) both daemons, but that is ugly.  How
> do people handle this?

I just need to restart apache, so my daily cron job is:

certbot renew --standalone --quiet \
        --pre-hook  'systemctl stop  apache2.service' \
        --post-hook 'systemctl start apache2.service'

With systemd, I just need one command to stop/start/restart several
services. With OpenRC I suppose you could do:

certbot renew --standalone --quiet \
        --pre-hook  '/etc/init.d/apache2 stop && /etc/init.d/postfix stop' \
        --post-hook '/etc/init.d/apache2 start && /etc/init.d/postfix start'

The documentation says that the hooks are "command to be run in a shell",
so it should work.

Another solution is to have a simple script:

#!/bin/sh
# Controls apache and postfix: /usr/local/bin/certbot-aux

if [ $# != 1 ]; then
    echo 'Need a parameter'
    exit 1
fi

/etc/init.d/apache2 "$1"
/etc/init.d/postfix "$1"

And then the cron job is:

certbot renew --standalone --quiet \
        --pre-hook  '/usr/local/bin/certbot-aux stop' \
        --post-hook '/usr/local/bin/certbot-aux start'

Regards.
--
Dr. Canek Peláez Valdés
Profesor de Carrera Asociado C
Departamento de Matemáticas
Facultad de Ciencias
Universidad Nacional Autónoma de México
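As an added example (not code from either poster), here is a fuller version of the single-script approach above: one hook script that takes exactly one argument, accepts only `start`, `stop` or `restart`, applies it to every service in a list, and exits non-zero naming the service that failed, so a daemon that did not come back after renewal does not pass silently. The `/etc/init.d/<service>` invocation, the `SERVICES` list, and the `run_service` and `control_services` names are assumptions for illustration; the runner function is kept separate so it can be swapped for `systemctl` or replaced in a test.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical /usr/local/bin/certbot-aux:
#   --pre-hook  '/usr/local/bin/certbot-aux stop'
#   --post-hook '/usr/local/bin/certbot-aux start'
# Assumes sysvinit-style /etc/init.d/<service> scripts (assumption).

# Services to control; override with the SERVICES environment variable.
SERVICES="${SERVICES:-apache2 postfix}"

# run_service <service> <action>: invoke the init script for one service.
# Kept as a separate function so it can be replaced (e.g. by systemctl).
run_service() {
    "/etc/init.d/$1" "$2"
}

# control_services <action>: apply the action to every service in SERVICES.
# Returns 0 if all succeeded, 1 for an invalid action, 2 if any service failed.
control_services() {
    action="$1"
    case "$action" in
        start|stop|restart) ;;
        *)
            echo "certbot-aux: invalid action '$action' (use start|stop|restart)" >&2
            return 1
            ;;
    esac

    failed=""
    for svc in $SERVICES; do
        # Keep going after a failure so the other daemons still get the action,
        # but remember which ones failed.
        if ! run_service "$svc" "$action"; then
            failed="$failed $svc"
        fi
    done

    if [ -n "$failed" ]; then
        echo "certbot-aux: '$action' failed for:$failed" >&2
        return 2
    fi
    return 0
}

# When run as a script (certbot passes exactly one argument), act and exit
# with the function's status so the failure is visible rather than silent.
# With no arguments only the functions are defined, so the file can be sourced.
if [ $# -eq 1 ]; then
    control_services "$1"
    exit $?
elif [ $# -gt 1 ]; then
    echo "usage: certbot-aux start|stop|restart" >&2
    exit 1
fi
```

Because the script stops every listed daemon before the standalone challenge and starts them all afterwards, a typo in the hook argument is rejected up front instead of leaving the services down, and a service that fails to start is reported by name on stderr.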
