Different behaviour of deploy_hook from docker shell and from certbot process

[bunnis]

Hi

I have tried for some time debug this issue but I can't seem to figure out the problem. I have searched this repo issues and found #62. I already use in my ENV the DEPLOY_HOOK, but still my script fails execution.

My issue is that I have created a script that automates the installation on a server. If I execute this in within docker' shell (docker exec -it dnsrobocert /bin/sh OR docker exec -it dnsrobocert /bin/bash) they work well.
However, the renewal process seems to have problems with it. For example, this is the failed log:

2022-03-10 23:32:01,391:INFO:certbot.compat.misc:Running deploy-hook command: /usr/local/bin/python3 -m dnsrobocert.core.hooks -t deploy -c "/tmp/tmp_9znxpiu/dnsrobocert-runtime.yml" -l "__REDACTED__"
2022-03-10 23:32:01,686:DEBUG:certbot._internal.display.obj:Notifying user: Hook 'deploy-hook' ran with output:
 uploading certificate cert.pem

 Uploading key privkey.pem

 updating certificate on NS for wildcard.__REDACTED__

 Done
2022-03-10 23:32:01,687:WARNING:certbot.display.ops:Hook 'deploy-hook' ran with error output:
 /home/root/deploy-hook.sh: 3: apk: not found
 /home/root/deploy-hook.sh: 4: apk: not found
 /home/root/deploy-hook.sh: 5: apk: not found
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed

   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
 curl: (7) Failed to connect to 192.168.1.150 port 80: Connection refused
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed

   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
 curl: (7) Failed to connect to 192.168.1.150 port 80: Connection refused
 /home/root/deploy-hook.sh: 29: ssh: not found
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed

   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
 curl: (7) Failed to connect to 192.168.1.150 port 80: Connection refused
 /home/root/deploy-hook.sh: 36: ssh: not found
2022-03-10 23:32:01,687:DEBUG:certbot._internal.display.obj:Notifying user:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/__REDACTED__/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/__REDACTED__/privkey.pem
This certificate expires on 2022-06-08.
These files will be updated when the certificate renews.

If I run the script directly from docker's shell:

# ./deploy-hook.sh
./deploy-hook.sh: 1: !/bin/bash: not found
Hit:1 http://security.debian.org/debian-security bullseye-security InRelease
Hit:2 http://deb.debian.org/debian bullseye InRelease
Hit:3 http://deb.debian.org/debian bullseye-updates InRelease
Get:4 https://download.docker.com/linux/debian bullseye InRelease [43.3 kB]
Fetched 43.3 kB in 0s (170 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
curl is already the newest version (7.74.0-1.3+deb11u1).
openssh-client is already the newest version (1:8.4p1-5).
0 upgraded, 0 newly installed, 0 to remove and 39 not upgraded.
whoami= root
whoami
root


uploading certificate cert.pem


Uploading key privkey.pem


adding NS pub key to known_hosts
# 192.168.1.150:22 SSH-2.0-OpenSSH_8.6
# 192.168.1.150:22 SSH-2.0-OpenSSH_8.6
# 192.168.1.150:22 SSH-2.0-OpenSSH_8.6
# 192.168.1.150:22 SSH-2.0-OpenSSH_8.6
# 192.168.1.150:22 SSH-2.0-OpenSSH_8.6


convert key to rsa
###############################################################################
#                                                                             #
#        WARNING: Access to this system is for authorized users only          #
#         Disconnect IMMEDIATELY if you are not an authorized user!           #
#                                                                             #
###############################################################################

 Done
writing RSA key
 Done


updating certificate on NS for wildcard.__REDACTED__
{ "errorcode": 0, "message": "Done", "severity": "NONE" }

saving config
###############################################################################
#                                                                             #
#        WARNING: Access to this system is for authorized users only          #
#         Disconnect IMMEDIATELY if you are not an authorized user!           #
#                                                                             #
###############################################################################

 Done
 Done


Finished upload process
#

You can clearly see the errors in the log files and the success when ran from shell. I even have tried adding the "whoami" command to see who is running this. I also have tried checking bot dnsrobocert and certbot docs but I can't figure out what is happening, maybe you can give me some pointers?

