On 27 August 2017 02:30:51 GMT+02:00, "Canek Peláez Valdés" <can...@gmail.com> wrote:
>On Sat, Aug 26, 2017 at 1:40 AM, Ian Zimmerman <i...@very.loosely.org> wrote:
>>
>> I don't understand the letsencrypt certbot renewal process, specifically
>> the hooks.
>>
>> I have two certificates: one for webserver, one for mailserver. I got
>> them only very recently so until now the renewal cronjob has always
>> been a no-op, but the real thing will happen very soon. When it does,
>> presumably I need to have both daemons restarted so that they read the
>> renewed certificates. So, how do I do this? Right now my cronjob is
>> just
>>
>> certbot renew -n --standalone --preferred-challenges tls-sni
>>
>> which should renew any and all certificates when they're "close" to
>> expiring. But the documentation doesn't say if I can have multiple
>> --pre-hook and --post-hook options and what the semantics would be. The
>> closest it comes is:
>>
>> When renewing several certificates that have identical pre-hooks, only
>> the first will be executed.
>>
>> which doesn't make any sense: what does it mean for a certificate to
>> "have" a pre-hook? The pre-hook is just there on the command line;
>> there is no association with a particular certificate that a machine
>> could infer.
>>
>> The cop-out solution is to have a single pre-hook and a single
>> post-hook, which stop (resp. start) both daemons, but that is ugly. How
>> do people handle this?
>
>I just need to restart apache, so my daily cron job is:
>
>certbot renew --standalone --quiet \
>  --pre-hook 'systemctl stop apache2.service' \
>  --post-hook 'systemctl start apache2.service'
>
>With systemd, I just need one command to stop/start/restart several
>services. With OpenRC I suppose you could do:
>
>certbot renew --standalone --quiet \
>  --pre-hook '/etc/init.d/apache2 stop && /etc/init.d/postfix stop' \
>  --post-hook '/etc/init.d/apache2 start && /etc/init.d/postfix start'
>
>The documentation says that the hooks are "command to be run in a shell",
>so it should work.
>
>Another solution is to have a simple script:
>
>#!/bin/sh
># Controls apache and postfix: /usr/local/bin/certbot-aux
># Takes exactly one argument, the init action (stop, start, restart, ...).
>
>if [ $# != 1 ]; then
>  echo 'Need a parameter'
>  exit 1
>fi
>
>/etc/init.d/apache2 "$1"
>/etc/init.d/postfix "$1"
>
>And then the cron job is:
>
>certbot renew --standalone --quiet \
>  --pre-hook '/usr/local/bin/certbot-aux stop' \
>  --post-hook '/usr/local/bin/certbot-aux start'
>
>Regards.
>--
>Dr. Canek Peláez Valdés
>Profesor de Carrera Asociado C
>Departamento de Matemáticas
>Facultad de Ciencias
>Universidad Nacional Autónoma de México
Your postfix is dependent on apache? The same can be easily configured with openrc. Having both controlled separately makes more sense to me though.

--
Joost

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
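Added example, not code from anyone in the thread. The documentation sentence Ian quotes refers to the hooks certbot records in each certificate's renewal configuration under /etc/letsencrypt/renewal/; a --pre-hook or --post-hook given on the `certbot renew` command line applies to every lineage, and certbot deduplicates identical hook command strings, so the stop/start pair runs once for the whole run, as in Canek's answer. The per-certificate option is --deploy-hook (--renew-hook in older certbot releases), which certbot runs once for each certificate that actually renewed, with RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS set in the environment. The script below uses that to restart only the daemons that read the renewed certificate, and fails loudly for a lineage it does not know about. The hostnames, service names and the lineage-to-service map are illustrative assumptions; certbot runs hooks as root, so the file should be root-owned and not writable by anyone else.

```shell
#!/bin/sh
# Added example, not from the thread: a certbot --deploy-hook that restarts
# only the daemons using the certificate that was just renewed.
#
# certbot runs the deploy hook once per renewed certificate with
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/www.example.org) and
# RENEWED_DOMAINS in the environment. The hook runs as root, so install this
# file root-owned, mode 0755, in a directory other users cannot write to.
#
# The hostnames, service names and the mapping below are assumptions for
# illustration; adjust them to the certificates and daemons on your host.

# Print the space-separated services that read the given lineage's files.
# Prints nothing for a lineage that is not in the map.
services_for_lineage() {
    case "${1##*/}" in
        www.example.org)  echo "apache2" ;;
        mail.example.org) echo "postfix dovecot" ;;
        *)                echo "" ;;
    esac
}

# Print the service-manager command line for one action on one service.
# INIT_SYSTEM selects the syntax: "openrc" (the thread's Gentoo setup, the
# default here) or "systemd".
service_command() {
    case "${INIT_SYSTEM:-openrc}" in
        systemd) echo "systemctl $1 $2.service" ;;
        *)       echo "/etc/init.d/$2 $1" ;;
    esac
}

# Restart every service mapped to $RENEWED_LINEAGE. With DRY_RUN=1 the
# commands are printed instead of executed. Returns 1 for an unmapped
# lineage so that a certificate nobody restarts for shows up in cron mail
# instead of being served stale until the daemon happens to restart.
deploy_hook() {
    lineage="${RENEWED_LINEAGE:?certbot did not set RENEWED_LINEAGE}"
    services=$(services_for_lineage "$lineage")
    if [ -z "$services" ]; then
        echo "certbot-deploy-hook: no services mapped for $lineage" >&2
        return 1
    fi
    for svc in $services; do
        cmd=$(service_command restart "$svc")
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            $cmd || return 1
        fi
    done
}

# Only act when certbot invoked us; sourcing the file for its functions
# (for example from a test) is a no-op.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```

Invoke it as `certbot renew --standalone --deploy-hook /usr/local/bin/certbot-deploy-hook` (path assumed). With --standalone, certbot still needs the port the web server is listening on, so Canek's --pre-hook that stops apache stays; only the "bring things back with the new certificate" step moves into the deploy hook, which runs once per renewed lineage, so renewing only the mail certificate never touches apache. Using the webroot authenticator instead of --standalone removes the need to stop the web server at all. For anyone reading this later: Let's Encrypt retired the tls-sni challenge used in Ian's command (disabled for new issuance in 2018, removed in 2019), so --preferred-challenges http or dns is what a current setup would use.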