Open alexandre1985 opened 6 years ago
For --renew-hook (right now) acme.sh changes directory to the certificate directory (equivalent of $RENEWED_LINEAGE) before running your hook, so you should be able to use $(pwd) in its place. I'm not sure if that's subject to change, but it's how I've been running things for the moment.
It's slightly simpler using a --deploy-hook script ($* includes all the important info) but I couldn't find solid info on when it runs and wanted to avoid deployment on a non-renewal.
My script right now is:
```bash
#!/bin/bash
# Full path to pre-generated Diffie Hellman Parameters file
dhparams=/etc/hitch/dhparams.pem
acmehome=/root/.acme.sh
# acme.sh runs the renew hook from inside the certificate directory,
# so its basename is the domain name
domain=$(basename "$(pwd)")
# Disable filename globbing ("set noglob" would only set "$1" to the word noglob)
set -f
if [[ "${domain}" == "" ]]; then
    echo "Error: missing domain variable." >&2
    exit 1
fi
# The bundle contains the private key, so create it readable by the owner only
umask 077
cat "${acmehome}/${domain}/${domain}.key" \
    "${acmehome}/${domain}/fullchain.cer" \
    "${dhparams}" > "${acmehome}/${domain}/hitch-bundle.pem"
```
and when I run:
```sh
acme.sh --issue -d mydomain.com -d '*.mydomain.com' --renew-hook '/usr/local/bin/hitch-renew-hook' --post-hook 'systemctl reload hitch' --dns dns_dynu --force
```
the certificate creation is successful but it doesn't create my hitch-bundle.pem file.
NOTE: When the certificate is created I get this final output:
```
[Thu Apr 26 18:47:32 UTC 2018] Your cert is in /root/.acme.sh/mydomain.com/mydomain.com.cer
[Thu Apr 26 18:47:32 UTC 2018] Your cert key is in /root/.acme.sh/mydomain.com/mydomain.com.key
[Thu Apr 26 18:47:32 UTC 2018] The intermediate CA cert is in /root/.acme.sh/mydomain.com/ca.cer
[Thu Apr 26 18:47:32 UTC 2018] And the full chain certs is there: /root/.acme.sh/mydomain.com/fullchain.cer
[Thu Apr 26 18:47:34 UTC 2018] Run post hook:'systemctl reload hitch'
```
The output says nothing about "Run renew hook: ..."
That's right - during an --issue action the --renew-hook script isn't run as technically the certificate is only issued, not renewed.
It's not ideal but what I do when issuing a new certificate is immediately force a renewal with --renew --force to trigger the renew hook. You can also run your script manually the first time from the certificate directory.
FYI if $(pwd) is correct you can replace your ${acmehome}/${domain}/fullchain.cer code with just $(pwd)/fullchain.cer and not have to hard-code your acmehome directory in the script, if portability is important e.g. if you decide to run under Docker.
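A hook that follows both suggestions in this thread, written here as an added example (it is not the poster's script and not part of acme.sh): it takes the certificate directory from the current directory when acme.sh invokes it, but also accepts the directory as an argument so it can be run by hand after the first --issue, checks that every input exists and is non-empty before touching the bundle, and writes the bundle atomically with owner-only permissions. The default dhparams path and the hook filename hitch-renew-hook come from the thread; the function and argument names are my own.

```shell
#!/bin/sh
# Build the hitch bundle (private key + full chain + DH params) for one
# acme.sh certificate directory. Usable as --renew-hook (cwd is the cert
# directory) or by hand: hitch-renew-hook /root/.acme.sh/mydomain.com
set -u

# make_hitch_bundle CERT_DIR [DHPARAMS] [OUT]
# Writes OUT (default CERT_DIR/hitch-bundle.pem) with mode 0600, replacing
# it atomically. Returns 1, leaving OUT untouched, if any input is missing
# or empty (e.g. a directory where no certificate has been issued yet).
make_hitch_bundle() {
    dir=$1
    dh=${2:-/etc/hitch/dhparams.pem}
    out=${3:-$dir/hitch-bundle.pem}
    domain=$(basename "$dir")          # acme.sh names the dir after the domain
    key="$dir/$domain.key"
    chain="$dir/fullchain.cer"
    for f in "$key" "$chain" "$dh"; do
        if [ ! -s "$f" ]; then
            echo "Error: missing or empty $f" >&2
            return 1
        fi
    done
    # Create the temp file owner-only in a subshell so the caller's umask is
    # unchanged; mv makes the replacement atomic, so hitch never sees a
    # half-written bundle.
    (
        umask 077
        tmp=$(mktemp "$dir/.hitch-bundle.XXXXXX") || exit 1
        if cat "$key" "$chain" "$dh" > "$tmp"; then
            chmod 600 "$tmp" && mv -f "$tmp" "$out"
        else
            rm -f "$tmp"
            exit 1
        fi
    )
}

# Run only when installed under the hook's name; when sourced under another
# name (e.g. for testing) only the function is defined.
case $(basename "$0") in
    hitch-renew-hook) make_hitch_bundle "${1:-$(pwd)}" "${2:-}" || exit 1 ;;
esac
```

Because acme.sh does not run --renew-hook on --issue, call it once by hand with the certificate directory (or force a renewal as described above) to create the first bundle.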
I am running a script on --renew-hook and that script is this: The script works with certbot --renew-hook but in acme.sh it isn't doing what it is supposed to do (can't find hitch-bundle.pem). I believe the problem is that ${RENEWED_LINEAGE} is a certbot variable only, and in acme.sh I need a similar variable to get the directory of the certificates.