Email notifications #70

Closed
opened 2025-12-29 00:24:07 +01:00 by adam · 10 comments

Originally created by @bviktor on GitHub (Mar 2, 2016).

Hi,

your script seems very well maintained and I'm against duplicating efforts so I'd like to eliminate the need for my own LE renewal script.

I think we agree that automating SSL renewals without actually checking if they succeed or not is pretty brave. For this reason it's essential to have email notifications for every renewal event.

I'd love to open a PR but your script is rather extensive and unfortunately I don't have the capacity to analyze it and test things out ATM.

So in hopes that it'll be helpful, here's my script:

https://github.com/bviktor/le-renew

I'd like to add some quick pointers to make it easier. You shall add to `config.sh`:

```
#RCPT=${CONTACT_EMAIL}
SMTP_HOST=
SMTP_SENDER=
SMTP_USER= # this is not necessarily the best choice of words, because this includes the password as well
```

And for the script itself, the following:

  • A temp mail file that's deleted before each run (`$MAIL_FILE` in my script)
  • `mail_header ()`
  • `mail_footer ()`
  • `mail_echo ()`
  • `check_cert ()`

Then

```
check_cert
mail_echo <result: failure or success>
mail_echo <if failure, error message as well>
```

for every domain, and

```
mail_footer
curl ${CURL_FLAGS} --ssl-reqd --mail-from ${SMTP_SENDER} --mail-rcpt ${RCPT} --user ${SMTP_USER} --upload-file ${MAIL_FILE} --url ${SMTP_HOST}
```

to every exit point (`finish ()` in my script).

I'm not a big fan of HTML emails, but for these alerts it's very, very useful to make failures easy to spot. Screenshots:

http://imgur.com/rgdPu5U.png

http://imgur.com/R1NzZY7.png
Also, there's room for improvement, because SMTPS should be optional IMO. Not because I'm against security, but because some people may use an intranet SMTP relay, in which case SSL is unnecessary. E.g.

```
if [ ${SMTP_SSL} -eq 1 ]
then
    CURL_FLAGS="${CURL_FLAGS} --ssl-reqd"
fi
```

Looking forward to your opinion, thanks.

adam closed this issue 2025-12-29 00:24:08 +01:00

@lukas2511 commented on GitHub (Mar 5, 2016):

Mh... since there is already a hook for successfully renewed certs and a pull-request for unchanged ones we may as well just add a hook for failed renewal.
With that hook it should be very easy to do this in an external script, which I think is better than integrating it into the main script (trying to keep it simple to reduce chance of bugs).


@Sjd-Risca commented on GitHub (Mar 7, 2016):

I'd like to have the email option as well, but external hooks are the best way. KISS!


@bviktor commented on GitHub (Mar 7, 2016):

I'd like to point out that the script should send emails upon success as well, because if you only send mails upon failure and you don't receive an email, that could mean 2 things:

a) the renewal succeeded
b) both the renewal and email sending failed

If you send emails both upon success and failure, it's clear that something's going on when you don't receive an email.


@lukas2511 commented on GitHub (Mar 18, 2016):

I'm closing this since it's a lot better to do this with hooks.

Feel free to open issues for missing hooks, but please take a look at currently open pull-requests first since there are a few new hooks that will soon be merged.


@bviktor commented on GitHub (May 13, 2016):

So um, is this supposed to be a deploy_cert hook?


@lukas2511 commented on GitHub (May 16, 2016):

@bviktor yes, if you want to be notified when a certificate changes you'd add your code as a deploy_cert hook. I'd also suggest using something like cronwrap so you can catch any kind of error when using the script as a cronjob.

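The pieces discussed in this thread fit together as one hook script: the temp mail file, `mail_header`/`mail_echo`/`mail_footer`, a `check_cert` step, the curl upload from the opening post, the optional `--ssl-reqd` flag, a report on success as well as on failure, and the `deploy_cert` hook the maintainer points to. The script below is an added example written for this page; it is not bviktor's le-renew script and not dehydrated's own `hook.sh`. It assumes the configuration names from the opening post (`SMTP_HOST`, `SMTP_SENDER`, `SMTP_USER`, `RCPT`) plus `SMTP_SSL` and `MAIL_FILE`, a `deploy_cert` hook receiving the domain and the written key/cert paths, and an `exit_hook` receiving the run's error message (empty on success), which is assumed from dehydrated's example hook rather than stated on this page.

```shell
#!/bin/sh
# Added example hook for dehydrated-style renewals (not the project's own code).
# Assumed config (from config.sh or the environment): SMTP_HOST, SMTP_SENDER,
# SMTP_USER (user:password), RCPT, SMTP_SSL (1 = require TLS), MAIL_FILE.
set -u

MAIL_FILE="${MAIL_FILE:-/tmp/le-renew-mail.$$}"
SMTP_SSL="${SMTP_SSL:-1}"
CURL_FLAGS="${CURL_FLAGS:--sS}"

# Starts a fresh report; the file is removed first so a stale report is never re-sent.
mail_header() {
    rm -f "${MAIL_FILE}"
    {
        printf 'From: %s\r\n' "${SMTP_SENDER}"
        printf 'To: %s\r\n' "${RCPT}"
        printf 'Subject: %s\r\n' "$1"
        printf 'Content-Type: text/html; charset=utf-8\r\n\r\n'
        printf '<html><body><pre>\r\n'
    } > "${MAIL_FILE}"
}

# $1 = OK or FAIL, $2 = message. Failures are coloured red so they stand out in the inbox.
mail_echo() {
    colour="green"
    [ "$1" = "FAIL" ] && colour="red"
    printf '<span style="color:%s">[%s]</span> %s\r\n' "${colour}" "$1" "$2" >> "${MAIL_FILE}"
}

mail_footer() {
    printf '</pre></body></html>\r\n' >> "${MAIL_FILE}"
}

# Curl flag list; TLS is enforced only when SMTP_SSL=1, so an intranet relay without TLS works.
curl_ssl_flags() {
    flags="${CURL_FLAGS}"
    if [ "${SMTP_SSL}" -eq 1 ]; then
        flags="${flags} --ssl-reqd"
    fi
    printf '%s' "${flags}"
}

# Ships the report file as-is (headers + body) via SMTP; word splitting of the flags is intended.
mail_send() {
    curl $(curl_ssl_flags) --mail-from "${SMTP_SENDER}" --mail-rcpt "${RCPT}" \
        --user "${SMTP_USER}" --upload-file "${MAIL_FILE}" --url "${SMTP_HOST}"
}

# Returns 0 only if the cert file is readable and still valid 30 days from now.
check_cert() {
    certfile="$1"
    [ -r "${certfile}" ] || return 1
    openssl x509 -in "${certfile}" -noout -checkend $((30 * 24 * 3600)) > /dev/null 2>&1
}

# deploy_cert: called after a renewed certificate has been written (hook named in the thread).
deploy_cert() {
    DOMAIN="$1" CERTFILE="$3"
    mail_header "LE renewal: ${DOMAIN}"
    if check_cert "${CERTFILE}"; then
        mail_echo OK "${DOMAIN}: new certificate at ${CERTFILE}"
    else
        mail_echo FAIL "${DOMAIN}: certificate at ${CERTFILE} unreadable or expiring"
    fi
    mail_footer
    mail_send
}

# exit_hook (assumed signature: $1 = error message, empty on success). Mailing on success as
# well as on failure means that *silence* itself becomes a signal that something broke.
exit_hook() {
    ERROR="${1:-}"
    if [ -z "${ERROR}" ]; then
        mail_header "LE run finished without errors"
        mail_echo OK "renewal run completed"
    else
        mail_header "LE run FAILED"
        mail_echo FAIL "${ERROR}"
    fi
    mail_footer
    mail_send
}

# Dispatch on the hook name dehydrated passes as the first argument.
if [ "$#" -gt 0 ]; then
    HANDLER="$1"; shift
    case "${HANDLER}" in
        deploy_cert|exit_hook) "${HANDLER}" "$@" ;;
    esac
fi
```

Two practical notes: passing `user:password` via `--user` exposes the credential to anyone who can read the process list, so on shared hosts prefer curl's `--netrc-file` or a `--config` file with restrictive permissions; and `check_cert` relies on `openssl` being installed, failing closed (a FAIL line in the report) when it is not.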

@bviktor commented on GitHub (Jun 30, 2016):

Is there a way for the hook to query the path of the resulting cert or should I just use /etc/letsencrypt/live/$DOMAIN_NAME/cert.pem ?


@lukas2511 commented on GitHub (Jul 1, 2016):

@bviktor read https://github.com/lukas2511/letsencrypt.sh/blob/master/docs/examples/hook.sh


@bviktor commented on GitHub (Jul 1, 2016):

I'm a bit confused. For `$3` this says

```
For DNS validation, this is what you want to put in the _acme-challenge TXT record.
```

and there's no `$4` at all.

OTOH dns-verification.md says:

```
$3 is a "challenge token" (which is not needed for dns-01), and $4 is a token which needs to be inserted in a TXT record for the domain
```

Which one is right? :) Or am I missing something here?


@bviktor commented on GitHub (Jul 1, 2016):

Nevermind, I'm dumb, sorry :)


Reference: starred/dehydrated#70