hsmade / certbot-dns-transip

Certbot plugin to authenticate using dns TXT records via Transip API

automated renewal #60

Open jasperf opened 2 months ago

jasperf commented 2 months ago

How do you do automated renewals? With a shell script in a crontab run by root like:

#!/bin/bash

# Log file location
LOG_FILE="/var/log/letsencrypt/renew.log"

# Run the Docker command to renew certificates.
# No -ti here: cron provides no TTY, and `docker run -t` fails without one.
docker run --rm \
    -v "/etc/letsencrypt:/etc/letsencrypt" \
    -w /etc/letsencrypt \
    hsmade/certbot-transip \
    certonly -n \
    -d '*.domain.com' -d 'domain.com' \
    -a dns-transip \
    --dns-transip-credentials /etc/letsencrypt/transip.ini \
    --dns-transip-propagation-seconds 240 \
    -m admin@domain.com \
    --agree-tos \
    --eff-email >> "$LOG_FILE" 2>&1

# Check the exit code of the Docker command
if [ $? -eq 0 ]; then
    echo "[$(date)] Certificate renewal successful. Reloading Nginx..." >> "$LOG_FILE"
    # Use the systemctl reload command
    systemctl reload nginx >> "$LOG_FILE" 2>&1
else
    echo "[$(date)] Certificate renewal failed. Check the logs for more details." >> "$LOG_FILE"
    # Collect additional system info
    echo -e "\nSystem Info:" >> "$LOG_FILE"
    uname -a >> "$LOG_FILE"
    df -h >> "$LOG_FILE"
    free -m >> "$LOG_FILE"

    # Send an email notification on failure with detailed information
    SUBJECT="Certbot Renewal Failed for domain.com"
    EMAIL="admin@domain.com"
    BODY="The automatic renewal of the SSL certificate for domain.com has failed.\n\nLog Details:\n$(cat "$LOG_FILE")"
    # Quote $BODY so the shell does not word-split the message
    echo -e "$BODY" | mail -s "$SUBJECT" "$EMAIL"
fi

Or do you use another way? Normally the reload is done with a post script in the cronjob, as root, like

0 5 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl reload nginx"

Shell script not tested yet, but just wondering how you all take care of this.

jasperf commented 2 months ago

Split matters into two crontabs, one to run the Docker image command and one for reloading, but perhaps a renewal hook can be used in /etc/letsencrypt/renewal/example.com.conf, with this under

[renewalparams]:
renew_hook = systemctl reload nginx

But not sure if the Docker image picks up on that.

Using the hook in the Docker image seems to fail, however:

docker run -ti --rm \
    -v "/etc/letsencrypt:/etc/letsencrypt" \
    -w /etc/letsencrypt \
    hsmade/certbot-transip \
    certonly -n --dry-run -v \
    -d '*.domain.com' -d 'domain.com' \
    -a dns-transip \
    --dns-transip-credentials /etc/letsencrypt/transip.ini \
    --dns-transip-propagation-seconds 240 \
    -m admin@domain.com \
    --agree-tos \
    --eff-email \
    --post-hook "nginx -s reload"
Unable to find post-hook command nginx in the PATH.
(PATH is /usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-voxmd2q0/log or re-run Certbot with -v for more details.

But I guess that is because Nginx is on the host system.

jasperf commented 2 months ago

No, I cannot add a hook to the host system's /etc/letsencrypt/renewal/example.com.conf either, as Docker will not be able to read from it. So I think I have to stick to running the Docker command as a shell script via one cronjob and the Nginx reload via another.
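An added example (not code from the repository or from the issue author) of a single host-side cron script for the setup discussed above: it runs the dockerized certbot and reloads nginx on the host only when the certificate on the shared /etc/letsencrypt volume actually changed, so the reload does not depend on a hook inside the container. The live directory, log path and domain are assumptions.

```bash
#!/bin/bash
# Added example (not the repo's or the issue author's code): run the
# dockerized certbot from cron, then reload nginx on the host only if the
# certificate on the shared volume actually changed. Paths are assumptions.
set -u
LIVE_DIR="/etc/letsencrypt/live/domain.com"   # assumption
LOG_FILE="/var/log/letsencrypt/renew.log"     # assumption

# Fingerprint a cert file; prints "missing" if it is absent or unreadable.
cert_fingerprint() {
    [ -r "$1" ] || { echo "missing"; return 0; }
    sha256sum "$1" | cut -d' ' -f1
}

# A reload is warranted only when the fingerprint changed to a real value.
cert_changed() {
    [ "$1" != "$2" ] && [ "$2" != "missing" ]
}

run_certbot() {
    # No -t: cron has no TTY and `docker run -t` fails without one.
    docker run --rm \
        -v /etc/letsencrypt:/etc/letsencrypt \
        -w /etc/letsencrypt \
        hsmade/certbot-transip \
        certonly -n \
        -d '*.domain.com' -d 'domain.com' \
        -a dns-transip \
        --dns-transip-credentials /etc/letsencrypt/transip.ini \
        --dns-transip-propagation-seconds 240 \
        -m admin@domain.com --agree-tos --eff-email
}

main() {
    before=$(cert_fingerprint "$LIVE_DIR/fullchain.pem")
    if ! run_certbot >>"$LOG_FILE" 2>&1; then
        echo "[$(date)] certbot failed, nginx left untouched" >>"$LOG_FILE"
        return 1
    fi
    after=$(cert_fingerprint "$LIVE_DIR/fullchain.pem")
    if cert_changed "$before" "$after"; then
        echo "[$(date)] certificate changed, reloading nginx" >>"$LOG_FILE"
        systemctl reload nginx >>"$LOG_FILE" 2>&1
    else
        echo "[$(date)] certificate unchanged, no reload" >>"$LOG_FILE"
    fi
}
# Only act when asked (cron: renew-transip.sh renew); sourcing is side-effect free.
if [ "${1:-}" = "renew" ]; then main; fi
```

The cron entry then becomes a single root job, e.g. `0 5 * * * /usr/local/bin/renew-transip.sh renew`, and nginx is only reloaded on a real renewal instead of on every run.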