
Change hooks on existing domain

Open forresthopkinsa opened this issue 3 years ago • 5 comments

According to the wiki, pre-hook and post-hook are configured when issuing a cert but will continue to function on every renewal:

> Those hooks are only accepted by the --issue command, but will be saved and apply to --renew or --cron commands as well. As such it can be a good way to do things (like close and re-open a server, or notify of updates) that need to happen only when issuance is actually attempted.

Is there any way to change (or remove) hooks on a domain after the cert is issued?

forresthopkinsa, Feb 11 '22 03:02

Sorry, there is no way to edit the hook yet. You have to issue the cert again.

Neilpang, Feb 11 '22 13:02

Understood, thanks

forresthopkinsa, Feb 13 '22 04:02

Yes there is a way, in your .acme.sh/certfolder/cert.conf file there is a line (here for a Let's Encrypt domain):

Le_ReloadCmd='__ACME_BASE64__START_bmdpbnggLXQgJiYgc3lzdGVtY3RsIHJlbG9hZCBuZ2lueA==__ACME_BASE64__END_'

In this example, the base64 for bmdpbnggLXQgJiYgc3lzdGVtY3RsIHJlbG9hZCBuZ2lueA== is nginx -t && systemctl reload nginx

Just base64 encode your new command and replace it in that file.

Hope that in the near future there will be an official way to do that...like an integrated script.

solracsf, Apr 21 '22 16:04

> Yes there is a way, in your .acme.sh/certfolder/cert.conf file there is a line (here for a Let's Encrypt domain):
>
> Le_ReloadCmd='__ACME_BASE64__START_bmdpbnggLXQgJiYgc3lzdGVtY3RsIHJlbG9hZCBuZ2lueA==__ACME_BASE64__END_'
>
> In this example, the base64 for bmdpbnggLXQgJiYgc3lzdGVtY3RsIHJlbG9hZCBuZ2lueA== is nginx -t && systemctl reload nginx
>
> Just base64 encode your new command and replace it in that file.

You don't need to convert it to Base64 first, as acme.sh will automatically convert it to Base64 after it is successfully executed. So you can just set it with the command/hook that you want to execute.

Not just Le_ReloadCmd: you can also change/set the Le_PreHook line for Pre-Hook, the Le_PostHook line for Post-Hook and/or the Le_RenewHook line for Renew Hook in your acme.sh_dir/domain.com_cert_folder/domain.com.conf file.

Here are some example lines:

Le_PreHook='echo "Hello World!"'
Le_PostHook='echo "This command is done!"'
Le_RenewHook='/usr/bin/env sh renew.sh'

The above lines are not just for Let's Encrypt users. No matter what CA you use, acme.sh still uses those lines for domain configuration, so you can use them even if you are using another CA.

FarrelF, Apr 22 '22 07:04

I tried to modify the PostHook to re-create the /etc/postfix/sni file (and its .db file), so I added postmap -F hash:/etc/postfix/sni in my domain.conf, which is now: Le_PostHook='cd /etc/postfix && postmap -F hash:/etc/postfix/sni && systemctl restart apache2 postfix dovecot'

But somehow this does not work. In the log file of acme.sh I noticed that there was a cert update which does not contain the postmap command: [Do 1. Feb 02:24:19 CET 2024] Run post hook:'systemctl restart apache2 dovecot postfix' I don't want to re-do this every time an update happens. Does anyone have an idea what could cause that? Also, nothing in my .conf is base64 encoded.

Edit: thanks to the IRC guys in letsencrypt. With acme.sh --info -d mydomain.tld I was able to see the old command and the config that is in use. The config is in /etc/acme... not in ~/.acme.sh/... - I updated my /etc/acme config and now it works.

damnms, Mar 02 '24 14:03
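Added example, not from the thread participants or the acme.sh project: a small shell audit that prints the commands a domain .conf will run on renewal, decoding the `__ACME_BASE64__START_…__ACME_BASE64__END_` wrapper when it is present and passing plain values through unchanged. The function names and the sample file are constructed for illustration; it assumes a `base64` that accepts `-d` (GNU coreutils).

```shell
#!/bin/sh
# Added example (not acme.sh code): show the hook commands stored in an
# acme.sh domain .conf file, whether Base64-wrapped or plain.

# Print the plain command for one stored value.
decode_hook() {
  case "$1" in
    __ACME_BASE64__START_*__ACME_BASE64__END_)
      b64=${1#__ACME_BASE64__START_}      # drop the leading marker
      b64=${b64%__ACME_BASE64__END_}      # drop the trailing marker
      printf '%s' "$b64" | base64 -d
      ;;
    *) printf '%s' "$1" ;;                # already plain text
  esac
}

# Print "KEY: command" for each hook key named in the thread.
show_hooks() {
  conf=$1
  for key in Le_PreHook Le_PostHook Le_RenewHook Le_ReloadCmd; do
    # Use the last assignment of the key, if any.
    line=$(grep "^$key=" "$conf" | tail -n 1)
    [ -n "$line" ] || continue
    val=${line#"$key="}
    val=${val#\'}; val=${val%\'}          # strip the surrounding quotes
    printf '%s: %s\n' "$key" "$(decode_hook "$val")"
  done
}

# Constructed sample conf, using the values quoted in the thread.
sample_conf() {
  cat <<'EOF'
Le_Domain='example.com'
Le_PreHook='echo "Hello World!"'
Le_ReloadCmd='__ACME_BASE64__START_bmdpbnggLXQgJiYgc3lzdGVtY3RsIHJlbG9hZCBuZ2lueA==__ACME_BASE64__END_'
EOF
}

# Stand-alone demo on the constructed sample.
tmp=$(mktemp)
sample_conf > "$tmp"
show_hooks "$tmp"
rm -f "$tmp"
```

Run `show_hooks` against the .conf that acme.sh actually reads; as the last comment found, `acme.sh --info -d mydomain.tld` shows which config is in use, and it may not be under ~/.acme.sh.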