From 86108999c10363f8b214bda81f5703e0eee8a3be Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Fri, 27 Sep 2019 09:31:22 +0200
Subject: [PATCH] certbot: check syntax in hooks just before reload

---
 certbot/files/hooks/apache.sh | 15 ++++++++-------
 certbot/files/hooks/dovecot.sh | 15 ++++++++-------
 certbot/files/hooks/haproxy.sh | 25 +++++++++++++------------
 certbot/files/hooks/nginx.sh | 15 ++++++++-------
 certbot/files/hooks/postfix.sh | 15 ++++++++-------
 5 files changed, 45 insertions(+), 40 deletions(-)

diff --git a/certbot/files/hooks/apache.sh b/certbot/files/hooks/apache.sh
index 765943e0..86b2c10d 100644
--- a/certbot/files/hooks/apache.sh
+++ b/certbot/files/hooks/apache.sh
@@ -13,18 +13,19 @@ debug() {
 fi
 }
 
-if [ -n "$(pidof apache2)" ]; then
- apache2ctl_bin=$(command -v apache2ctl)
- if ${apache2ctl_bin} configtest > /dev/null; then
- if grep --dereference-recursive -E "^\s*SSLCertificate" /etc/apache2/sites-enabled | grep -q "letsencrypt"; then
+apache2ctl_bin=$(command -v apache2ctl)
+
+if [ -n "$(pidof apache2)" ] && [ -n "${apache2ctl_bin}" ]; then
+ if grep -r -E "letsencrypt" /etc/apache2/; then
+ if ${apache2ctl_bin} configtest > /dev/null; then
 debug "Apache detected... reloading"
 systemctl reload apache2
 else
- debug "Apache doesn't use Let's Encrypt certificate. Skip."
+ error "Apache config is broken, you must fix it !"
 fi
 else
- error "Apache config is broken, you must fix it !"
+ debug "Apache doesn't use Let's Encrypt certificate. Skip."
 fi
 else
- debug "Apache is not running. Skip."
+ debug "Apache is not running or missing. Skip."
 fi
diff --git a/certbot/files/hooks/dovecot.sh b/certbot/files/hooks/dovecot.sh
index ffed2994..d09e668c 100644
--- a/certbot/files/hooks/dovecot.sh
+++ b/certbot/files/hooks/dovecot.sh
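Review bot: The new detection test `if grep -r -E "letsencrypt" /etc/apache2/; then` dropped the `-q` that the removed `| grep -q "letsencrypt"` pipeline had, so every matching line is now printed to stdout on each renewal; `if grep -r -q -F "letsencrypt" /etc/apache2/; then` keeps the hook quiet and uses a fixed-string match since no regex is needed. It also searches all of /etc/apache2/ instead of the `SSLCertificate` directives under sites-enabled, so a disabled vhost in sites-available or a comment that mentions letsencrypt is enough to trigger a reload; if that looser match is intended, a one-line comment saying so would spare the next reader from tightening it back. The same dropped `-q` and unanchored pattern apply to the nginx.sh hunk in this commit, where for instance an ACME-challenge `root` path containing letsencrypt would presumably also match.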
@@ -13,18 +13,19 @@ debug() {
 fi
 }
 
-if [ -n "$(pidof dovecot)" ]; then
- doveconf_bin=$(command -v doveconf)
- if ${doveconf_bin} > /dev/null; then
- if ${doveconf_bin} | grep -E "^ssl_cert[^_]" | grep -q "letsencrypt"; then
+doveconf_bin=$(command -v doveconf)
+
+if [ -n "$(pidof dovecot)" ] && [ -n "${doveconf_bin}" ]; then
+ if ${doveconf_bin} | grep -E "^ssl_cert[^_]" | grep -q "letsencrypt"; then
+ if ${doveconf_bin} > /dev/null; then
 debug "Dovecot detected... reloading"
 systemctl reload dovecot
 else
- debug "Dovecot doesn't use Let's Encrypt certificate. Skip."
+ error "Dovecot config is broken, you must fix it !"
 fi
 else
- error "Dovecot config is broken, you must fix it !"
+ debug "Dovecot doesn't use Let's Encrypt certificate. Skip."
 fi
 else
- debug "Dovecot is not running. Skip."
+ debug "Dovecot is not running or missing. Skip."
 fi
diff --git a/certbot/files/hooks/haproxy.sh b/certbot/files/hooks/haproxy.sh
index b6023bfc..20d68fde 100644
--- a/certbot/files/hooks/haproxy.sh
+++ b/certbot/files/hooks/haproxy.sh
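Review bot: Moving `if ${doveconf_bin} > /dev/null; then` below the detection pipeline makes the broken-config branch effectively unreachable: `${doveconf_bin} | grep -E "^ssl_cert[^_]" | grep -q "letsencrypt"` already runs the same binary, and when the configuration is broken it presumably prints its error rather than the settings, so the outer test fails and the hook takes the `else` branch, reporting "Dovecot doesn't use Let's Encrypt certificate. Skip." at debug level instead of the `error`. Capturing the output together with its exit status keeps the check next to the reload and still surfaces the failure, e.g. `dovecot_conf=$(${doveconf_bin}) || error "Dovecot config is broken, you must fix it !"` followed by `if printf '%s\n' "${dovecot_conf}" | grep -E "^ssl_cert[^_]" | grep -q "letsencrypt"; then` (this relies on `error` exiting, which the RENEWED_LINEAGE guard shown in the haproxy.sh hunk suggests but this hunk does not show). The postfix.sh hunk in this commit has the same ordering problem with `${postconf_bin}`.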
@@ -17,25 +17,26 @@ if [ -z "${RENEWED_LINEAGE}" ]; then
 error "This script must be called only by certbot!"
 fi
 
-if [ -n "$(pidof haproxy)" ]; then
- haproxy_bin=$(command -v haproxy)
- if ${haproxy_bin} -c -f /etc/haproxy/haproxy.cfg > /dev/null; then
- if [ -f "${RENEWED_LINEAGE}/fullchain.pem" ] && [ -f "${RENEWED_LINEAGE}/privkey.pem" ]; then
- haproxy_cert_file="/etc/ssl/haproxy/$(basename "${RENEWED_LINEAGE}").pem"
+haproxy_bin=$(command -v haproxy)
 
- debug "Concatenating certificate files to ${haproxy_cert_file}"
- cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}"
- chmod 600 "${haproxy_cert_file}"
- chown root: "${haproxy_cert_file}"
+if [ -n "$(pidof haproxy)" ] && [ -n "${haproxy_bin}" ]; then
+ if [ -f "${RENEWED_LINEAGE}/fullchain.pem" ] && [ -f "${RENEWED_LINEAGE}/privkey.pem" ]; then
+ haproxy_cert_file="/etc/ssl/haproxy/$(basename "${RENEWED_LINEAGE}").pem"
+ debug "Concatenating certificate files to ${haproxy_cert_file}"
+ cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}"
+ chmod 600 "${haproxy_cert_file}"
+ chown root: "${haproxy_cert_file}"
+
+ if ${haproxy_bin} -c -f /etc/haproxy/haproxy.cfg > /dev/null; then
 debug "HAProxy detected... reloading"
 systemctl reload apache2
 else
- error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem"
+ error "HAProxy config is broken, you must fix it !"
 fi
 else
- error "HAProxy config is broken, you must fix it !"
+ error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem"
 fi
 else
- debug "HAProxy is not running. Skip."
+ debug "HAProxy is not running or missing. Skip."
 fi
 
diff --git a/certbot/files/hooks/nginx.sh b/certbot/files/hooks/nginx.sh
index ff78166a..4c212634 100644
--- a/certbot/files/hooks/nginx.sh
+++ b/certbot/files/hooks/nginx.sh
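Review bot: The reload that the new syntax check now guards still targets the wrong unit: the context line `systemctl reload apache2` right after `debug "HAProxy detected... reloading"` should be `systemctl reload haproxy`, otherwise the freshly concatenated certificate is never loaded by HAProxy even though the hook reports success. Separately, `cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}"` creates a file containing the private key under the caller's default umask and only then `chmod 600`s it, so a first-time write is briefly readable by other users; running the write under a restrictive umask closes that window, e.g. `(umask 077; cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}")`. Note also that the new ordering replaces the certificate file on disk before the config check, so a broken config leaves the new file present but unloaded until the config is fixed and HAProxy reloaded; that seems acceptable for a renewal hook but deserves a comment above the `cat` line.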
@@ -13,18 +13,19 @@ debug() {
 fi
 }
 
-if [ -n "$(pidof nginx)" ]; then
- nginx_bin=$(command -v nginx)
- if ${nginx_bin} -t > /dev/null; then
- if grep --dereference-recursive -E "^\s*ssl_certificate" /etc/nginx/sites-enabled | grep -q "letsencrypt"; then
+nginx_bin=$(command -v nginx)
+
+if [ -n "$(pidof nginx)" ] && [ -n "${nginx_bin}" ]; then
+ if grep --dereference-recursive -E "letsencrypt" /etc/nginx/sites-enabled; then
+ if ${nginx_bin} -t > /dev/null; then
 debug "Nginx detected... reloading"
 systemctl reload nginx
 else
- debug "Nginx doesn't use Let's Encrypt certificate. Skip."
+ error "Nginx config is broken, you must fix it !"
 fi
 else
- error "Nginx config is broken, you must fix it !"
+ debug "Nginx doesn't use Let's Encrypt certificate. Skip."
 fi
 else
- debug "Nginx is not running. Skip."
+ debug "Nginx is not running or missing. Skip."
 fi
diff --git a/certbot/files/hooks/postfix.sh b/certbot/files/hooks/postfix.sh
index 68948d0a..f08a0334 100644
--- a/certbot/files/hooks/postfix.sh
+++ b/certbot/files/hooks/postfix.sh
@@ -13,18 +13,19 @@ debug() {
 fi
 }
 
-if [ -n "$(pidof master)" ]; then
- postconf_bin=$(command -v postconf)
- if ${postconf_bin} > /dev/null; then
- if ${postconf_bin} | grep -E "^smtpd_tls_cert_file" | grep -q "letsencrypt"; then
+postconf_bin=$(command -v postconf)
+
+if [ -n "$(pidof master)" ] && [ -n "${postconf_bin}" ]; then
+ if ${postconf_bin} | grep -E "^smtpd_tls_cert_file" | grep -q "letsencrypt"; then
+ if ${postconf_bin} > /dev/null; then
 debug "Postfix detected... reloading"
 systemctl reload postfix
 else
- debug "Postfix doesn't use Let's Encrypt certificate. Skip."
+ error "Postfix config is broken, you must fix it !"
 fi
 else
- error "Postfix config is broken, you must fix it !"
+ debug "Postfix doesn't use Let's Encrypt certificate. Skip."
 fi
 else
- debug "Postfix is not running. Skip."
+ debug "Postfix is not running or missing. Skip."
 fi