* [gentoo-user] certbot confusion
@ 2017-08-26 6:40 Ian Zimmerman
2017-08-26 10:49 ` Ralph Seichter
2017-08-27 0:30 ` Canek Peláez Valdés
0 siblings, 2 replies; 4+ messages in thread
From: Ian Zimmerman @ 2017-08-26 6:40 UTC
To: gentoo-user
I don't understand the letsencrypt certbot renewal process, specifically
the hooks.
I have two certificates: one for webserver, one for mailserver. I got
them only very recently, so until now the renewal cronjob has always
been a no-op, but the real thing will happen very soon. When it does,
presumably I need to have both daemons restarted so that they read the
renewed certificates. So, how do I do this? Right now my cronjob is
just
certbot renew -n --standalone --preferred-challenges tls-sni
which should renew any and all certificates when they're "close" to
expiring. But the documentation doesn't say if I can have multiple
--pre-hook and --post-hook options and what the semantics would be. The
closest it comes is:
When renewing several certificates that have identical pre-hooks, only
the first will be executed.
which doesn't make any sense: what does it mean for a certificate to
"have" a pre-hook? The pre-hook is just there on the command line,
there is no association with a particular certificate that a machine
could infer.
The cop-out solution is to have a single pre-hook and a single
post-hook, which stop (resp. start) both daemons, but that is ugly. How
do people handle this?
--
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
Do obvious transformation on domain to reply privately _only_ on Usenet.
* Re: [gentoo-user] certbot confusion
From: Ralph Seichter @ 2017-08-26 10:49 UTC
To: gentoo-user
On 26.08.2017 08:40, Ian Zimmerman wrote:
> The cop-out solution is to have a single pre-hook and a single
> post-hook, which stop (resp. start) both daemons, but that is
> ugly. How do people handle this?
I have not used certbot hooks myself, but a glance at the docs shows:
--pre-hook and --post-hook hooks run before and after every renewal
attempt. If you want your hook to run only after a successful renewal,
use --renew-hook [...]
Separate renew hooks seem to be the way to go.
-Ralph
* Re: [gentoo-user] certbot confusion
From: Canek Peláez Valdés @ 2017-08-27 0:30 UTC
To: gentoo-user
On Sat, Aug 26, 2017 at 1:40 AM, Ian Zimmerman <itz@very.loosely.org> wrote:
>
> I don't understand the letsencrypt certbot renewal process, specifically
> the hooks.
>
> I have two certificates: one for webserver, one for mailserver. I got
> them only very recently so I until now the renewal cronjob has always
> been a no-op, but the real thing will happen very soon. When it does,
> presumably I need to have both daemons restarted so that they read the
> renewed certificates. So, how do I do this? Right now my cronjob is
> just
>
> certbot renew -n --standalone --preferred-challenges tls-sni
>
> which should renew any and all certificates when they're "close" to
> expiring. But the documentation doesn't say if I can have multiple
> --pre-hook and --post-hook options and what the semantics would be. The
> closest it comes is:
>
> When renewing several certificates that have identical pre-hooks, only
> the first will be executed.
>
> which doesn't make any sense: what does it mean for a certificate to
> "have" a pre-hook? The pre-hook is just there on the command line,
> there is no association with a particular certificate that a machine
> could infer.
>
> The cop-out solution is to have a single pre-hook and a single
> post-hook, which stop (resp. start) both daemons, but that is ugly. How
> do people handle this?
I just need to restart apache, so my daily cron job is:
certbot renew --standalone --quiet \
--pre-hook 'systemctl stop apache2.service' \
--post-hook 'systemctl start apache2.service'
With systemd, I just need one command to stop/start/restart several
services. With OpenRC I suppose you could do:
certbot renew --standalone --quiet \
--pre-hook '/etc/init.d/apache2 stop && /etc/init.d/postfix stop' \
--post-hook '/etc/init.d/apache2 start && /etc/init.d/postfix start'
The documentation says that the hooks are "command to be run in a shell",
so it should work.
Another solution is to have a simple script:
#!/bin/sh
# Controls apache and postfix: /usr/local/bin/certbot-aux
# Usage: certbot-aux start|stop (the single argument is passed to both init scripts)
if [ $# != 1 ]; then
    echo 'Need a parameter'
    exit 1
fi
/etc/init.d/apache2 "$1"
/etc/init.d/postfix "$1"
And then the cron job is:
certbot renew --standalone --quiet \
--pre-hook '/usr/local/bin/certbot-aux stop' \
--post-hook '/usr/local/bin/certbot-aux start'
Regards.
--
Dr. Canek Peláez Valdés
Profesor de Carrera Asociado C
Departamento de Matemáticas
Facultad de Ciencias
Universidad Nacional Autónoma de México
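The two suggestions above (Ralph's separate renew hooks, and Canek's single certbot-aux script that stops and starts both daemons) can be combined so that each daemon is only touched when its own certificate was actually renewed. The script below is an added example and is not code from the thread or from certbot. It relies on two things certbot does provide: each certificate's hooks are stored in its renewal configuration under /etc/letsencrypt/renewal/, which is what the documentation means by a certificate "having" a pre-hook, and a --renew-hook (called --deploy-hook in later releases) is run once per renewed lineage with RENEWED_LINEAGE and RENEWED_DOMAINS exported in its environment. The host names, the lineage-to-service mapping and the script path are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: /usr/local/bin/certbot-renewed,
# meant for "certbot renew --renew-hook /usr/local/bin/certbot-renewed".
# certbot runs it once per lineage that was actually renewed and exports
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/mail.example.org) and
# RENEWED_DOMAINS. The host names and the lineage-to-service mapping
# below are assumptions for illustration.

# Print the OpenRC services that must restart for a lineage, one per
# line. An unknown lineage is an error, so a typo cannot silently leave
# a daemon serving the old certificate.
services_for_lineage() {
    case "${1##*/}" in          # keep only the lineage name
        www.example.org)  echo apache2 ;;
        mail.example.org) echo postfix; echo dovecot ;;
        *)                return 1 ;;
    esac
}

# Restart every service mapped to the lineage. The optional second
# argument is the function that drives the init scripts; it defaults to
# run_rc and can be replaced by a stub to exercise the dispatch logic.
restart_for_lineage() {
    lineage=$1
    runner=${2:-run_rc}
    svcs=$(services_for_lineage "$lineage") || {
        echo "certbot-renewed: no service mapped for $lineage" >&2
        return 1
    }
    for svc in $svcs; do        # word-split on purpose, one name per line
        "$runner" "$svc" restart || return 1
    done
}

# Real driver: call the OpenRC init script.
run_rc() {
    /etc/init.d/"$1" "$2"
}

# Entry point when certbot invokes the script. Running it by hand with
# RENEWED_LINEAGE unset does nothing.
if [ -n "$RENEWED_LINEAGE" ]; then
    restart_for_lineage "$RENEWED_LINEAGE"
fi
```

With this in place the cron line keeps a pre-hook and post-hook only for the web server, because --standalone has to bind the port the web server normally owns, while the mail server never needs to stop for the challenge and is restarted by the renew hook only when its own certificate changed: certbot renew -n --standalone --pre-hook '/etc/init.d/apache2 stop' --post-hook '/etc/init.d/apache2 start' --renew-hook /usr/local/bin/certbot-renewed. Note that the tls-sni challenge in the original cron line was later withdrawn by Let's Encrypt; with --standalone the http-01 challenge on port 80 is the one to use.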
* Re: [gentoo-user] certbot confusion
From: J. Roeleveld @ 2017-08-28 8:25 UTC
To: gentoo-user
On 27 August 2017 02:30:51 GMT+02:00, "Canek Peláez Valdés" <caneko@gmail.com> wrote:
>On Sat, Aug 26, 2017 at 1:40 AM, Ian Zimmerman <itz@very.loosely.org> wrote:
>>
>> I don't understand the letsencrypt certbot renewal process, specifically
>> the hooks.
>>
>> I have two certificates: one for webserver, one for mailserver. I got
>> them only very recently so I until now the renewal cronjob has always
>> been a no-op, but the real thing will happen very soon. When it does,
>> presumably I need to have both daemons restarted so that they read the
>> renewed certificates. So, how do I do this? Right now my cronjob is
>> just
>>
>> certbot renew -n --standalone --preferred-challenges tls-sni
>>
>> which should renew any and all certificates when they're "close" to
>> expiring. But the documentation doesn't say if I can have multiple
>> --pre-hook and --post-hook options and what the semantics would be. The
>> closest it comes is:
>>
>> When renewing several certificates that have identical pre-hooks, only
>> the first will be executed.
>>
>> which doesn't make any sense: what does it mean for a certificate to
>> "have" a pre-hook? The pre-hook is just there on the command line,
>> there is no association with a particular certificate that a machine
>> could infer.
>>
>> The cop-out solution is to have a single pre-hook and a single
>> post-hook, which stop (resp. start) both daemons, but that is ugly. How
>> do people handle this?
>
>I just need to restart apache, so my daily cron job is:
>
>certbot renew --standalone --quiet \
> --pre-hook 'systemctl stop apache2.service' \
> --post-hook 'systemctl start apache2.service'
>
>With systemd, I just need one command to stop/start/restart several
>services. With OpenRC I suppose you could do:
>
>certbot renew --standalone --quiet \
> --pre-hook '/etc/init.d/apache2 stop && /etc/init.d/postfix stop' \
> --post-hook '/etc/init.d/apache2 start && /etc/init.d/postfix start'
>
>The documentation says that the hooks are "command to be run in a shell",
>so it should work.
>
>Another solution is to have a simple script:
>
># Controls apache and postfix: /usr/local/bin/certbot-aux
>
>if [ $# != 1 ]; then
> echo 'Need a parameter'
> exit 1
>fi
>
>/etc/init.d/apache2 ${1}
>/etc/init.d/postfix ${1}
>
>And then the cron job is:
>
>certbot renew --standalone --quiet \
> --pre-hook '/usr/local/bin/certbot-aux stop' \
> --post-hook '/usr/local/bin/certbot-aux start'
>
>Regards.
>--
>Dr. Canek Peláez Valdés
>Profesor de Carrera Asociado C
>Departamento de Matemáticas
>Facultad de Ciencias
>Universidad Nacional Autónoma de México
Your postfix is dependent on apache?
The same can be easily configured with openrc.
Having both controlled separately makes more sense to me though.
--
Joost
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.