Hook evolution for Ispconfig LE renewal

Discussion in 'Developers' Forum' started by francoisPE, Jun 25, 2021.

  1. francoisPE

    francoisPE Member HowtoForge Supporter

    Hello,
    I am using LE Certificates created and renewed by ISP config for 2 services : coturn and slapd

    Those 2 are running with users different from root, so that I would like to use hook to copy and chown files after renewal (same process than describe here https://docs.bigbluebutton.org/admin/setup-turn-server.html#generating-tls-certificates)

    This means, I would like to add few lines to : ispconfig3/server/scripts/letsencrypt_renew_hook.sh
    I have the possibility to create file : /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh
    But custom is always dangerous when code evolves.
    As these hooks, are probably needed by few people, I would propose to change a little bit the logic.

    Instead of having a custom file "replacing" the normal code, why not having a custom file in "addition to"

    Thus, I propose following modification:
    change
    Code:
    if [ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh" ] ; then
    . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh && exit 0 || exit 1;
    fi
    
    into
    Code:
    if [ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh" ] ; then
    . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh || exit 1;
    fi
    
    e.g. remove 'exit 0'

    I would also propose to move that line from the beginning of the script to the end.

    What do you think ?
     
  2. francoisPE

    francoisPE Member HowtoForge Supporter

    Another possibility would be to keep code as is, and add at the very end of script : ispconfig3/server/scripts/letsencrypt_renew_hook.sh
    Code:
    if [ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook_add.sh" ] ; then
    . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook_add.sh;
    fi
    
     
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    The pre and post hooks already handle this, it would be simple to have the renew hook use the same logic.
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Not really. It is just a script. The ones that you should worry are templates.

    Good improvement.
     
  6. francoisPE

    francoisPE Member HowtoForge Supporter

    @Jesse Norell Many thanks !
    You know Lucky Luke ? Are you same family ;):)
     
  7. francoisPE

    francoisPE Member HowtoForge Supporter

    Hello,
    I implement a hook... I thought so !
    But, today, there were a renewal and it doesn't work...
    So I try to see how it went...
    I want to test my script but "certbot --dry-run renew" don't deploy hook !
    Is there a workaround ?

    Moreover, I found nothing in letsencrypt.log...
     
    Last edited: Nov 1, 2021
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  9. francoisPE

    francoisPE Member HowtoForge Supporter

    Hello,
    I use that new functionnality
    https://git.ispconfig.org/ispconfig/ispconfig3/-/merge_requests/1492
    I have a script :
    /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh
    Code:
    if [ $(dpkg-query -W -f='${Status}' slapd 2>/dev/null | grep -c "ok installed") -eq 1 ]; then
      cp /usr/local/ispconfig/interface/ssl/ispserver.crt /etc/ssl/slapd/slapd.crt
      cp /usr/local/ispconfig/interface/ssl/ispserver.key /etc/ssl/slapd/slapd.key
      chown -R openldap:openldap /etc/ssl/slapd
      #sleep 1s
      service slapd restart
    fi
    return 124
    
    cert was renewed because ssl access to my slapd was broken...
    I found nothing about that in letsencrypt log...
    and I don't know how to test...

