Hook stdout output isn't printed or logged #4167

Open
stephenostermiller opened this Issue Feb 4, 2017 · 5 comments


@stephenostermiller
stephenostermiller commented Feb 4, 2017 edited

I had created a certificate using a command like this:

certbot certonly --staging --agree-tos --webroot -w /var/www/example.com/ -d example.com

I created a test script for post renewal

#!/bin/sh
set -e
# Print the variables certbot exports to the hook (written to stdout here)
echo "RENEWED_LINEAGE: $RENEWED_LINEAGE"
echo "RENEWED_DOMAINS: $RENEWED_DOMAINS"

And I run certbot to force a renewal:

$ sudo certbot --staging renew --force-renewal --renew-hook /home/steveo/config/scripts/lets-encrypt-renew-hook.sh 
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (success)

But my renew hook script never ran. If it had, I would expect to see it print the environment variables.

@stephenostermiller stephenostermiller changed the title from --renew-hook script never runs for certonly staging to --renew-hook script never runs for certonly staging force-renewal Feb 4, 2017
@bmw
Contributor
bmw commented Feb 6, 2017

This is a duplicate of #3947. --renew-hook is only run when renewing certificates with certbot renew, however, we're going to deprecate the flag in favor of --deploy-hook which will always be run when obtaining a new certificate.

@bmw bmw closed this Feb 6, 2017
@stephenostermiller
stephenostermiller commented Feb 6, 2017 edited

I was running certbot renew and it never got called.

@bmw
Contributor
bmw commented Feb 6, 2017

I'm sorry. I missed that in the latter part of your post. I should have read more closely.

What version of certbot are you using? Certbot should provide more output than what you posted above. Running the same commands on master, I get the following output for renew:

sudo certbot --staging renew --force-renewal --renew-hook ./test.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem
Running renew-hook command: ./test.sh

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (success)

As for not seeing the output of renew-hook, only stderr output is printed. If you change your test script to:

#!/bin/sh
set -e
# Redirect to stderr, which certbot does pass through to the terminal
echo "RENEWED_LINEAGE: $RENEWED_LINEAGE" >&2
echo "RENEWED_DOMAINS: $RENEWED_DOMAINS" >&2

or

#!/bin/sh
set -e
# Append to a file instead, relative to the directory certbot was run from
echo "RENEWED_LINEAGE: $RENEWED_LINEAGE" >> out.txt
echo "RENEWED_DOMAINS: $RENEWED_DOMAINS" >> out.txt

you should see the output either in the terminal or in ./out.txt respectively.

@bmw bmw reopened this Feb 6, 2017
@bmw bmw added more-info and removed duplicate labels Feb 6, 2017
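A fuller renew/deploy hook built around the behaviour described in this thread, as an added example that is not from the issue or from the certbot project. It assumes only what the comments above state: certbot exports RENEWED_LINEAGE (the live directory of the renewed certificate) and RENEWED_DOMAINS (space-separated) to the hook, and the hook's stderr is shown while its stdout is not. Everything the hook reports therefore goes to stderr and to a log file, never to stdout. HOOK_LOG, DEPLOY_DIR and RELOAD_CMD are assumed knobs of this example, not certbot options.

```shell
#!/bin/sh
# Example certbot renew/deploy hook (added example; not the issue's or certbot's own code).
# Assumed environment from certbot: RENEWED_LINEAGE and RENEWED_DOMAINS.
# Assumed knobs of this script: HOOK_LOG, DEPLOY_DIR, RELOAD_CMD.

HOOK_LOG="${HOOK_LOG:-/var/log/letsencrypt/renew-hook.log}"   # assumed log path

# log MESSAGE...: timestamped line to stderr (the stream certbot shows) and to HOOK_LOG.
# Logging must never make the hook fail, so a non-writable log file is ignored.
log() {
    msg="$(date -u +%Y-%m-%dT%H:%M:%SZ) renew-hook: $*"
    printf '%s\n' "$msg" >&2
    printf '%s\n' "$msg" >> "$HOOK_LOG" 2>/dev/null || :
}

# deploy_certificate LINEAGE DESTDIR: copy fullchain.pem/privkey.pem from the lineage
# into DESTDIR with restrictive modes. Refuses to act if either file is unreadable, so a
# half-renewed lineage is never deployed.
deploy_certificate() {
    lineage="$1"; dest="$2"
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$lineage/$f" ]; then
            log "ERROR: $lineage/$f missing or unreadable; refusing to deploy"
            return 1
        fi
    done
    mkdir -p "$dest" || return 1
    # umask 077 inside a subshell: the copies are never world-readable, even briefly
    ( umask 077 &&
      cp "$lineage/fullchain.pem" "$dest/fullchain.pem" &&
      cp "$lineage/privkey.pem"   "$dest/privkey.pem" ) || return 1
    chmod 0644 "$dest/fullchain.pem"
    chmod 0600 "$dest/privkey.pem"
    log "deployed $lineage -> $dest"
}

# run_hook: validate certbot's variables, record every renewed domain, deploy the
# lineage once and optionally run a reload command, capturing its output into the log.
run_hook() {
    if [ -z "$RENEWED_LINEAGE" ]; then
        log "ERROR: RENEWED_LINEAGE is not set; not invoked by certbot?"
        return 2
    fi
    log "RENEWED_LINEAGE: $RENEWED_LINEAGE"
    # RENEWED_DOMAINS is space-separated, so unquoted word splitting is intended here
    for d in $RENEWED_DOMAINS; do
        log "renewed domain: $d"
    done
    deploy_certificate "$RENEWED_LINEAGE" \
        "${DEPLOY_DIR:-/etc/ssl/deployed/$(basename "$RENEWED_LINEAGE")}" || return 1
    if [ -n "$RELOAD_CMD" ]; then
        if out=$(sh -c "$RELOAD_CMD" 2>&1); then
            log "reload ok: $out"
        else
            log "ERROR: reload failed: $out"
            return 1
        fi
    fi
}

# Entry point: certbot executes this file with RENEWED_LINEAGE set. Without it (for
# example when the file is sourced to reuse the functions) nothing runs.
if [ -n "$RENEWED_LINEAGE" ]; then
    run_hook || exit 1
fi
```

A non-zero exit from run_hook propagates to certbot, so a refused deploy or a failed reload is reported as a hook failure rather than silently hidden the way stdout was in the report above.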
@stephenostermiller

I'm using the version in the Ubuntu 16.10 repositories:

$ certbot --version
certbot 0.8.1

If certbot suppresses STDOUT from the script that would certainly explain why I didn't see it. I can change my script, but that seems like really dumb behavior. At the very least it should be documented as a big gotcha.

@bmw
Contributor
bmw commented Feb 7, 2017

We can potentially look into changing the behavior.

If a developer makes this change, we'd want to log stdout to logger.info.

@bmw bmw changed the title from --renew-hook script never runs for certonly staging force-renewal to Hook stdout output isn't printed or logged Feb 7, 2017
@bmw bmw added ui / ux and removed more-info labels Feb 7, 2017