6

I have installed certbot, and certbot makes it's own systemd service file "certbot.service" for auto cert renew, which is started trough a .timer file once a day.

After this "certbot.service" is sucessfully executed I like to execute a second one ("cert-copy-after-certbot.service") that copys the certificate to another place.

Currently my setting looks like this:

"certbot.service" (gernerated by certbot):

pi@raspberrypi:/lib/systemd/system $ cat certbot.service
[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true

"cert-copy-after-certbot.service":

pi@raspberrypi:/etc/systemd/system $ cat cert-copy-after-certbot.service
[Unit]
Description=crt update after certbot has run
Wants=certbot.service
After=certbot.service

[Service]
Type=simple
ExecStart=/bin/sh -c "cat /etc/letsencrypt/live/<mydomain>/privkey.pem  /etc/letsencrypt/live/<mydomain>/fullchain.pem > /etc/ejabberd/ejabberd.pem"

If i run this files with:

systemctl start <unitname>

Both services are working.

But when I start certbot with "systemctl start certbot" and check

systemctl status cert-copy-after-certbot

the cert-copy-after-certbot.service didn't run.

Did i configured something wrong?

chao-samu
  • 153
  • 2
  • 7
  • Note that Certbot now supports [hooks](https://certbot.eff.org/docs/using.html#renewing-certificates) to allow you to perform actions such as deploying certificates to other services after a successful renewal. – Sean Jun 29 '21 at 14:51

2 Answers2

7

I found the solution, so here the answer just if someone has the same issue.

The problem is that the "certbot.service" unit don't know about "cert-copy-after-certbot.service". So if "certbot.service" is called no one calls the inactive "cert-copy-after-certbot.service" because the "Wants=" is never executed.

So if you don't wan't to alter the "certbot.service" unit (with "Wants=cert-copy-after-certbot.service", you can do the following.

Add an additional [Install] section in "cert-copy-after-certbot.service", with a line "WantedBy=cerbot.service". So that the file look like this:

pi@raspberrypi:/etc/systemd/system $ cat cert-copy-after-certbot.service
[Unit]
Description=crt update after certbot has run
After=certbot.service

[Service]
Type=simple
ExecStart=/bin/sh -c "cat /etc/letsencrypt/live/<mydomain>/privkey.pem/etc/letsencrypt/live/<mydomain>/fullchain.pem > /etc/ejabberd/ejabberd.pem"

[Install]
WantedBy=certbot.service

An install section requires an enable or disable call by systemctl (or start or stop for temporary testing).

systemctl enable cert-copy-after-certbot

This [Install] section will create a symbolic link as soon as you enable the unit that informs the systemd deamon if "certbot.service" is called, he have to call "cert-copy-after-certbot.service" to. (And the "After=" in the unit section tells systemd the row in which the sould called, without it, both units would run simultaneously)

chao-samu
  • 153
  • 2
  • 7
-1

You might find that cert-copy-after-certbot.service is started before cerbot.service is complete unless you also set RemainAfterExit=yes in cerbot.service

Sam Liddicott
  • 1,265
  • 12
  • 24