Certbot and DNS with BIND and Windows: Difference between revisions
Revision as of 21:50, 1 August 2025
What a blessed hassle it is. Here's what needs to be done.
The below script, when run;
Big ASH Gotcha!
If you use the preconfigured directory structure Let's Encrypt / Certbot provides in /etc/letsencrypt/renewal-hooks, watch out!
Whenever `certbot renew` finds a certificate that is actually due, it runs every executable it finds in /etc/letsencrypt/renewal-hooks/pre/ (before the first renewal), /etc/letsencrypt/renewal-hooks/deploy/ (after each successful renewal) and /etc/letsencrypt/renewal-hooks/post/ (once after all renewals), whether or not any renewal config mentions them. A file like /etc/letsencrypt/renewal-hooks/pre/WhatEver.sh runs simply because it sits in that directory.
Now take the renewal config below, /etc/letsencrypt/renewal/WhatEverRenewalFile (CERTBOT WRITES THIS ITSELF, as /etc/letsencrypt/renewal/<certificate name>.conf, WHEN IT FIRST OBTAINS THE CERTIFICATE!!!):
<syntaxhighlight lang="text">
# renew_before_expiry = 30 days
version = 2.9.0
archive_dir = /etc/letsencrypt/archive/WhatEverDomain.com
cert = /etc/letsencrypt/live/WhatEverDomain.com/cert.pem
privkey = /etc/letsencrypt/live/WhatEverDomain.com/privkey.pem
chain = /etc/letsencrypt/live/WhatEverDomain.com/chain.pem
fullchain = /etc/letsencrypt/live/WhatEverDomain.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = WhatEverAccountNumber
pref_challs = dns-01,
authenticator = manual
manual_auth_hook = /etc/letsencrypt/renewal-hooks/pre/ManualAuth.sh
manual_cleanup_hook = /etc/letsencrypt/renewal-hooks/post/ManualCleanUp.sh
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
</syntaxhighlight>
Guess how many times ManualAuth.sh, sitting in /etc/letsencrypt/renewal-hooks/pre/, runs during one `certbot renew`? Once, as the renewal config above suggests? Nope, at least TWICE!
First certbot runs it as a generic pre-hook, purely because it is in renewal-hooks/pre/, with none of the CERTBOT_DOMAIN / CERTBOT_VALIDATION variables set (so a script that blindly writes a TXT record writes garbage, or dies on the empty variables). Then it runs it again as the manual_auth_hook, once per name in the certificate, this time with those variables set. ManualCleanUp.sh in renewal-hooks/post/ gets the same treatment. Woof!
LESSON LEARNED: Put manual_auth_hook / manual_cleanup_hook scripts in a CUSTOM directory, anywhere outside /etc/letsencrypt/renewal-hooks/, NOT in the one provided by Let's Encrypt! Keep renewal-hooks/ for things that really should run for every certificate on the box (a service reload in renewal-hooks/deploy/, say), and have the manual hooks refuse to touch DNS when CERTBOT_DOMAIN is unset, so a stray copy cannot do damage.
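As an added example (not the page's own script and not something Certbot ships), here is the shape of a DNS-01 hook for a BIND zone updated through nsupdate that lives outside renewal-hooks/ and detects the double run described above. The install path /etc/letsencrypt/custom-hooks/dns01.sh, the TSIG key file, the name server ns1.WhatEverDomain.com, the zone name and the DNS01_* override variables are assumptions of the example; CERTBOT_DOMAIN and CERTBOT_VALIDATION are the variables certbot really exports to manual hooks.

```shell
#!/bin/sh
# dns01.sh: DNS-01 auth/cleanup hook for a BIND zone driven through nsupdate.
# Added example for this page, not the page's own script and not part of Certbot.
# Assumed/hypothetical: the install path /etc/letsencrypt/custom-hooks/dns01.sh,
# the TSIG key file, the name server, the zone name and the DNS01_* overrides.
# CERTBOT_DOMAIN / CERTBOT_VALIDATION are the variables certbot really exports
# when it invokes a --manual-auth-hook or --manual-cleanup-hook.
set -eu

NS_SERVER="${DNS01_SERVER:-ns1.WhatEverDomain.com}"                   # assumption
NS_ZONE="${DNS01_ZONE:-WhatEverDomain.com}"                           # assumption
TSIG_KEY="${DNS01_TSIG_KEY:-/etc/letsencrypt/custom-hooks/tsig.key}"  # assumption
TXT_TTL=60

# Which way were we called? As a manual hook certbot sets both variables; as a
# stray copy under /etc/letsencrypt/renewal-hooks/pre/ it sets neither.
hook_role() {
  if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    echo manual
  else
    echo generic
  fi
}

# Owner name of the TXT record the ACME server will look up for domain $1.
challenge_name() {
  printf '_acme-challenge.%s.\n' "$1"
}

# Build the nsupdate batch: $1 = add|del, $2 = domain, $3 = validation token.
# Printed rather than executed so it can be inspected (and tested) offline.
nsupdate_batch() {
  printf 'server %s\n' "$NS_SERVER"
  printf 'zone %s\n' "$NS_ZONE"
  if [ "$1" = add ]; then
    printf 'update add %s %s IN TXT "%s"\n' "$(challenge_name "$2")" "$TXT_TTL" "$3"
  else
    printf 'update delete %s IN TXT "%s"\n' "$(challenge_name "$2")" "$3"
  fi
  printf 'send\n'
}

# Poll the authoritative server (bounded) until the TXT record is visible, so
# certbot does not ask Let's Encrypt to validate before the update has landed.
wait_for_txt() {
  n=0
  while [ "$n" -lt 30 ]; do
    if dig +short TXT "$(challenge_name "$1")" "@$NS_SERVER" | grep -qF "\"$2\""; then
      return 0
    fi
    n=$((n + 1)); sleep 2
  done
  return 1
}

# Audit a renewal config: any hook it names under /etc/letsencrypt/renewal-hooks/
# is ALSO run by `certbot renew` as a generic directory hook, i.e. the double run.
# Prints the offending lines and returns 1; returns 0 when the config is clean.
check_renewal_conf() {
  bad=$(grep -E '^[[:space:]]*(manual_auth_hook|manual_cleanup_hook|pre_hook|post_hook|renew_hook)[[:space:]]*=[[:space:]]*/etc/letsencrypt/renewal-hooks/' "$1" || true)
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad"
    return 1
  fi
  return 0
}

main() {
  if [ "$(hook_role)" = generic ]; then
    echo "dns01.sh: CERTBOT_DOMAIN/CERTBOT_VALIDATION unset: called as a generic renewal-hooks/ script, not as a manual hook. Not touching DNS." >&2
    return 1
  fi
  batch=$(nsupdate_batch "$1" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION")
  if [ -n "${DNS01_DRY_RUN:-}" ]; then
    printf '%s\n' "$batch"
    return 0
  fi
  printf '%s\n' "$batch" | nsupdate -k "$TSIG_KEY"
  if [ "$1" = add ]; then
    wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
  fi
}

# Only act when given an explicit verb; running or sourcing the file bare just
# defines the functions and touches nothing.
case "${1:-}" in
  add|del) main "$1" ;;
  audit)   check_renewal_conf "${2:?path to a renewal .conf}" ;;
esac
```

Point the renewal config at it with `manual_auth_hook = /etc/letsencrypt/custom-hooks/dns01.sh add` and `manual_cleanup_hook = /etc/letsencrypt/custom-hooks/dns01.sh del` (or pass the same values as `--manual-auth-hook` / `--manual-cleanup-hook` on the first `certbot certonly`, and certbot writes them into the .conf for you). `DNS01_DRY_RUN=1 CERTBOT_DOMAIN=WhatEverDomain.com CERTBOT_VALIDATION=xyz /etc/letsencrypt/custom-hooks/dns01.sh add` prints the nsupdate batch instead of sending it, and `/etc/letsencrypt/custom-hooks/dns01.sh audit /etc/letsencrypt/renewal/<name>.conf` flags any hook line that still points into renewal-hooks/.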