Bug#920895: certbot: post-hook command: service apache2 stop

[Xavier Bestel]

FWIW the complete config file:

# renew_before_expiry = 30 days
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/awak.mobi
cert = /etc/letsencrypt/live/awak.mobi/cert.pem
privkey = /etc/letsencrypt/live/awak.mobi/privkey.pem
chain = /etc/letsencrypt/live/awak.mobi/chain.pem
fullchain = /etc/letsencrypt/live/awak.mobi/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = apache
account = [not shown]
post_hook = service apache2 stop
pre_hook = service apache2 stop

Bug#920895: certbot: post-hook command: service apache2 stop

[Xavier Bestel]

Hi Harlan,

/etc/letsencrypt/renewal-hooks subdirs are empty.
The post-hook looks effectively wrong:

[root@awak:~]$ ls -R /etc/letsencrypt/renewal-hooks
/etc/letsencrypt/renewal-hooks:
deploy/  post/  pre/

/etc/letsencrypt/renewal-hooks/deploy:

/etc/letsencrypt/renewal-hooks/post:

/etc/letsencrypt/renewal-hooks/pre:
[root@awak:~]$ grep hook /etc/letsencrypt/renewal/awak.mobi.conf
post_hook = service apache2 stop
pre_hook = service apache2 stop


I can easily fix the post_hook, but I wonder how it ended up like that.
I never touched that thing.

Xav

Bug#920895: certbot: post-hook command: service apache2 stop

[Harlan Lieberman-Berg]

On Wed, Jan 30, 2019 at 6:24 AM Xavier Bestel  wrote:
> Certbot says it will stop apache after renewing certificates (although 
> apparently it doesn't).

Hello!

Very strange.  What is in your /etc/letsencrypt/renewal-hooks
sub-directories?  Does `grep hook
/etc/letsencrypt/renewal/awak.mobi.conf` return any rows?

Sincerely,
-- 
Harlan Lieberman-Berg
~hlieberman

Bug#920895: certbot: post-hook command: service apache2 stop

[Xavier Bestel]

Package: certbot
Version: 0.28.0-1~bpo9+1
Severity: minor

Hi,

Certbot says it will stop apache after renewing certificates (although 
apparently it doesn't).
Here's the log:

[root@awak:~]$ certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/awak.mobi.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer apache
Running pre-hook command: service apache2 stop
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for awak.mobi
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/awak.mobi/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**  (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/awak.mobi/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**  (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: service apache2 stop


Regards,

Xav

-- System Information:
Debian Release: 9.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages certbot depends on:
ii  python3  3.5.3-1
ii  python3-certbot  0.28.0-1~bpo9+1

certbot recommends no packages.

Versions of packages certbot suggests:
ii  python-certbot-doc  0.28.0-1~bpo9+1
ii  python3-certbot-apache  0.28.0-1~bpo9+1
ii  python3-certbot-nginx   0.28.0-1~bpo9+1

-- no debconf information