For reference, my script is below, redacted:

root@devops:/etc/letsencrypt# cat deploy-hook.sh
!/bin/sh
#make sure curl and ssh  are installed
#apk update -y
#apk --no-cache add curl
#apk add --update coreutils
#apk add openssh
apt-get update -y
apt-get install curl openssh-client -y
echo "whoami= `whoami`"
echo "whoami"
whoami
#
NS_RSA_KEY_FINGERPRINT=__REDACTED__
NSIP=__REDACTED__
NSUSER="certuser"
NSPASS="certuser"
NSCERTNAME=__REDACTED__
LOCALCERTFILE=cert.pem
LOCALCERTKEY=privkey.pem
LETSENCRYPTCERTPATH=/etc/letsencrypt/live/__REDACTED__/
NSCERTFILENAME=$(basename $(readlink ${LETSENCRYPTCERTPATH}cert.pem))
NSKEYFILENAME=$(basename $(readlink ${LETSENCRYPTCERTPATH}privkey.pem))
NSPATH="/nsconfig/ssl/"


cd $LETSENCRYPTCERTPATH
#upload certificate
echo "\n\nuploading certificate ${LOCALCERTFILE}"
curl -X POST -H "X-NITRO-USER:${NSUSER}" -H "X-NITRO-PASS:${NSPASS}" -H "Content-Type:application/json" -d '{"systemfile":{"filename":"'${NSCERTFILENAME}'","filelocation":"'${NSPATH}'","filecontent":"'"$(base64 -w 0 ${LOCALCERTFILE})"'","fileencoding":"BASE64"}}' --insecure https://${NSIP}/nitro/v1/config/systemfile?override=yes

#upload key
echo "\n\nUploading key ${LOCALCERTKEY}"
curl -X POST -H "X-NITRO-USER:${NSUSER}" -H "X-NITRO-PASS:${NSPASS}" -H "Content-Type:application/json" -d '{"systemfile":{"filename":"'${NSKEYFILENAME}'","filelocation":"'${NSPATH}'","filecontent":"'"$(base64 -w 0 ${LOCALCERTKEY})"'","fileencoding":"BASE64"}}' --insecure https://${NSIP}/nitro/v1/config/systemfile?override=yes

#add pub key to known_hosts for no prompts during auth (replaces  -o StrictHostKeyChecking="no")
echo "\n\nadding NS pub key to known_hosts"
mkdir -p /root/.ssh/
ssh-keyscan -H ${NSIP} > /root/.ssh/known_hosts
#convert key to RSA - assumes ssh pubkey auth
echo "\n\nconvert key to rsa"
ssh -i /home/root/.ssh/id_rsa  ${NSUSER}@${NSIP} shell openssl rsa -in ${NSPATH}${NSKEYFILENAME} -out ${NSPATH}${NSKEYFILENAME}

#update certificate for NSCERTNAME
echo "\n\nupdating certificate on NS for ${NSCERTNAME}"
curl --insecure "https://${NSIP}/nitro/v1/config/sslcertkey" -X POST -H "X-NITRO-USER:${NSUSER}" -H "X-NITRO-PASS:${NSPASS}" -H "Content-Type:application/x-www-form-urlencoded" --data 'object={"params":{"action":"update"},"sslcertkey":{"certkey":"'${NSCERTNAME}'","cert":"'${NSCERTFILENAME}'","key":"'${NSKEYFILENAME}'","nodomaincheck":true}}'

#savec
echo "\n\nsaving config"
ssh -i /home/root/.ssh/id_rsa ${NSUSER}@${NSIP} savec


echo "\n\nFinished upload process"

[bunnis]

anyone?