On Sun, 23 Jul 2023, Viktor Dukhovni via Postfix-users wrote:
> On 23 Jul 2023, at 4:21 pm, Charles Sprickman via Postfix-users
> <postfix-users@postfix.org> wrote:
>> In the case of the dehydrated ACME client
>> (https://github.com/dehydrated-io/dehydrated) there's an option to run
>> a bunch of commands on successful update, including something like
>> "postfix reload" - one could also insert an email or other command to
>> note the update. I can't imagine other ACME clients don't offer a
>> similar function...
> The "certbot" ACME client offers post-hooks, but they're not "reliable".
> If the hook fails or doesn't run, it won't be retried. A robust
> "post-hook" should have "at least once" semantics, its implementation
> should be idempotent, and it should be retried until it succeeds.
I cannot imagine why/when the certbot client would fail to run the post-hooks (in
a sane environment).
They run reliably (in my case, using /etc/letsencrypt/renewal-hooks/deploy/),
and as long as the certbot client itself doesn't crash (or is killed, etc.) I
cannot imagine why it would fail.
Another matter is the actual post-hook script. As long as it's a generic shell
script or such, the program running it (certbot) cannot make any guarantees as
to e.g. idempotency.
IMHO it's advisable to do as much error checking in the post-hook script itself,
rather than relying on certbot for that.
Are you aware of cases where certbot actually failed to (attempt to) run the
hooks?
Thanks.
--
Bernardo
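One way to write the kind of self-checking, idempotent deploy hook discussed above, as an added example that is not code from the thread, from certbot or from Postfix. The destination path, the combined key+fullchain layout (for smtpd_tls_chain_files) and the reload command are assumptions; only RENEWED_LINEAGE is certbot's own variable.

```shell
#!/bin/sh
# Idempotent certbot deploy hook for Postfix (added example, not from the thread).
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.org) to
# scripts in /etc/letsencrypt/renewal-hooks/deploy/. Destination path and reload
# command are assumptions; override them via the environment.
set -eu
: "${POSTFIX_CERT:=/etc/postfix/smtpd-chain.pem}"
: "${POSTFIX_RELOAD_CMD:=postfix reload}"

# SHA-256 of a file; empty string when the file does not exist yet.
file_digest() {
    [ -f "$1" ] || { echo ""; return 0; }
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

reload_postfix() { $POSTFIX_RELOAD_CMD; }

# Install key+fullchain as one PEM only when it differs from what is deployed,
# and reload Postfix only then. Prints "updated" or "unchanged". Any failure
# returns non-zero and leaves the old file in place, so rerunning the hook
# (by certbot or by hand) simply repeats the work.
deploy_cert() {
    lineage="$1"
    key="$lineage/privkey.pem"
    chain="$lineage/fullchain.pem"
    if [ ! -r "$key" ] || [ ! -r "$chain" ]; then
        echo "deploy_cert: missing key or chain in $lineage" >&2
        return 1
    fi
    # Temp file in the destination directory so the final mv is an atomic rename.
    tmp=$(mktemp "$POSTFIX_CERT.XXXXXX")
    cat "$key" "$chain" > "$tmp"
    chmod 0600 "$tmp"
    if [ "$(file_digest "$tmp")" = "$(file_digest "$POSTFIX_CERT")" ]; then
        rm -f "$tmp"
        echo "unchanged"
        return 0
    fi
    mv -f "$tmp" "$POSTFIX_CERT"
    reload_postfix
    echo "updated"
}

# When run by certbot, deploy the lineage it just renewed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE"
fi
```

Because the hook exits non-zero on any failure and does nothing when the deployed file already matches, it can be rerun from cron or by hand until it reports "unchanged".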
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org