
Using --deploy-hook to avoid "cat: /etc/ssl/certs/2e5ac55d.0" error (closed as #140)

Open lovelord83 opened this issue 3 years ago • 8 comments

Hello all,

I'm using the latest version of the bot, currently v0.7.12, and I'm facing this problem every time certificate renewal happens.

As described in #140, I've done a system update/upgrade and update-ca-certificates, but none of those solves the problem by itself until I manually issue a forced certificate renewal with

certbot --force-renewal --preferred-chain "ISRG Root X1" renew

So I'm asking if it is possible to concatenate/prepend this command in the cronjob using --deploy-hook with a syntax like this (I've read the documentation, but it talks about the certbot deploy command only and doesn't mention adding multiple commands):

From the original

# Replace /usr/bin/certbot with the location of your certbot binary, use this to find it: which certbot-auto certbot letsencrypt
12 5 * * * root /usr/bin/certbot renew --pre-hook "/usr/local/src/certbot-zimbra/certbot_zimbra.sh -p" --deploy-hook "/usr/local/src/certbot-zimbra/certbot_zimbra.sh -d"

To something like this

# Replace /usr/bin/certbot with the location of your certbot binary, use this to find it: which certbot-auto certbot letsencrypt
12 5 * * * root /usr/bin/certbot renew --pre-hook "/usr/local/src/certbot-zimbra/certbot_zimbra.sh -p" --deploy-hook "/usr/bin/certbot --force-renewal --preferred-chain "ISRG Root X1" renew; /usr/local/src/certbot-zimbra/certbot_zimbra.sh -d"

or even better like this

# Replace /usr/bin/certbot with the location of your certbot binary, use this to find it: which certbot-auto certbot letsencrypt
12 5 * * * root /usr/bin/certbot renew --pre-hook "/usr/local/src/certbot-zimbra/certbot_zimbra.sh -p" --deploy-hook "/usr/sbin/update-ca-certificates; /usr/bin/certbot --force-renewal --preferred-chain "ISRG Root X1" renew; /usr/local/src/certbot-zimbra/certbot_zimbra.sh -d"

Is this technically right or is there a method to fully automate the process and avoid this frustrating error?

lovelord83 avatar Jan 27 '22 10:01 lovelord83

You do not want to force renew every time the cronjob runs. I never had that issue or needed to use preferred-chain, so I don't know if this is completely accurate, but I suspect so: you should have to force renew just once with that preferred-chain option; after that every renewal should use the same chain. The script itself only runs certbot when you request a certificate with "-n"; you can pass additional parameters to certbot with -L (this was mentioned in #140).

jjakob avatar Feb 01 '22 07:02 jjakob

Yo jjakob,

I wrote this because this happened for the 2nd time in 180 days. Like I did when the first auto-renewal failed, I updated ca-certificates and forced renewal with certbot, and it was solved. So, what I suppose is that the CA expires, no matter what you do (don't know if I'm saying bulls***), because when certbot tries to auto-renew the certs and then deploy, it still lands on a "cat: /etc/ssl/certs/2e5ac55d.0" error. This is solved when you manually update ca-certs + force renewal, so I supposed it is a good idea to do so just when the cert should be renewed; hence my idea to append those operations to the deploy hook (which happens only when you really need to renew the cert, and not at every crontab run). Do you agree with it? Is this syntax correct or is it not?

lovelord83 avatar Feb 01 '22 08:02 lovelord83

I suppose your 2nd or 3rd method would work. I'm not sure why that even happens though. Can't you make certbot remember the preferred lineage for that cert forever? Maybe you can put it in its config file in /etc/letsencrypt. I'm not sure how you'd do that.

jjakob avatar Feb 01 '22 17:02 jjakob
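On the question above about making certbot remember the chain: certbot records the options used at issuance under [renewalparams] in /etc/letsencrypt/renewal/<cert-name>.conf, and preferred_chain is one of the keys it persists, so a certificate originally requested with --preferred-chain should already carry it there and plain `certbot renew` honours it without --force-renewal. The shell functions below are an added example, not code from certbot-zimbra or certbot: they read and set that key on a constructed sample renewal conf. The sample file content, the certificate name mail.example.com and the account value are assumptions, and the key name should be checked against the renewal files written by your own certbot version before editing a real one.

```shell
#!/bin/sh
# Added example (not certbot's or certbot-zimbra's code): read and set
# preferred_chain in a certbot renewal conf so that "certbot renew" keeps
# using the chosen chain on every renewal. Assumption: certbot stores the
# value as "preferred_chain = <name>" under [renewalparams]; verify against
# your own /etc/letsencrypt/renewal/*.conf before using this on a real file.

# Print the preferred_chain value from a renewal conf (empty if unset).
get_preferred_chain() {
  conf=$1
  # Only look inside the [renewalparams] section.
  awk '
    /^\[/ { insec = ($0 == "[renewalparams]"); next }
    insec && /^[ \t]*preferred_chain[ \t]*=/ {
      sub(/^[ \t]*preferred_chain[ \t]*=[ \t]*/, ""); print; exit
    }
  ' "$conf"
}

# Add or replace preferred_chain inside [renewalparams]; keeps a .bak copy
# of the original and creates the section if the conf has none.
set_preferred_chain() {
  conf=$1 chain=$2
  tmp=$(mktemp) || return 1
  awk -v chain="$chain" '
    /^\[/ {
      # leaving [renewalparams] without having written the key: write it now
      if (insec && !done) { print "preferred_chain = " chain; done = 1 }
      insec = ($0 == "[renewalparams]")
    }
    insec && /^[ \t]*preferred_chain[ \t]*=/ {
      if (!done) { print "preferred_chain = " chain; done = 1 }
      next
    }
    { print }
    END {
      if (!done) {
        if (!insec) print "[renewalparams]"
        print "preferred_chain = " chain
      }
    }
  ' "$conf" > "$tmp" && cp "$conf" "$conf.bak" && mv "$tmp" "$conf"
}

# Constructed sample renewal conf (not a real one) so the example runs
# stand-alone; the real file lives in /etc/letsencrypt/renewal/.
make_sample_conf() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# renew_before_expiry = 30 days
version = 1.21.0
archive_dir = /etc/letsencrypt/archive/mail.example.com
cert = /etc/letsencrypt/live/mail.example.com/cert.pem
privkey = /etc/letsencrypt/live/mail.example.com/privkey.pem
chain = /etc/letsencrypt/live/mail.example.com/chain.pem
fullchain = /etc/letsencrypt/live/mail.example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
EOF
  echo "$f"
}

# Usage on the sample: before -> "", after -> "ISRG Root X1"
sample=$(make_sample_conf)
echo "before: [$(get_preferred_chain "$sample")]"
set_preferred_chain "$sample" "ISRG Root X1"
echo "after:  [$(get_preferred_chain "$sample")]"
rm -f "$sample" "$sample.bak"
```

Setting the key does not change the certificate already on disk; the new chain is fetched at the next normal renewal, so a one-time `certbot renew --force-renewal --preferred-chain "ISRG Root X1"` is still the way to switch an existing certificate immediately. Newer certbot releases also have a `reconfigure` subcommand for changing renewal options; check `certbot --help` on your installation rather than hand-editing the conf where that is available.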

Just to be safe I've applied the 3rd method, which replicates exactly what I had to do when the auto-deploy hangs (after a correct cert renewal from certbot). I suppose this is not a big problem after all; it is a little bit annoying indeed, but if it is solvable just by adding a few pre-steps to the deploy, why not do so?

lovelord83 avatar Feb 01 '22 17:02 lovelord83

It's not what everyone should be doing, because it force renews the certificate immediately after it's already been renewed; it's a workaround and not a fix. It also puts more load on Letsencrypt's servers and uses up more of the account's quota. I might do some research on whether it's possible to manually set the desired lineage for the cert permanently in certbot. If not, I don't want to work with certbot in the future; I'd sooner rewrite the script with acme.sh (I also need to check whether anyone already made something for Zimbra with acme.sh).

jjakob avatar Feb 01 '22 21:02 jjakob

I'm having this issue too and trying to figure out why..

Same error..

It is weird to me because the certificate was renewed automatically, 30 days before expiry, but it doesn't deploy it to the server..

Trying to just 'deploy' it tells me that it is the same certificate, so it doesn't need to be deployed..

Trying #3 from @lovelord83..

Otherwise, good work.

The annoying part about Let's Encrypt, for me anyway, is that we have to wait 2-3 months to find out if the troubleshooting changes worked..

online-stuff avatar Feb 05 '22 09:02 online-stuff

Just noticed that, using the code I proposed before,

# Replace /usr/bin/certbot with the location of your certbot binary, use this to find it: which certbot-auto certbot letsencrypt
12 5 * * * root /usr/bin/certbot renew --pre-hook "/usr/local/src/certbot-zimbra/certbot_zimbra.sh -p" --deploy-hook "/usr/sbin/update-ca-certificates; /usr/bin/certbot --force-renewal --preferred-chain "ISRG Root X1" renew; /usr/local/src/certbot-zimbra/certbot_zimbra.sh -d"

there is a problem with the double quotes inside --deploy-hook, because the opening double quote is closed by the starting double quote of "ISRG Root X1", and this is an error. I've tried every kind of double-quote escaping, even variable substitution, but I can't make it work. I preferred to separate those commands into a dedicated certbot cronjob, giving them a more flexible and reliable approach like this:

# CA automatic renewal: twice a month, on the 15th and 30th at midnight
# (note: "*/15" in the day-of-month field would fire on the 1st, 16th and 31st instead)
0 0 15,30 * * root /usr/sbin/update-ca-certificates; /usr/bin/certbot --force-renewal --preferred-chain "ISRG Root X1" renew >/dev/null 2>&1

# Replace /usr/bin/certbot with the location of your certbot binary, use this to find it: which certbot-auto certbot letsencrypt
12 5 * * * root /usr/bin/certbot renew --pre-hook "/usr/local/src/certbot-zimbra/certbot_zimbra.sh -p" --deploy-hook "/usr/local/src/certbot-zimbra/certbot_zimbra.sh -d"

Doing so you obtain CA renewal only twice a month (every month on the 15th and 30th at midnight) and the certbot default script remains "untouched", so the deploy-hook is not called every time (even if it should be executed only if the pre-hook has a correct exit status, so @jjakob, it is not true that it is called every day, because it starts only when the deploy starts: if everything works as intended it should be every 60 days...).

I repeat, this is not a solution, this is just a workaround, but while we're waiting for a complete acme rewrite or a definitive fix for the issue, it is better than nothing.

lovelord83 avatar Apr 27 '22 10:04 lovelord83
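The quoting problem described in the post above, as an added example that is not from the original post or from certbot-zimbra: cron hands the whole line to `/bin/sh -c`, so the double quote before ISRG closes the --deploy-hook string early and `Root` and `X1 renew; ...` become separate words of the outer `certbot renew` command. Wrapping the hook in single quotes (or putting it in a small wrapper script and passing only the script's path to --deploy-hook) avoids this. The `certbot` function below is a stand-in that only records its arguments (real certbot is never run), and the paths are shortened to bare `certbot` and `certbot_zimbra.sh` for the demonstration.

```shell
#!/bin/sh
# Added example (not certbot-zimbra's code): shows why nested double quotes
# in the proposed --deploy-hook break, and how the hook survives intact when
# the outer quoting is single quotes. "certbot" here is a stand-in function,
# not the real binary.

# Stand-in for certbot: records how many words it received and which word
# followed --preferred-chain.
certbot() {
  CERTBOT_ARGC=$#
  CERTBOT_CHAIN=""
  while [ $# -gt 0 ]; do
    if [ "$1" = "--preferred-chain" ]; then
      CERTBOT_CHAIN=$2
    fi
    shift
  done
}

# How many words does the outer shell hand to "certbot renew" when the hook
# uses double quotes inside double quotes (the pattern from the cron line)?
outer_words_broken() {
  set -- certbot renew --deploy-hook "certbot --force-renewal --preferred-chain "ISRG Root X1" renew; certbot_zimbra.sh -d"
  echo "$#"
}

# What does the --deploy-hook argument itself become in the broken case?
# The string is cut off right after ISRG.
broken_hook_value() {
  set -- certbot renew --deploy-hook "certbot --force-renewal --preferred-chain "ISRG Root X1" renew; certbot_zimbra.sh -d"
  echo "$4"
}

# With single quotes around the hook, the inner double quotes are preserved
# and the outer command has exactly four words.
outer_words_fixed() {
  set -- certbot renew --deploy-hook 'certbot --force-renewal --preferred-chain "ISRG Root X1" renew; certbot_zimbra.sh -d'
  echo "$#"
}

# certbot later runs the hook string through sh -c; emulate that with eval on
# the single-quoted hook (without the zimbra step, which does not exist here)
# and return the value the stand-in saw for --preferred-chain.
hook_chain_value() {
  hook='certbot --force-renewal --preferred-chain "ISRG Root X1" renew'
  eval "$hook"
  echo "$CERTBOT_CHAIN"
}

echo "broken: $(outer_words_broken) words, hook = [$(broken_hook_value)]"
echo "fixed:  $(outer_words_fixed) words, hook sees chain = [$(hook_chain_value)]"
```

In a crontab the same rules apply, with one extra trap: a literal `%` in the command field is treated as a newline by cron and must be escaped as `\%`. Putting the hook commands into a wrapper script of your own (for example a hypothetical /usr/local/sbin/zimbra-deploy-hook.sh) and passing only that path to --deploy-hook sidesteps both the quoting and the `%` issue, and keeps the cron line readable.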

Change one line after "# Request our cert" to:

"$le_bin" certonly --preferred-chain "ISRG Root X1" $le_params

Ufo28 avatar Aug 30 '22 10:08 Ufo28

Duplicate of #140

jjakob avatar Feb 25 '23 16:02 jjakob