certbot: check syntax in hooks just before reload

2019-09-27 09:31:22 +02:00 · 2019-09-27 09:31:22 +02:00 · 86108999c1
parent 394e28b815
commit 86108999c1
5 changed files with 45 additions and 40 deletions
--- a/certbot/files/hooks/apache.sh
+++ b/certbot/files/hooks/apache.sh
@ -13,18 +13,19 @@ debug() {
    fi
 }

-if [ -n "$(pidof apache2)" ]; then
-    apache2ctl_bin=$(command -v apache2ctl)
+apache2ctl_bin=$(command -v apache2ctl)
+
+if [ -n "$(pidof apache2)" ] && [ -n "${apache2ctl_bin}" ]; then
+    if grep -r -E "letsencrypt" /etc/apache2/; then
        if ${apache2ctl_bin} configtest > /dev/null; then
-        if grep --dereference-recursive -E "^\s*SSLCertificate" /etc/apache2/sites-enabled | grep -q "letsencrypt"; then
            debug "Apache detected... reloading"
            systemctl reload apache2
-        else
-            debug "Apache doesn't use Let's Encrypt certificate. Skip."
-        fi
        else
            error "Apache config is broken, you must fix it !"
        fi
+    else
+        debug "Apache doesn't use Let's Encrypt certificate. Skip."
+    fi
 else
-    debug "Apache is not running. Skip."
+    debug "Apache is not running or missing. Skip."
 fi
--- a/certbot/files/hooks/dovecot.sh
+++ b/certbot/files/hooks/dovecot.sh
@ -13,18 +13,19 @@ debug() {
    fi
 }

-if [ -n "$(pidof dovecot)" ]; then
-    doveconf_bin=$(command -v doveconf)
-    if ${doveconf_bin} > /dev/null; then
+doveconf_bin=$(command -v doveconf)
+
+if [ -n "$(pidof dovecot)" ] && [ -n "${doveconf_bin}" ]; then
    if ${doveconf_bin} | grep -E "^ssl_cert[^_]" | grep -q "letsencrypt"; then
+        if ${doveconf_bin} > /dev/null; then
            debug "Dovecot detected... reloading"
            systemctl reload dovecot
-        else
-            debug "Dovecot doesn't use Let's Encrypt certificate. Skip."
-        fi
        else
            error "Dovecot config is broken, you must fix it !"
        fi
+    else
+        debug "Dovecot doesn't use Let's Encrypt certificate. Skip."
+    fi
 else
-    debug "Dovecot is not running. Skip."
+    debug "Dovecot is not running or missing. Skip."
 fi
--- a/certbot/files/hooks/haproxy.sh
+++ b/certbot/files/hooks/haproxy.sh
@ -17,9 +17,9 @@ if [ -z "${RENEWED_LINEAGE}" ]; then
  error "This script must be called only by certbot!"
 fi

-if [ -n "$(pidof haproxy)" ]; then
-    haproxy_bin=$(command -v haproxy)
-    if ${haproxy_bin} -c -f /etc/haproxy/haproxy.cfg > /dev/null; then
+haproxy_bin=$(command -v haproxy)
+
+if [ -n "$(pidof haproxy)" ] && [ -n "${haproxy_bin}" ]; then
    if [ -f "${RENEWED_LINEAGE}/fullchain.pem" ] && [ -f "${RENEWED_LINEAGE}/privkey.pem" ]; then
        haproxy_cert_file="/etc/ssl/haproxy/$(basename "${RENEWED_LINEAGE}").pem"

@ -28,14 +28,15 @@ if [ -n "$(pidof haproxy)" ]; then
        chmod 600 "${haproxy_cert_file}"
        chown root: "${haproxy_cert_file}"

+        if ${haproxy_bin} -c -f /etc/haproxy/haproxy.cfg > /dev/null; then
            debug "HAProxy detected... reloading"
            systemctl reload apache2
-        else
-            error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem"
-        fi
        else
            error "HAProxy config is broken, you must fix it !"
        fi
+    else
+        error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem"
+    fi
 else
-    debug "HAProxy is not running. Skip."
+    debug "HAProxy is not running or missing. Skip."
 fi
--- a/certbot/files/hooks/nginx.sh
+++ b/certbot/files/hooks/nginx.sh
@ -13,18 +13,19 @@ debug() {
    fi
 }

-if [ -n "$(pidof nginx)" ]; then
-    nginx_bin=$(command -v nginx)
+nginx_bin=$(command -v nginx)
+
+if [ -n "$(pidof nginx)" ] && [ -n "${nginx_bin}" ]; then
+    if grep --dereference-recursive -E "letsencrypt" /etc/nginx/sites-enabled; then
        if ${nginx_bin} -t > /dev/null; then
-        if grep --dereference-recursive -E "^\s*ssl_certificate" /etc/nginx/sites-enabled | grep -q "letsencrypt"; then
            debug "Nginx detected... reloading"
            systemctl reload nginx
-        else
-            debug "Nginx doesn't use Let's Encrypt certificate. Skip."
-        fi
        else
            error "Nginx config is broken, you must fix it !"
        fi
+    else
+        debug "Nginx doesn't use Let's Encrypt certificate. Skip."
+    fi
 else
-    debug "Nginx is not running. Skip."
+    debug "Nginx is not running or missing. Skip."
 fi
--- a/certbot/files/hooks/postfix.sh
+++ b/certbot/files/hooks/postfix.sh
@ -13,18 +13,19 @@ debug() {
    fi
 }

-if [ -n "$(pidof master)" ]; then
-    postconf_bin=$(command -v postconf)
-    if ${postconf_bin} > /dev/null; then
+postconf_bin=$(command -v postconf)
+
+if [ -n "$(pidof master)" ] && [ -n "${postconf_bin}" ]; then
    if ${postconf_bin} | grep -E "^smtpd_tls_cert_file" | grep -q "letsencrypt"; then
+        if ${postconf_bin} > /dev/null; then
            debug "Postfix detected... reloading"
            systemctl reload postfix
-        else
-            debug "Postfix doesn't use Let's Encrypt certificate. Skip."
-        fi
        else
            error "Postfix config is broken, you must fix it !"
        fi
+    else
+        debug "Postfix doesn't use Let's Encrypt certificate. Skip."
+    fi
 else
-    debug "Postfix is not running. Skip."
+    debug "Postfix is not running or missing. Skip."
 fi