Fix FAILED_DOMAINS truncation writing to wrong variable

hooks.py line 179 truncated into renewed_sans_str instead of failed_sans_str, so RENEWED_DOMAINS was clobbered with failed domains and FAILED_DOMAINS was never actually limited.
2026-05-28 04:34:11 -04:00 · 2026-04-21 10:32:31 -07:00 · 2026-04-21 10:32:31 -07:00 · b20b1a0d49
commit b20b1a0d49
parent 3a5c92c6be
3 changed files with 20 additions and 1 deletions
--- a/certbot/src/certbot/_internal/hooks.py
+++ b/certbot/src/certbot/_internal/hooks.py
@ -176,7 +176,7 @@ def run_saved_post_hooks(renewed_sans: list[san.SAN], failed_sans: list[san.SAN]

    if len(failed_sans_str) > 16_000:
        logger.warning("Limiting FAILED_DOMAINS environment variable to 16k characters")
-        renewed_sans_str = failed_sans_str[:16_000]
+        failed_sans_str = failed_sans_str[:16_000]

    for cmd in post_hooks:
        _run_hook(
--- a/certbot/src/certbot/_internal/tests/hook_test.py
+++ b/certbot/src/certbot/_internal/tests/hook_test.py
@ -313,6 +313,24 @@ class RunSavedPostHooksTest(HookTest):
        assert mock_execute.call_args.kwargs['env']["RENEWED_DOMAINS"] == "success.org"
        assert mock_execute.call_args.kwargs['env']["FAILED_DOMAINS"] == "failed.org"

+    def test_env_truncation_oversize_failed(self):
+        self.eventually = ["foo"]
+        renewed = ["success.org"]
+        failed = [f"fail{i}.example.com" for i in range(1000)]
+        mock_execute = self._call_with_mock_execute_and_eventually(renewed, failed)
+        env = mock_execute.call_args.kwargs['env']
+        assert env["RENEWED_DOMAINS"] == "success.org"
+        assert len(env["FAILED_DOMAINS"]) <= 16_000
+
+    def test_env_truncation_oversize_renewed(self):
+        self.eventually = ["foo"]
+        renewed = [f"renew{i}.example.com" for i in range(1000)]
+        failed = ["failed.org"]
+        mock_execute = self._call_with_mock_execute_and_eventually(renewed, failed)
+        env = mock_execute.call_args.kwargs['env']
+        assert len(env["RENEWED_DOMAINS"]) <= 16_000
+        assert env["FAILED_DOMAINS"] == "failed.org"
+

 class RenewalHookTest(HookTest):
    """Common base class for testing deploy/renew hooks."""
--- a/newsfragments/10623.fixed
+++ b/newsfragments/10623.fixed
@ -0,0 +1 @@
+Fixed run_saved_post_hooks truncating the wrong variable when the joined failed-domain string exceeds 16k characters, which corrupted RENEWED_DOMAINS and left FAILED_DOMAINS untruncated.
				`@ -0,0 +1 @@`
				`Fixed run_saved_post_hooks truncating the wrong variable when the joined failed-domain string exceeds 16k characters, which corrupted RENEWED_DOMAINS and left FAILED_DOMAINS untruncated.`