certbot icon indicating copy to clipboard operation
certbot copied to clipboard
verified publisher icon certbot

[Bug]: A hook script does not execute (manual-auth exists, but is not executable) v2

Open mrAceT opened this issue 7 months ago • 2 comments

OS

AlmaLinux 8 (working on upgrade to 9)

Installation method

snap

Certbot Version

4.0.0

What happened?

I ran this command:

$ /var/lib/snapd/snap/bin/certbot certonly --agree-tos --manual --email [email protected] -d 'yyy.nl,*.yyy.nl' --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory --manual-auth-hook authenticator.sh --manual-cleanup-hook cleanup.sh

result:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
authenticator.sh-hook command manual-auth exists, but is not executable.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

The last two lines in the log:

certbot.errors.HookCommandNotFound: authenticator.sh-hook command manual-auth exists, but is not executable.
2025-06-05 10:10:29,773:ERROR:certbot._internal.log:authenticator.sh-hook command manual-auth exists, but is not executable.

The .sh script are set with chmod 755 (so the are executable, ref https://github.com/certbot/certbot/issues/9979) The owner of the .sh scritps are root (ant the command at the top is executed as root)

I tested with: sudo -u root sh -c 'CERTBOT_DOMAIN="yyy.nl" CERTBOT_VALIDATION="token" ./authenticator.sh'

This writes out the multi line result I expected (spits some logging, I am assuming that there is no required type of output?)

What is going wrong? Help is appreciated.

Expected behavior

No error ;)

Relevant log output

mrAceT avatar Jun 05 '25 08:06 mrAceT

This looks like a permissions issue on your system. Do have the proper permissions scope to execute these commands?

zoracon avatar Jun 05 '25 21:06 zoracon

  • certbot / snap is owned by root
  • the scripts are owed by root
  • I run certbot as root
  • the .sh files are set to 755

I have now idea how to do this with more permissions?

mrAceT avatar Jun 05 '25 21:06 mrAceT

Figured it out!!

I had to add the full path in front of the auth and cleanup script, it is finaly working now, YAY!

For others breaking their head over this, this is my command:

certbot certonly --non-interactive --agree-tos --manual --email [email protected] -d 'domain.nl,*.domain.nl' --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory --manual-auth-hook /snap/bin/authenticator.sh --manual-cleanup-hook /snap/bin/cleanup.sh

mrAceT avatar Sep 02 '25 11:09 mrAceT