Certbot renewal no env variables for hooks

[t0mtaylor]

Certbot renewal no env variables for hooks

when setting the post and deploy hook, the environment variables are not set by cerbot

$RENEWED_DOMAINS
$RENEWED_LINEAGE

I have tried printenv in the hook script and the variables dont exist

[alexzorin]

1. --post-hook doesn't set these environment variables. This is intentional, because a post-hook may be covering multiple certificates:

   If multiple renewed certificates have identical post-hooks, only one will be run.

2. --deploy-hook always sets these environment variables. If you have found a situation where this isn't a case, it would be a bug.

[harridu]

RENEWED_DOMAINS could provide a space-separated list (as indicated by the name).

About case 1:
Not sure about the pre-hooks, but apparently all post-hooks are run, even if only one cert got renewed. This can be pretty expensive. How could this be avoided in the post-hook script without information provided by certbot? It would be easy to ignore these variables in the script.

[alexzorin]

apparently all post-hooks are run, even if only one cert got renewed. This can be pretty expensive. How could this be avoided in the post-hook script without information provided by certbot

Yes, if you put pre/post hook scripts into the /etc/letsencrypt/renewal-hooks/{pre,post}/ directories, they will all be run indiscriminately (but only once each, regardless of how many certificates got renewed). They are global.

If you want to a pre/post hook which is specific only to one certificate, issuing the certificate with the --pre-hook and --post-hook CLI flags will achieve that. Certbot will remember, at the next renewal, to run those hooks, for that certificate only. The setting will be remembered in the /etc/letsencrypt/renewal/*.conf file.

[harridu]

You mean I have to put the pre- and post-hook scripts into another directory to make sure that they are run only if "their" certificate got updated? Can this still be a common directory for all certificates?

[alexzorin]

I think it's helpful to think of the pre/ and post/ directories as global. For example, if all your certificate renewals require stopping and starting nginx, then it's a way to do that in a single place.

Otherwise, anything certificate-specific should go outside of those directories and be set per-certificate, yes.

[harridu]

I wonder where this could be found in the man page?

[alexzorin]

A lot of this information is buried in https://eff-certbot.readthedocs.io/en/stable/using.html#renewing-certificates, but it could be improved, yes.

[lordspace]

I am testing the --deploy-hook command line argument with --dry-run and --force-renewal and my php script is NOT receiving the environment variables that it's supposed to. I have tried to access them via getenv() function and also using $_ENV and $_SERVER arrays too.

Do you have an idea why?

[alexzorin]

--dry-run does not invoke --deploy-hook.

[github-actions]

We've made a lot of changes to Certbot since this issue was opened. If you still have this issue with an up-to-date version of Certbot, can you please add a comment letting us know? This helps us to better see what issues are still affecting our users. If there is no activity in the next 30 days, this issue will be automatically closed.

[lordspace]

Cool. Will test this in the next few weeks