Deploy hooks not running after renew.

Open easpeagle opened this issue 1 year ago • 10 comments

It looks like deploy hooks aren't running in general after renew. I have a system setup to handle certificates for a bunch of other systems that use either ssh or idrac deploy hooks. So... the workflow to set these up was --issue and then --deploy ...

But... when the cron job processes renewals... no deployment is happening. How do I fix this?

easpeagle, Mar 15 '23 16:03

Please upgrade to the latest code and try again first. Maybe it's already fixed: `acme.sh --upgrade`. If it's still not working, please provide the log with `--debug 2`, otherwise, nobody can help you.

github-actions[bot], Mar 15 '23 16:03

I've upgraded to the latest... it always runs an upgrade when invoked. This really is a question for @Neilpang ... is the code MEANT to invoke deploy scripts after successful renew via the default cron job?

easpeagle, Mar 15 '23 16:03

I answered that myself... it definitely seems like it should be triggering deploy hooks. I'll grab some debug.

easpeagle, Mar 15 '23 18:03

I’m having the same problem. When trying manually I get “oathtool could not be found, install oathtool to use SYNO_TOTP_SECRET”. This is using docker on a Synology NAS.

johndf, Mar 20 '23 03:03

> I’m having the same problem. When trying manually I get “oathtool could not be found, install oathtool to use SYNO_TOTP_SECRET”. This is using docker on a Synology NAS.

Sounds like your container is missing the oathtool library... I had to add that one to the container I built for certain deploy hooks.

easpeagle, Mar 20 '23 15:03

So... ran this with debug2 ... it goes through... issues the cert... and then just bombs out... no deploy hooks are being run. Is there something I'm missing @Neilpang ?

[Tue Mar 21 16:00:19 UTC 2023] Your cert is in: OMITTED
[Tue Mar 21 16:00:19 UTC 2023] Your cert key is in: OMITTED
[Tue Mar 21 16:00:19 UTC 2023] The intermediate CA cert is in: OMITTED
[Tue Mar 21 16:00:19 UTC 2023] And the full chain certs is there: OMITTED
[Tue Mar 21 16:00:20 UTC 2023] _now='1679414420'
[Tue Mar 21 16:00:20 UTC 2023] _lifetime='86387'
[Tue Mar 21 16:00:20 UTC 2023] _on_issue_success
[Tue Mar 21 16:00:20 UTC 2023] 'OMITTED' does not contain 'dns'
[Tue Mar 21 16:00:20 UTC 2023] Return code: 0

easpeagle, Mar 21 '23 18:03

To me it looks like https://github.com/acmesh-official/acme.sh/blob/master/acme.sh#L5409-L5428 is missing a `Le_DeployHook="$(_readdomainconf Le_DeployHook)"` before the `if [ "$Le_DeployHook" ]; then` so it'll actually deploy in line 5428. In fact `Le_DeployHook` only appears in 3 lines in the whole script, those ineffectual ones in renew and one in deploy where it's saved to config.

klaasb, Dec 29 '23 11:12

Yeah, I'm having the same issue now. I can't deploy any certs when they are renewed. :/

dlangille, Jan 21 '24 15:01

The "Le_DeployHook" is saved in the domain conf and is reloaded (sourced from the domain conf https://github.com/acmesh-official/acme.sh/blob/master/acme.sh#L5361), so when it comes to here https://github.com/acmesh-official/acme.sh/blob/master/acme.sh#L5427 , the Le_DeployHook is not empty and will be executed.

Neilpang, Jan 22 '24 03:01

The issue I was having ultimately ended up being when I tried to create/use ECC certs. Deploy hooks wouldn't run. Once I switched back to RSA... no problems were noted.

easpeagle, Jan 22 '24 15:01
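
A quick check for the situation discussed in this thread, as an added example that is not acme.sh code and not from any participant: for each cert directory under an acme.sh home, it prints the `Le_DeployHook` value recorded in the domain conf (the file Neilpang says renew sources), covering both RSA and `_ecc` directories. The `<domain>/<domain>.conf` and `<domain>_ecc/<domain>.conf` layout and the `key='value'` line format are assumptions, and the sample tree is constructed.

```sh
#!/bin/sh
# Added example (not acme.sh code): report the deploy hook each cert dir records.

# Print the Le_DeployHook value saved in one domain conf; empty if absent.
# Assumes the key='value' line format used in acme.sh domain conf files.
read_deploy_hook() {
  sed -n "s/^Le_DeployHook='\(.*\)'\$/\1/p" "$1" | tail -n 1
}

# One line per cert dir: "<dir> <hook>" or "<dir> MISSING".
# Returns 1 if any cert dir has no deploy hook recorded.
audit_deploy_hooks() {
  rc=0
  for conf in "$1"/*/*.conf; do
    [ -f "$conf" ] || continue
    dir=$(basename "$(dirname "$conf")")
    # Assumed layout: RSA certs in <domain>/, ECC certs in <domain>_ecc/,
    # both with settings in <domain>.conf. Skip other files (*.csr.conf).
    [ "$(basename "$conf")" = "${dir%_ecc}.conf" ] || continue
    hook=$(read_deploy_hook "$conf")
    if [ -n "$hook" ]; then
      printf '%s %s\n' "$dir" "$hook"
    else
      printf '%s MISSING\n' "$dir"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample tree: an RSA cert with a hook, an ECC cert without one.
make_sample_home() {
  d=$(mktemp -d)
  mkdir -p "$d/example.com" "$d/example.com_ecc"
  printf "Le_Domain='example.com'\nLe_DeployHook='ssh,'\n" > "$d/example.com/example.com.conf"
  printf "Le_Domain='example.com'\nLe_Keylength='ec-256'\n" > "$d/example.com_ecc/example.com.conf"
  : > "$d/example.com/example.com.csr.conf"
  echo "$d"
}

# Audit the directory given as $1, or the constructed sample when none is given.
audit_deploy_hooks "${1:-$(make_sample_home)}" || echo "some certs will renew without deploying"
```

Run it with the acme.sh home directory as the first argument; a `MISSING` line means a renewed cert in that directory has no hook on record to push it to the target system.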