Home / server / Questions / 1062849
Accepted
Walf
Asked: 2021-05-07 20:31:09 +0800 CST

When using Let's Encrypt certbot, how do I restart/reload a network service only once and only if the cerificate was actually renewed?

  • 772

The certbot command provides two hooks that run after automated renewals, from the docs:

 --post-hook POST_HOOK
                       Command to be run in a shell after attempting to
                       obtain/renew certificates. Can be used to deploy
                       renewed certificates, or to restart any servers that
                       were stopped by --pre-hook. This is only run if an
                       attempt was made to obtain/renew a certificate. If
                       multiple renewed certificates have identical post-
                       hooks, only one will be run. (default: None)
 --deploy-hook DEPLOY_HOOK
                       Command to be run in a shell once for each
                       successfully issued certificate. For this command, the
                       shell variable $RENEWED_LINEAGE will point to the
                       config live subdirectory (for example,
                       "/etc/letsencrypt/live/example.com") containing the
                       new certificates and keys; the shell variable
                       $RENEWED_DOMAINS will contain a space-delimited list
                       of renewed certificate domains (for example,
                       "example.com www.example.com" (default: None)

This issue is outlined in this (now closed) LE thread and is basically about minimising interruption to services. POST_HOOK executes every time an attempt to renew is made even if no certificates were issued, though only once. This makes it possible to unnecessarily restart services. DEPLOY_HOOK runs for each and every successful certificate renewal. If one uses DEPLOY_HOOK, and has multiple certificates, each service may restart multiple times when once is enough. More info on renewal hooks here.

I use an issuance method that does not interrupt my services at all, e.g.:

certbot certonly --webroot ...

or

certbot certonly --dns-PROVIDER ...

I want to restart/reload each dependent service only once, and only if its certificate actually changed.

certbot lets-encrypt ssl-certificate-renewal

1 Answers

  1. Best Answer

    I was able to overcome this limitation by using both hooks with a simple script to save state. For example, to reload nginx, and restart vsftpd when a certificate they both use is renewed:

    certbot certonly ... \
    --deploy-hook '/usr/local/sbin/read-new-certs-services nginx --restart vsftpd' \
    --post-hook /usr/local/sbin/read-new-certs-services

    The script /usr/local/sbin/read-new-certs-services is this:

    #!/bin/sh

run_base=/run
dir_reloads="$run_base/new-cert-reloads"
dir_restarts="$run_base/new-cert-restarts"

if [ $# -gt 0 ]; then
    some=0
    dir="$dir_reloads"
    while [ $# -gt 0 ]; do
        case $1 in
            -h|--help)
                >&2 cat <<-'EOHELP'
                    Usage:

                      read-new-certs-services [-l|-s] service1 [[-l|-s] service2]
                      or
                      read-new-certs-services

                      When called without arguments, marked services will be reloaded or restarted.

                    Arguments:

                      -h, --help
                        This help.

                      -l, --reload
                        Mark all subsequently listed services for reloading. This is the default.

                      -s, --restart
                        Mark all subsequently listed services for restarting.
                    EOHELP
                exit
                ;;
            -l|--reload)
                dir="$dir_reloads"
                ;;
            -s|--restart)
                dir="$dir_restarts"
                ;;
            *)
                if [ -n "$1" ]; then
                    some=1
                    run_file="$dir/$1"
                    if [ ! -f "$run_file" ] && ! install -D /dev/null "$run_file"; then
                        >&2 echo "Service could not be marked: $run_file"
                        exit 1
                    fi
                fi
                ;;
        esac
        shift
    done
    if [ $some -eq 0 ]; then
        >&2 echo 'No service(s) specified.'
        exit 1
    fi
    exit
fi

if [ -d "$dir_restarts" ]; then
    find "$dir_restarts" -mindepth 1 -printf '%P\t%p\n' | while IFS="$(printf '\t')" read -r svc run_file; do
        systemctl restart "$svc" && rm "$run_file"
        # no need to reload as well if restarting
        run_file="$dir_reloads/$svc"
        if [ -f "$run_file" ]; then
            rm "$run_file"
        fi
    done
fi

if [ -d "$dir_reloads" ]; then
    find "$dir_reloads" -mindepth 1 -printf '%P\t%p\n' | while IFS="$(printf '\t')" read -r svc run_file; do
        systemctl reload "$svc" && rm "$run_file"
    done
fi

    This must be used for every certificate issue so that they don't use conflicting methods of restarting services.

    You can change existing certificate renewals to use this method by editing their /etc/letsencrypt/renewal/*.conf files to contain hooks like this in the [renewalparams] section:

    renew_hook = /usr/local/sbin/read-new-certs-services nginx -s vsftpd
post_hook = /usr/local/sbin/read-new-certs-services
    • 1