Run commands after SSL cert renewal

Hello!

I run DNS over TLS for BIND.

BIND uses one of the certificates of a Virtualmin domain.

By default BIND cannot read these certificates because of a permissions issue, and thus BIND will fail to start.

I fix it with these commands:

setfacl -R -m u:named:rX /etc/letsencrypt/{live,archive}/
setfacl -m u:named:rX /etc/letsencrypt/{live,archive}

Can I use certbot renew --deploy-hook for this or do I need to use something virtualmin specific?

I want to have a script that runs those commands after renewal.

Or how can I make the permissions for those folders and certs persistent?

You cannot use certbot directly for certificate management if Virtualmin is managing your certs.

See this discussion of the same question: Custom actions with Virtualmin's Letsencypt renewals? - #2 by Joe

So like this?

if [ "$VIRTUALSERVER_ACTION" = "SSL_DOMAIN" ]; then
	setfacl -R -m u:named:rX /etc/letsencrypt/{live,archive}/
	setfacl -m u:named:rX /etc/letsencrypt/{live,archive}
fi

If so where do I put this?

I answered that question in that thread, too. Custom actions with Virtualmin's Letsencypt renewals? - #4 by Joe

It doesn’t matter where you put it, as long as Virtualmin has the full path to find it in the command to run field.

I usually put this kind of thing in /usr/local/bin or /usr/local/sbin, but it doesn’t matter as long as you tell Virtualmin where to find it.

So now I created:

#!/bin/bash
if [ "$VIRTUALSERVER_ACTION" = "SSL_DOMAIN" ]; then
	setfacl -R -m u:named:rX /etc/letsencrypt/{live,archive}/
	setfacl -m u:named:rX /etc/letsencrypt/{live,archive}
fi

and chmod +x namedpermissions.sh

and put the path in Command to run after making changes to a server

Does it know that "$VIRTUALSERVER_ACTION" = "SSL_DOMAIN" is in reference to itself? In other words, does it know that the command refers to itself for something that it was doing previously? Which is the whole point, I guess.

This is a bit over my head, maybe I will just run a cron.

I don’t think I understand what you mean. That is a variable that is set by Virtualmin before it runs any command that has been configured to run. As discussed in that thread, when a certificate is renewed, the variable will be set to SSL_DOMAIN, and when a new domain is created it will be set to CREATE_DOMAIN, etc.

A script like this won’t do anything if called without that variable set (as it will never satisfy the test condition of being equal to SSL_DOMAIN, as it will be empty).
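A fuller version of that hook, as an added example that is not from this thread or from Virtualmin: it keeps the SSL_DOMAIN test, applies the same ACLs, and then checks that the named user can actually read each live private key so a silent failure shows up in the log. It assumes the named user, the /etc/letsencrypt layout above, that setfacl and runuser are installed, and that Virtualmin exports VIRTUALSERVER_ACTION as described.

```shell
#!/bin/bash
# Virtualmin "command to run after making changes": re-grant the BIND user
# read access to the Let's Encrypt directories after a renewal and verify it.
# Added example (not from the thread); assumes user "named", the
# /etc/letsencrypt layout, and Virtualmin exporting VIRTUALSERVER_ACTION.
set -u

ACL_USER="${ACL_USER:-named}"
LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"

# Decide whether a Virtualmin action should trigger the ACL refresh.
# Only the certificate action qualifies; an empty value (script run by hand,
# or outside Virtualmin) returns 1 and the script does nothing.
hook_applies() {
  case "${1:-}" in
    SSL_DOMAIN) return 0 ;;
    *) return 1 ;;
  esac
}

# Grant read + directory-traverse to ACL_USER on live/ and archive/.
# Note: this reads every key under LE_ROOT; narrow LE_ROOT if BIND only
# needs one domain's certificate.
apply_acls() {
  local root="$1" d
  for d in live archive; do
    [ -d "$root/$d" ] || { echo "missing $root/$d" >&2; return 1; }
    setfacl -m "u:$ACL_USER:rX" "$root/$d" || return 1
    setfacl -R -m "u:$ACL_USER:rX" "$root/$d" || return 1
  done
}

# Verify as ACL_USER that each live private key is readable; a chmod by the
# renewal can reset the ACL mask and leave the entry ineffective.
verify_readable() {
  local root="$1" f rc=0
  for f in "$root"/live/*/privkey.pem; do
    [ -e "$f" ] || continue
    if ! runuser -u "$ACL_USER" -- test -r "$f"; then
      echo "$ACL_USER cannot read $f" >&2; rc=1
    fi
  done
  return $rc
}

if hook_applies "${VIRTUALSERVER_ACTION:-}"; then
  apply_acls "$LE_ROOT" && verify_readable "$LE_ROOT" \
    && echo "ACLs refreshed for $ACL_USER under $LE_ROOT" \
    || { echo "ACL refresh failed" >&2; exit 1; }
fi
```

Run it once by hand with VIRTUALSERVER_ACTION=SSL_DOMAIN to confirm the verify step passes before relying on it from Virtualmin.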