Hook stdout output isn't printed or logged #4167

Closed
stephenostermiller opened this Issue Feb 4, 2017 · 6 comments


stephenostermiller commented Feb 4, 2017

I had created a certificate using a command like this:

```
certbot certonly --staging --agree-tos --webroot -w /var/www/example.com/ -d example.com
```

I created a test script for post renewal:

```sh
#!/bin/sh
set -e
echo "RENEWED_LINEAGE: $RENEWED_LINEAGE"
echo "RENEWED_DOMAINS: $RENEWED_DOMAINS"
```

And I run certbot to force a renewal:

```
$ sudo certbot --staging renew --force-renewal --renew-hook /home/steveo/config/scripts/lets-encrypt-renew-hook.sh
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
```

But my renew hook script never ran. If it had, I would expect to see it print the environment variables.

@stephenostermiller stephenostermiller changed the title from --renew-hook script never runs for certonly staging to --renew-hook script never runs for certonly staging force-renewal Feb 4, 2017

Contributor

bmw commented Feb 6, 2017

This is a duplicate of #3947. `--renew-hook` is only run when renewing certificates with `certbot renew`; however, we're going to deprecate the flag in favor of `--deploy-hook`, which will always be run when obtaining a new certificate.

@bmw bmw closed this Feb 6, 2017

stephenostermiller commented Feb 6, 2017

I was running certbot renew and it never got called.

Contributor

bmw commented Feb 6, 2017

I'm sorry. I missed that in the latter part of your post. I should have read more closely.

What version of certbot are you using? Certbot should provide more output than what you posted above. Running the same commands on master, I get the following output for renew:

```
sudo certbot --staging renew --force-renewal --renew-hook ./test.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem
Running renew-hook command: ./test.sh

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (success)
```

As for not seeing the output of renew-hook, only stderr output is printed. If you change your test script to:

```sh
#!/bin/sh
set -e
echo "RENEWED_LINEAGE: $RENEWED_LINEAGE" >&2
echo "RENEWED_DOMAINS: $RENEWED_DOMAINS" >&2
```

or

```sh
#!/bin/sh
set -e
echo "RENEWED_LINEAGE: $RENEWED_LINEAGE" >> out.txt
echo "RENEWED_DOMAINS: $RENEWED_DOMAINS" >> out.txt
```

you should see the output either in the terminal or in ./out.txt respectively.

@bmw bmw reopened this Feb 6, 2017

@bmw bmw added more-info and removed duplicate labels Feb 6, 2017

stephenostermiller commented Feb 6, 2017

I'm using the version in the Ubuntu 16.10 repositories:

```
$ certbot --version
certbot 0.8.1
```

If certbot suppresses STDOUT from the script that would certainly explain why I didn't see it. I can change my script, but that seems like really dumb behavior. At the very least it should be documented as a big gotcha.


Contributor

bmw commented Feb 7, 2017

We can potentially look into changing the behavior.

If a developer makes this change, we'd want to log stdout to logger.info.
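
The behaviour proposed above (hook stdout written to the log at info level instead of being dropped), as an added example that is not certbot's code and not the change made for this issue. `run_hook`, `ListHandler`, `demo`, the logger name and the sample values are all assumptions made for illustration.

```python
import logging
import os
import subprocess
import tempfile

logger = logging.getLogger("hook_demo")  # hypothetical logger name
# Constructed sample input: a hook like the issue's test script (stdout
# only) plus values for the two variables it reads.
SAMPLE_HOOK = '''#!/bin/sh
set -e
echo "RENEWED_LINEAGE: $RENEWED_LINEAGE"
echo "RENEWED_DOMAINS: $RENEWED_DOMAINS"
'''
SAMPLE_ENV = {"RENEWED_LINEAGE": "/etc/letsencrypt/live/example.com",
              "RENEWED_DOMAINS": "example.com"}

def run_hook(argv, extra_env):
    """Run a hook; log stdout at INFO and stderr at ERROR; return exit status."""
    proc = subprocess.run(argv, env=dict(os.environ, **extra_env),
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          text=True)
    for line in proc.stdout.splitlines():
        logger.info("hook stdout: %s", line)
    for line in proc.stderr.splitlines():
        logger.error("hook stderr: %s", line)
    if proc.returncode != 0:
        logger.error("hook exited with status %d", proc.returncode)
    return proc.returncode

class ListHandler(logging.Handler):
    """Collects (level, message) pairs so the demo can return them."""
    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append((record.levelname, record.getMessage()))

def demo(script=SAMPLE_HOOK):
    """Write the hook to a temp file, run it, return (status, log records)."""
    handler = ListHandler()
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    with tempfile.NamedTemporaryFile("w", suffix=".sh", delete=False) as fh:
        fh.write(script)
    try:
        return run_hook(["/bin/sh", fh.name], SAMPLE_ENV), handler.records
    finally:
        os.unlink(fh.name)
        logger.removeHandler(handler)
```

Calling `demo()` returns the exit status together with the captured log records, so a hook that fails or writes nothing leaves a visible trace in the log rather than passing silently.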

@bmw bmw changed the title from --renew-hook script never runs for certonly staging force-renewal to Hook stdout output isn't printed or logged Feb 7, 2017

@bmw bmw added area: ui / ux and removed more-info labels Feb 7, 2017

Faerbit added a commit to Faerbit/certbot that referenced this issue May 22, 2017

bmw added a commit that referenced this issue May 22, 2017

Contributor

bmw commented May 22, 2017

Fixed in #4702.

@bmw bmw closed this May 22, 2017

@bmw bmw added this to the 0.15.0 milestone May 22, 2017
