acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

$RENEWED_LINEAGE equivalent on acme.sh #1534

Open alexandre1985 opened 6 years ago

alexandre1985 commented 6 years ago

I am running a script on --renew-hook and that script is this:

#!/bin/bash
# Full path to pre-generated Diffie Hellman Parameters file
dhparams=/etc/hitch/dhparams.pem

if [[ "${RENEWED_LINEAGE}" == "" ]]; then
    echo "Error: missing RENEWED_LINEAGE env variable." >&2
    exit 1
fi

umask 077
cat "${RENEWED_LINEAGE}/test.com.key" \
    "${RENEWED_LINEAGE}/fullchain.cer" \
    "${dhparams}" > "${RENEWED_LINEAGE}/hitch-bundle.pem"

The script works with certbot --renew-hook but in acme.sh it isn't doing what it is supposed to do (can't find hitch-bundle.pem). I believe the problem is that ${RENEWED_LINEAGE} is a certbot-only variable, and in acme.sh I need a similar variable to get the directory of the certificates.

farces commented 6 years ago

For --renew-hook (right now) acme.sh changes directory to the certificate directory (equivalent of $RENEWED_LINEAGE) before running your hook, so you should be able to use $(pwd) in its place. I'm not sure if that's subject to change, but it's how I've been running things for the moment.

It's slightly simpler using a --deploy-hook script ($* includes all the important info) but I couldn't find solid info on when it runs and wanted to avoid deployment on a non-renewal.

https://github.com/Neilpang/acme.sh/blob/838d3ddc173db4f4c6481df06f3101c183f035f8/acme.sh#L3174-L3183

alexandre1985 commented 6 years ago

My script right now is:

#!/bin/bash
# Full path to pre-generated Diffie Hellman Parameters file
dhparams=/etc/hitch/dhparams.pem
acmehome=/root/.acme.sh
domain=$(basename "$(pwd)")
set -f   # disable filename globbing

if [[ "${domain}" == "" ]]; then
    echo "Error: missing domain variable." >&2
    exit 1
fi

umask 077

cat "${acmehome}/${domain}/${domain}.key" \
"${acmehome}/${domain}/fullchain.cer" \
"${dhparams}" > "${acmehome}/${domain}/hitch-bundle.pem"

and when I run:

acme.sh --issue -d mydomain.com -d '*.mydomain.com' --renew-hook '/usr/local/bin/hitch-renew-hook' --post-hook 'systemctl reload hitch' --dns dns_dynu --force

the certificate creation is successful but it doesn't create my hitch-bundle.pem file

NOTE: When the certificate is created I get this final output:

[Thu Apr 26 18:47:32 UTC 2018] Your cert is in /root/.acme.sh/mydomain.com/mydomain.com.cer
[Thu Apr 26 18:47:32 UTC 2018] Your cert key is in /root/.acme.sh/mydomain.com/mydomain.com.key
[Thu Apr 26 18:47:32 UTC 2018] The intermediate CA cert is in /root/.acme.sh/mydomain.com/ca.cer
[Thu Apr 26 18:47:32 UTC 2018] And the full chain certs is there: /root/.acme.sh/mydomain.com/fullchain.cer
[Thu Apr 26 18:47:34 UTC 2018] Run post hook:'systemctl reload hitch'

The output says nothing about "Run renew hook: ..."

farces commented 6 years ago

That's right - during an --issue action the --renew-hook script isn't run as technically the certificate is only issued, not renewed.

It's not ideal but what I do when issuing a new certificate is immediately force a renewal with --renew --force to trigger the renew hook. You can also run your script manually the first time from the certificate directory.

FYI if $(pwd) is correct you can replace your ${acmehome}/${domain}/fullchain.cer code with just $(pwd)/fullchain.cer and not have to hard-code your acmehome directory in the script, if portability is important e.g. if you decide to run under Docker.
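A hardened version of the hook discussed in this thread, written as an added example rather than code from the thread or from acme.sh: it takes the certificate directory from $RENEWED_LINEAGE under certbot and from the working directory under acme.sh (which, as noted above, runs --renew-hook inside the certificate directory), refuses to run when any input is missing, and writes the bundle through a temp file with 0600 permissions so a failed run never truncates the bundle hitch is serving. The dhparams path and the hook name hitch-renew-hook come from the thread; the overridable DHPARAMS variable is an assumption.

```shell
#!/bin/sh
# Hypothetical renew hook (added example, not code from the thread or acme.sh).
# Works under both certbot ($RENEWED_LINEAGE) and acme.sh (cwd is the cert dir).

: "${DHPARAMS:=/etc/hitch/dhparams.pem}"   # assumed location, override via env

# Print the certificate directory: certbot's variable if set, else the cwd.
cert_dir() {
    if [ -n "${RENEWED_LINEAGE:-}" ]; then
        printf '%s\n' "$RENEWED_LINEAGE"
    else
        pwd
    fi
}

# build_bundle DIR DOMAIN DHPARAMS OUT
# Concatenate DIR/DOMAIN.key, DIR/fullchain.cer and DHPARAMS into OUT.
# Every input must exist and be non-empty; the bundle is written 0600 to a
# temp file and renamed into place, so a failure leaves the old bundle intact.
build_bundle() {
    dir=$1 domain=$2 dh=$3 out=$4
    for f in "$dir/$domain.key" "$dir/fullchain.cer" "$dh"; do
        [ -s "$f" ] || { echo "build_bundle: missing or empty $f" >&2; return 1; }
    done
    tmp="$out.tmp.$$"
    # Subshell keeps the restrictive umask from leaking into the caller.
    ( umask 077 && cat "$dir/$domain.key" "$dir/fullchain.cer" "$dh" > "$tmp" ) \
        || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$out"
}

main() {
    dir=$(cert_dir)
    domain=$(basename "$dir")   # acme.sh names the directory after the domain
    build_bundle "$dir" "$domain" "$DHPARAMS" "$dir/hitch-bundle.pem"
}

# Only act when invoked under the hook name used in the thread; when sourced
# under another name the functions are merely defined.
case "${0##*/}" in
    hitch-renew-hook) main ;;
esac
```

Install it as /usr/local/bin/hitch-renew-hook and pass it to --renew-hook as in the thread; the same file also works unchanged as a certbot renew hook.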