Edit Certbot hooks (letsencrypt)

0

I have a few website domains handled by Nginx, and I am using Let's Encrypt (certbot) to manage certificates. I currently have pre-hooks and post-hooks for every domain:

/etc/init.d/nginx stop
/etc/init.d/nginx start

And I would like to replace them with:

systemctl nginx stop
systemctl nginx start

Which command should I use?

To set up certificates for a website I use this command (if it can help):

certbot --installer nginx --authenticator standalone --pre-hook "systemctl stop nginx" --post-hook "/etc/init.d/nginx start"

Thank you!

Antoine

Posted 2019-06-07T14:28:41.453

Reputation: 15

Answers

0

You can find existing renewal configurations and their hooks in this folder:

/etc/letsencrypt/renewal/

Under the [renewalparams] section of the configuration file, the pre-hook is keyed pre_hook, and the post-hook is keyed post_hook. You can change them or create them if they don't exist already.

FWIW, I have a configuration with the nginx installer and the standalone authenticator without any hooks on Certbot 0.31, and the new certificate is deployed without restarting nginx.service at all!

Demonstration:

root@demo [~]# cat /etc/letsencrypt/renewal/demo.deltik.org.conf
# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/demo.deltik.org/cert.pem
privkey = /etc/letsencrypt/live/demo.deltik.org/privkey.pem
chain = /etc/letsencrypt/live/demo.deltik.org/chain.pem
fullchain = /etc/letsencrypt/live/demo.deltik.org/fullchain.pem
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/demo.deltik.org

# Options and defaults used in the renewal process
[renewalparams]
installer = nginx
# authenticator = standalone
authenticator = standalone
account = d41d8cd98f00b204e9800998ecf8427e
# pre_hook = systemctl stop nginx.service
# post_hook = systemctl restart nginx.service
server = https://acme-v02.api.letsencrypt.org/directory
root@demo [~]# date
Fri Jun  7 14:42:46 UTC 2019
root@demo [~]# certbot renew          
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/demo.deltik.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/demo.deltik.org/fullchain.pem expires on 2019-08-21 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@demo [~]# certbot renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/demo.deltik.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator standalone, Installer nginx
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/demo.deltik.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/demo.deltik.org/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@demo [~]# systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-05-23 15:44:40 UTC; 2 weeks 0 days ago
     Docs: man:nginx(8)
  Process: 2789 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
  Process: 2799 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
  Process: 2790 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
 Main PID: 2811 (nginx)
    Tasks: 5 (limit: 4915)
   CGroup: /system.slice/nginx.service
           ├─ 2811 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           ├─24553 nginx: worker process
           ├─24554 nginx: worker process
           ├─24555 nginx: worker process
           └─24556 nginx: worker process

May 23 15:44:40 demo systemd[1]: Starting A high performance web server and a reverse proxy server...
May 23 15:44:40 demo systemd[1]: Started A high performance web server and a reverse proxy server.
root@demo [~]# openssl s_client -connect demo.deltik.org:443 </dev/null 2>&1 | openssl x509 -in - -text -noout | grep -A2 'Validity'
        Validity
            Not Before: Jun  7 13:43:35 2019 GMT
            Not After : Sep  5 13:43:35 2019 GMT

Deltik

Posted 2019-06-07T14:28:41.453

Reputation: 16 807

Thanks, it worked! – Antoine – 2019-06-13T10:37:34.173

0

Deltik's answer is the solution, but I want to sum things up to be more clear.

When you use the nginx installer with certbot, you don't need to add hooks, because by default the nginx installer will stop and start itself.

If you used hooks, you will get an error when renewing certificates when certbot tries to execute the post_hook command: it will say that the command failed, and this is because the Nginx installer has started Nginx on its own. This is also why you have to kill the process manually and restart nginx (this problem is tackled in this topic).

So the solution is to go into /etc/letsencrypt/renewal/ and comment out the pre_hook and post_hook lines.

It will work fine then; if not, you can renew your certificates one by one using this command:

certbot --nginx -d yourdomain.com -d www.yourdomain.com

And then try a dry run to simulate renewal:

certbot renew --dry-run

Hope this will be helpful.

Antoine

Posted 2019-06-07T14:28:41.453

Reputation: 15
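The clean-up both answers describe (find the pre_hook/post_hook lines in /etc/letsencrypt/renewal/*.conf and comment them out so the nginx installer's own reload is the only restart) can be scripted so it is auditable and reversible. This is an added example, not code from either answer or from Certbot; the sample renewal config it writes into a temporary directory is constructed to mirror the layout shown in Deltik's demonstration, and on a real host you would point the functions at /etc/letsencrypt/renewal/ as root instead.

```shell
#!/bin/sh
# Added example: audit Certbot renewal configs for pre_hook/post_hook lines
# and comment them out, keeping a backup of each file that is changed.
set -eu

# Print every active (uncommented) hook line in the .conf files under $1,
# as "<file>:<key> = <value>". Prints nothing when no hooks are configured.
list_hooks() {
    grep -H -E '^[[:space:]]*(pre_hook|post_hook)[[:space:]]*=' "$1"/*.conf 2>/dev/null || true
}

# Comment out pre_hook/post_hook lines in every .conf under $1.
# A timestamped copy is taken first and then used as the sed input, so the
# rewrite lands in the original file and keeps its owner and mode.
disable_hooks() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        if grep -q -E '^[[:space:]]*(pre_hook|post_hook)[[:space:]]*=' "$conf"; then
            bak="$conf.bak.$(date +%Y%m%d%H%M%S)"
            cp -p "$conf" "$bak"
            sed -E 's/^([[:space:]]*)(pre_hook|post_hook)([[:space:]]*=)/\1# \2\3/' "$bak" > "$conf"
        fi
    done
}

# Demo on a constructed renewal config (stand-in for /etc/letsencrypt/renewal/).
demo_dir=$(mktemp -d)
cat > "$demo_dir/example.invalid.conf" <<'EOF'
cert = /etc/letsencrypt/live/example.invalid/cert.pem
[renewalparams]
installer = nginx
authenticator = standalone
pre_hook = systemctl stop nginx.service
post_hook = /etc/init.d/nginx start
EOF
echo "Hooks before:"; list_hooks "$demo_dir"
disable_hooks "$demo_dir"
echo "Hooks after:";  list_hooks "$demo_dir"
echo "Resulting file:"; cat "$demo_dir/example.invalid.conf"
```

After running it against the real directory, `certbot renew --dry-run` (the check Antoine recommends) confirms the renewal still succeeds without the hooks.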