Hello,
I am using LE certificates created and renewed by ISPConfig for 2 services: coturn and slapd. Those 2 are running with users different from root, so I would like to use a hook to copy and chown files after renewal (same process as described here: https://docs.bigbluebutton.org/admin/setup-turn-server.html#generating-tls-certificates).
This means I would like to add a few lines to: ispconfig3/server/scripts/letsencrypt_renew_hook.sh
I have the possibility to create the file: /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh
But custom is always dangerous when code evolves. As these hooks are probably needed by few people, I would propose to change the logic a little bit. Instead of having a custom file "replacing" the normal code, why not have a custom file "in addition to" it?
Thus, I propose the following modification: change
Code:
if [ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh" ] ; then
    . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh && exit 0 || exit 1;
fi
into
Code:
if [ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh" ] ; then
    . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh || exit 1;
fi
i.e. remove 'exit 0'. I would also propose to move that line from the beginning of the script to the end.
What do you think?
Another possibility would be to keep the code as is, and add at the very end of the script ispconfig3/server/scripts/letsencrypt_renew_hook.sh:
Code:
if [ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook_add.sh" ] ; then
    . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook_add.sh;
fi
The pre and post hooks already handle this, it would be simple to have the renew hook use the same logic.
Hello, I implemented a hook... or so I thought! But today there was a renewal and it doesn't work... So I am trying to see how it went... I want to test my script, but "certbot --dry-run renew" doesn't deploy the hook! Is there a workaround? Moreover, I found nothing in letsencrypt.log...
How have you set up the hooks? https://www.howtoforge.com/communit...ts-of-errors-in-standalone.79363/#post-379833 How did you determine it does not work? In what way does it not work? Do you mean the log is empty or there is nothing related to this problem?
Hello, I use that new functionality: https://git.ispconfig.org/ispconfig/ispconfig3/-/merge_requests/1492
I have a script: /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh
Code:
# Only act when the slapd package is installed on this server
if [ "$(dpkg-query -W -f='${Status}' slapd 2>/dev/null | grep -c "ok installed")" -eq 1 ]; then
    # Copy the renewed ISPConfig certificate and key to the slapd location
    cp /usr/local/ispconfig/interface/ssl/ispserver.crt /etc/ssl/slapd/slapd.crt
    cp /usr/local/ispconfig/interface/ssl/ispserver.key /etc/ssl/slapd/slapd.key
    chown -R openldap:openldap /etc/ssl/slapd
    #sleep 1s
    service slapd restart
fi
# 124 lets the standard ISPConfig renewal hooks continue
return 124
The cert was renewed because SSL access to my slapd was broken... I found nothing about that in the letsencrypt log... and I don't know how to test...
letsencrypt.log is saying for today:
Code:
2021-11-01 03:00:31, 2021-11-01 03:00:31,771:DEBUG:certbot.main:certbot version: 0.40.0
2021-11-01 03:00:31,772:DEBUG:certbot.main:Arguments: ['-n', '--post-hook', "echo '1' > /usr/local/ispconfig/server/le.restart"]
2021-11-01 03:00:31,772:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-11-01 03:00:31,780:DEBUG:certbot.log:Root logging level set at 20
2021-11-01 03:00:31,780:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-11-01 03:00:31,797:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7fd1df4ccaf0> and installer <certbot.cli._Default object at 0x7fd1df4ccaf0>
2021-11-01 03:00:31,814:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-01 03:00:31,816:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-01 03:00:31,826:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-01 03:00:31,827:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-01 03:00:31,832:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-01 03:00:31,833:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-01 03:00:31,839:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-01 03:00:31,840:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-01 03:00:31,846:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-01 03:00:31,847:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-01 03:00:31,853:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-01 03:00:31,855:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-01 03:00:31,855:DEBUG:certbot.renewal:no renewal failures
2021-11-01 10:43:16,238:DEBUG:certbot.main:certbot version: 0.40.0
2021-11-01 10:43:16,239:DEBUG:certbot.main:Arguments: ['-q']
2021-11-01 10:43:16,239:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-11-01 10:43:16,251:DEBUG:certbot.log:Root logging level set at 30
2021-11-01 10:43:16,252:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-11-01 10:43:16,265:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f7d11d3b310> and installer <certbot.cli._Default object at 0x7f7d11d3b310>
2021-11-01 10:43:16,276:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-01 10:43:16,277:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-01 10:43:16,281:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-01 10:43:16,282:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-01 10:43:16,286:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-01 10:43:16,286:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-01 10:43:16,290:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-01 10:43:16,291:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-01 10:43:16,295:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-01 10:43:16,295:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-01 10:43:16,299:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-01 10:43:16,300:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-01 10:43:16,300:DEBUG:certbot.renewal:no renewal failures
2021-11-01 12:35:27,347:DEBUG:certbot.main:certbot version: 0.40.0
2021-11-01 12:35:27,348:DEBUG:certbot.main:Arguments: ['-q']
2021-11-01 12:35:27,348:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-11-01 12:35:27,358:DEBUG:certbot.log:Root logging level set at 30
2021-11-01 12:35:27,358:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-11-01 12:35:27,367:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f86c38b0370> and installer <certbot.cli._Default object at 0x7f86c38b0370>
2021-11-01 12:35:27,376:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-01 12:35:27,377:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-01 12:35:27,383:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-01 12:35:27,384:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-01 12:35:27,388:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-01 12:35:27,388:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-01 12:35:27,391:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-01 12:35:27,392:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-01 12:35:27,395:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-01 12:35:27,395:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-01 12:35:27,398:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-01 12:35:27,399:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-01 12:35:27,399:DEBUG:certbot.renewal:no renewal failures
by root -rwxr--r-- 1 root root 346 Sep 29 08:29 /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh
My question now may come from a wrong understanding of that hook... I have a multiserver setup. The server I am focusing on is not the one with the web interface... If I look in /etc/letsencrypt/renewal/myserver.dom.fr.conf, I don't see "renew_hook = letsencrypt_renew_hook.sh" as I can see it in the letsencrypt file of the web interface server. So I need to add it! Do you know how I can run certbot --dry-run renew including the hook?
The only way I know for you to achieve that is you have to carefully add it in the renewal conf file for the intended domain, not in the dry run command, but this is not advised in ISPConfig.
I include
Code:
renew_hook=letsencrypt_renew_hook.sh
in the conf file, except on the ISPC web interface server. I also symlink the sh script in /usr/local.
Have you found documentation on how to use this https://git.ispconfig.org/ispconfig/ispconfig3/-/merge_requests/1492 new functionality?
Create a bash script /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh and have it do whatever local stuff needs done. If that script exits with status 124 (i.e. "exit 124" in the script), the standard renewal hooks that ISPConfig provides will continue to run; if it has any other exit status, ISPConfig's renewal hooks will be skipped.
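An added example, not part of the thread or of ISPConfig's code: the copy-and-restart hook from the posts above written as shell functions that stage each file with its final owner and mode before renaming it into place, restart slapd only when a file actually changed, and return the status 124 described in the reply above. The function names and the overridable SRC_DIR, DEST_DIR, OWNER and RESTART_CMD variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not ISPConfig code. Source paths and the openldap owner come
# from the thread; every variable can be overridden to test without a renewal.
SRC_DIR="${SRC_DIR:-/usr/local/ispconfig/interface/ssl}"
DEST_DIR="${DEST_DIR:-/etc/ssl/slapd}"
OWNER="${OWNER:-openldap:openldap}"
RESTART_CMD="${RESTART_CMD:-service slapd restart}"

# Install $1 as $2 with mode $3. Returns 0 = replaced, 1 = already identical,
# 2 = error. The copy is staged in a 0600 temp file inside the destination
# directory and renamed into place, so the key is never briefly readable by
# other users and slapd never sees a half-written file.
install_if_changed() {
    src=$1; dest=$2; mode=$3
    [ -r "$src" ] || { echo "hook: cannot read $src" >&2; return 2; }
    if cmp -s "$src" "$dest" 2>/dev/null; then return 1; fi
    tmp=$(mktemp "$dest.XXXXXX") || return 2
    if cat "$src" > "$tmp" && chown "$OWNER" "$tmp" &&
       chmod "$mode" "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# Returns 124 in every case so that ISPConfig's standard hooks still run;
# problems are reported on stderr instead of through the exit status.
slapd_hook() {
    changed=0; failed=0
    for spec in ispserver.key:slapd.key:0600 ispserver.crt:slapd.crt:0644; do
        name=${spec%%:*}; rest=${spec#*:}
        rc=0
        install_if_changed "$SRC_DIR/$name" "$DEST_DIR/${rest%%:*}" "${rest#*:}" || rc=$?
        case $rc in 0) changed=1 ;; 2) failed=1 ;; esac
    done
    if [ "$failed" -eq 1 ]; then
        echo "hook: slapd certificate not fully updated, slapd not restarted" >&2
    elif [ "$changed" -eq 1 ]; then
        $RESTART_CMD || echo "hook: restart command failed" >&2
    fi
    return 124
}
```

Pointing the four variables at a scratch directory and a harmless restart command lets the hook be exercised by hand, without waiting for a real renewal.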
Whether or not the ISPConfig server is a web server, that server should still be able to obtain LE SSL certs via install or upgrade; at least that was the intended behavior when it was designed. The hook is there by default. So I am not sure what you are actually trying to do, especially in your post #12. Please clarify again what your problem is.
Sorry for answering late, and for not being very clear.
First, I use the famous new functionality: it was created following my above #2 post. That's a great functionality, thanks a lot.
Second, the difficulty I face is this specific case:
- the server is not the web interface server
- I didn't upgrade ISPConfig for more than 6 months
After 6 months, certbot renews my LE cert for my server but it doesn't run my script, which is /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh, with exit status 124.
Investigating, I saw that in /etc/letsencrypt/renewal/myserver.dom.fr.conf there is no line "renew_hook = letsencrypt_renew_hook.sh" on this server, but this line exists on all other servers... so finally I added the line "renew_hook = letsencrypt_renew_hook.sh" to the file /etc/letsencrypt/renewal/myserver.dom.fr.conf, and hope it will solve this issue! I don't know why this line was missing (my mistake at one time?).
In post #12, I mention that I don't know how to check that hook, because dry run doesn't run the hook...
Thanks a lot for the interest you show in helping me.
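A missing renew_hook line like the one described in the last post can be found before a renewal passes without running the hook. The following is an added example, not from the thread or from ISPConfig: it scans certbot renewal files and reports those whose [renewalparams] section has no renew_hook or a different one. The function name audit_renew_hooks and its MISSING/DIFFERENT output format are assumptions; the default directory and hook name are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not ISPConfig or certbot code.
# Usage: audit_renew_hooks [renewal_dir] [expected_hook]
audit_renew_hooks() {
    dir=${1:-/etc/letsencrypt/renewal}
    expected=${2:-letsencrypt_renew_hook.sh}
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        awk -v want="$expected" -v file="$conf" '
            # A commented-out setting is not an active hook.
            /^[ \t]*#/ { next }
            # Track the current section; [[webroot_map]] ends [renewalparams].
            /^[ \t]*\[/ {
                section = $0
                gsub(/[^A-Za-z_]/, "", section)
                next
            }
            # Only a renew_hook key inside [renewalparams] counts.
            section == "renewalparams" && /^[ \t]*renew_hook[ \t]*=/ {
                value = $0
                sub(/^[^=]*=[ \t]*/, "", value)
                sub(/[ \t]+$/, "", value)
                found = 1
            }
            END {
                if (!found)
                    print "MISSING " file
                else if (value != want)
                    print "DIFFERENT " file " (" value ")"
            }' "$conf"
    done
}
```

Running it from cron on each server of a multiserver setup and alerting on any output would have flagged the server in this thread months before its certificate renewed.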