The letsencrypt::certonly defined resource produces a script with the certbot command. One of the features is to have a "cron_success_command". Let's say it is "systemctl restart httpd".
The command looks like:
certbot --keep-until-expiring --text --agree-tos --non-interactive certonly.....-d <domain> -d <domain2> --eab-kid <key id> --eab-hmac-key <key> 2>&1 | logger -t letsencrypt-new && (systemctl restart httpd)
However, if the cron runs, and certbot finds it has nothing to do:
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme.sectigo.com
Cert not yet due for renewal
Keeping the existing certificate
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal; no action taken.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
That still exits with status 0.
Not only that, the certbot output is piped through logger, and the exit status of a pipeline is the status of its last command. logger exits 0 whether certbot returned 0 or not (the generated script does not use set -o pipefail), so the && never sees a certbot failure.
So, no matter what, the cron_success_command runs. That means the service is being restarted/reloaded/etc. even if nothing changed, and even if the certbot command itself fails.
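To make the failure mode concrete, here is an added, self-contained shell demonstration (not code from the puppet-letsencrypt module). It uses a constructed fake_certbot and fake_logger so it runs offline, reproduces the "certbot | logger && restart" pipeline whose status is always 0, and shows a gated alternative that only signals success when certbot exited 0 and the certificate file on disk actually changed. The sandbox directory, the fingerprint helper and the scenario names are assumptions for the demo; in real deployments certbot's own --deploy-hook, which runs only when a certificate is issued or renewed, is the cleaner way to trigger the restart.

```sh
#!/bin/sh
# Added example: why `certbot ... 2>&1 | logger -t tag && cmd` runs cmd
# unconditionally, and how to gate cmd on a real renewal instead.

# Constructed sandbox standing in for /etc/letsencrypt/live/<domain>/ (assumption).
LIVE_DIR="${TMPDIR:-/tmp}/certonly-demo.$$"
mkdir -p "$LIVE_DIR"
printf 'OLD CERT\n' > "$LIVE_DIR/fullchain.pem"
trap 'rm -rf "$LIVE_DIR"' EXIT

# fake_certbot: hypothetical stand-in for `certbot certonly ...`.
# $1 selects the outcome: noop (not due), renewed (new cert written), fail (exit 1).
fake_certbot() {
  case "$1" in
    noop)
      echo "Certificate not yet due for renewal; no action taken."
      return 0 ;;
    renewed)
      echo "Congratulations! Your certificate and chain have been saved."
      printf 'NEW CERT\n' >> "$LIVE_DIR/fullchain.pem"   # cert on disk changes
      return 0 ;;
    fail)
      echo "Some challenges have failed." >&2
      return 1 ;;
  esac
}

# fake_logger: stand-in for `logger -t letsencrypt-...`; swallows stdin and,
# like the real logger, always exits 0.
fake_logger() { cat >/dev/null; return 0; }

# naive_pipeline: the shape the generated script uses today.
# Its exit status is fake_logger's, so it is 0 for every scenario.
naive_pipeline() {
  fake_certbot "$1" 2>&1 | fake_logger
}

# cert_fingerprint: cheap change detector for the certificate file (assumption:
# a checksum of fullchain.pem is a good enough "did anything change" signal).
cert_fingerprint() { cksum "$LIVE_DIR/fullchain.pem" | cut -d' ' -f1,2; }

# gated_run: log certbot's output but return certbot's own status, and return 2
# when certbot succeeded without changing the certificate. Only a 0 here should
# be allowed to trigger cron_success_command.
gated_run() {
  before=$(cert_fingerprint)
  out=$(fake_certbot "$1" 2>&1); rc=$?
  printf '%s\n' "$out" | fake_logger
  [ "$rc" -eq 0 ] || return "$rc"          # certbot failed: do not restart
  after=$(cert_fingerprint)
  [ "$before" != "$after" ] || return 2     # nothing renewed: do not restart
  return 0
}

# Stand-alone demo: compare the two forms for each scenario.
for scenario in noop fail renewed; do
  if naive_pipeline "$scenario"; then
    echo "$scenario: naive pipeline -> status 0, success command WOULD run"
  fi
  if gated_run "$scenario"; then
    echo "$scenario: gated run      -> status 0, success command runs"
  else
    echo "$scenario: gated run      -> status $?, success command skipped"
  fi
done
```

The gated form still writes everything to syslog; it just captures certbot's output first so the pipeline no longer decides the exit status, and it refuses to report success for the "Cert not yet due for renewal" case. Restarting httpd is then tied to an actual change of the certificate rather than to cron having fired.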