    letsencrypt.log is saying for today
    Code:
    2021-11-01 03:00:31,
    2021-11-01 03:00:31,771:DEBUG:certbot.main:certbot version: 0.40.0
    2021-11-01 03:00:31,772:DEBUG:certbot.main:Arguments: ['-n', '--post-hook', "echo '1' > /usr/local/ispconfig/server/le.restart"]
    2021-11-01 03:00:31,772:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEn
    tryPoint#standalone,PluginEntryPoint#webroot)
    2021-11-01 03:00:31,780:DEBUG:certbot.log:Root logging level set at 20
    2021-11-01 03:00:31,780:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2021-11-01 03:00:31,797:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7fd1df4ccaf0> and i
    nstaller <certbot.cli._Default object at 0x7fd1df4ccaf0>
    2021-11-01 03:00:31,814:INFO:certbot.renewal:Cert not yet due for renewal
    2021-11-01 03:00:31,816:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2021-11-01 03:00:31,826:INFO:certbot.renewal:Cert not yet due for renewal
    2021-11-01 03:00:31,827:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2021-11-01 03:00:31,832:INFO:certbot.renewal:Cert not yet due for renewal
    2021-11-01 03:00:31,833:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2021-11-01 03:00:31,839:INFO:certbot.renewal:Cert not yet due for renewal
    2021-11-01 03:00:31,840:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2021-11-01 03:00:31,846:INFO:certbot.renewal:Cert not yet due for renewal
    2021-11-01 03:00:31,847:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2021-11-01 03:00:31,853:INFO:certbot.renewal:Cert not yet due for renewal
    2021-11-01 03:00:31,855:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2021-11-01 03:00:31,855:DEBUG:certbot.renewal:no renewal failures
    2021-11-01 10:43:16,238:DEBUG:certbot.main:certbot version: 0.40.0
    2021-11-01 10:43:16,239:DEBUG:certbot.main:Arguments: ['-q']
    2021-11-01 10:43:16,239:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEn
    tryPoint#standalone,PluginEntryPoint#webroot)
    2021-11-01 10:43:16,251:DEBUG:certbot.log:Root logging level set at 30
    2021-11-01 10:43:16,252:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2021-11-01 10:43:16,265:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f7d11d3b310> and i
    nstaller <certbot.cli._Default object at 0x7f7d11d3b310>
    2021-11-01 10:43:16,276:INFO:certbot.renewal:Cert not yet due for renewal
    2021-11-01 10:43:16,277:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2021-11-01 10:43:16,281:INFO:certbot.renewal:Cert not yet due for renewal
    2021-11-01 10:43:16,282:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2021-11-01 10:43:16,286:INFO:certbot.renewal:Cert not yet due for renewal
    2021-11-01 10:43:16,286:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2021-11-01 10:43:16,290:INFO:certbot.renewal:Cert not yet due for renewal
    2021-11-01 10:43:16,291:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2021-11-01 10:43:16,295:INFO:certbot.renewal:Cert not yet due for renewal
    2021-11-01 10:43:16,295:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2021-11-01 10:43:16,299:INFO:certbot.renewal:Cert not yet due for renewal
    2021-11-01 10:43:16,300:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2021-11-01 10:43:16,300:DEBUG:certbot.renewal:no renewal failures
    2021-11-01 12:35:27,347:DEBUG:certbot.main:certbot version: 0.40.0
    2021-11-01 12:35:27,348:DEBUG:certbot.main:Arguments: ['-q']
    2021-11-01 12:35:27,348:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEn
    tryPoint#standalone,PluginEntryPoint#webroot)
    2021-11-01 12:35:27,358:DEBUG:certbot.log:Root logging level set at 30
    2021-11-01 12:35:27,358:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2021-11-01 12:35:27,367:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f86c38b0370> and i
    nstaller <certbot.cli._Default object at 0x7f86c38b0370>
    2021-11-01 12:35:27,376:INFO:certbot.renewal:Cert not yet due for renewal
    2021-11-01 12:35:27,377:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2021-11-01 12:35:27,383:INFO:certbot.renewal:Cert not yet due for renewal
    2021-11-01 12:35:27,384:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2021-11-01 12:35:27,388:INFO:certbot.renewal:Cert not yet due for renewal
    2021-11-01 12:35:27,388:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2021-11-01 12:35:27,391:INFO:certbot.renewal:Cert not yet due for renewal
    2021-11-01 12:35:27,392:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2021-11-01 12:35:27,395:INFO:certbot.renewal:Cert not yet due for renewal
    2021-11-01 12:35:27,395:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2021-11-01 12:35:27,398:INFO:certbot.renewal:Cert not yet due for renewal
    2021-11-01 12:35:27,399:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2021-11-01 12:35:27,399:DEBUG:certbot.renewal:no renewal failures
    
     
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Did you make your script executable?
     
  11. francoisPE

    francoisPE Member HowtoForge Supporter

    by root
    -rwxr--r-- 1 root root 346 Sep 29 08:29 /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh
     
  12. francoisPE

    francoisPE Member HowtoForge Supporter

    My question now is may be a wrong understanding of that hook...

    I have a multiserver setup. the server I am focusing on, is not the one with web interface...
    If I look in /etc/letsencrypt/renewal/myserver.dom.fr.conf, I don't see "renew_hook = letsencrypt_renew_hook.sh" as I can see it in web interface server related letsencrypt file

    So I need to add it !
    do you know how I can run certbot --dry-run renew including hook ?
     
    Last edited: Nov 3, 2021
  13. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    The only way I know for you to achieve that is you have to carefully add it in the renewal conf file for the intended domain, not in the dry run command, but this is not advised in ISPConfig.
     
  14. francoisPE

    francoisPE Member HowtoForge Supporter

    I include
    Code:
    renew_hook=letsencrypt_renew_hook.sh
    in conf file except on ispc web interface server
    I also sym link sh script in /usr/local
     
  15. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  16. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Create a bash script /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh and have it do whatever local stuff needs done. If that script exits status 124 (ie. "exit 124" in the script), the standard renewal hooks that ispconfig provides will continue to run; if it has any other exit status, ispconfig's renewal hooks will be skipped.
     
  17. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Whether the ISPConfig server is web server or otherwise not, that server still should be able to obtain LE SSL certs via install or upgrade, at least that was the intended behavior when it was designed. The hook is there by default.

    So I am not sure what are you trying to do actually especially in your #12 post. Please clarify what is your problem again.
     
  18. francoisPE

    francoisPE Member HowtoForge Supporter

    Sorry, for answering late, and beeing not very clear.

    First, I use the famous new functionnality : it was created following my above #2 post.
    That's a great functionnality thanks a lot :)

    Second, the difficulty I face is this specific case :
    - server is not web interface server
    - I don't upgrade ispconfig for more than 6 months
    After 6 month, certbot renew my LE cert for my server but it doesn't run my script which is :
    /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh with exits status 124

    Investigating, I saw that in /etc/letsencrypt/renewal/myserver.dom.fr.conf, there is no line "renew_hook = letsencrypt_renew_hook.sh" in this server, but, this line exist in all other servers...

    so that, finally I add a line in file /etc/letsencrypt/renewal/myserver.dom.fr.conf,
    "renew_hook = letsencrypt_renew_hook.sh"
    and hope it will solve this issue !
    Don't know why this line was missing (my mistake at one time ?)

    In post #12, I mention that I don't know how to check that hook, because dry run doesn't run hook...

    Thanks a lot for the interest you show to help me
    :)
     
    ahrasis likes this.

Share This Page