add flag to run deploy hook despite doing a dry run, and recommend setting that to yes when running reconfigure and modifying the deploy hook

Erica Portnoy 2022-11-23 12:03:25 -08:00
parent 610b9aec5c
commit eb932e1a41
4 changed files with 26 additions and 9 deletions


@ -162,6 +162,16 @@ def prepare_and_parse_args(plugins: plugins_disco.PluginsRegistry, args: List[st
" roll back those changes. It also calls --pre-hook and --post-hook commands"
" if they are defined because they may be necessary to accurately simulate"
" renewal. --deploy-hook commands are not called.")
helpful.add(
["testing", "renew", "certonly", "reconfigure"],
"--run-deploy-hook", action="store_true", dest="run_deploy_hook",
default=flag_default("run_deploy_hook"),
help="When performing a test run using `--dry-run` or `reconfigure`, run any applicable"
" deploy hooks. This includes hooks set on the command line, saved in the"
" certificate's renewal configuration file, or present in the renewal-hooks directory."
" To exclude direcory hooks, use --no-directory-hooks. The hook(s) will only"
" be run if the dry run succeeds. This flag is recommended when modifying the deploy"
" hook using `reconfigure`.")
helpful.add(
["register", "automation"], "--register-unsafely-without-email", action="store_true",
default=flag_default("register_unsafely_without_email"),
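Review bot: The new `--run-deploy-hook` help string misspells `directory` as `direcory`, and the unchanged `--dry-run` help just above it still ends with `--deploy-hook commands are not called.`, which is no longer true once this flag is set. Fix the spelling and change that sentence to `--deploy-hook commands are not called unless --run-deploy-hook is set.` so the two options do not contradict each other. The new help should also state which certificate the hook acts on. A dry run rolls its changes back, so the hook presumably sees the existing lineage rather than a newly issued certificate; an operator should know that before letting a hook that reloads or copies key material run as part of a test.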


@ -80,6 +80,7 @@ CLI_DEFAULTS: Dict[str, Any] = dict( # noqa
eab_hmac_key=None,
eab_kid=None,
issuance_timeout=90,
run_deploy_hook=False,
# Subparsers
num=None,


@ -166,7 +166,7 @@ def deploy_hook(config: configuration.NamespaceConfig, domains: List[str],
"""
if config.deploy_hook:
_run_deploy_hook(config.deploy_hook, domains,
lineage_path, config.dry_run)
lineage_path, config.dry_run, config.run_deploy_hook)
def renew_hook(config: configuration.NamespaceConfig, domains: List[str],
@ -190,7 +190,7 @@ def renew_hook(config: configuration.NamespaceConfig, domains: List[str],
executed_dir_hooks = set()
if config.directory_hooks:
for hook in list_hooks(config.renewal_deploy_hooks_dir):
_run_deploy_hook(hook, domains, lineage_path, config.dry_run)
_run_deploy_hook(hook, domains, lineage_path, config.dry_run, config.run_deploy_hook)
executed_dir_hooks.add(hook)
if config.renew_hook:
@ -199,10 +199,11 @@ def renew_hook(config: configuration.NamespaceConfig, domains: List[str],
config.renew_hook)
else:
_run_deploy_hook(config.renew_hook, domains,
lineage_path, config.dry_run)
lineage_path, config.dry_run, config.run_deploy_hook)
def _run_deploy_hook(command: str, domains: List[str], lineage_path: str, dry_run: bool) -> None:
def _run_deploy_hook(command: str, domains: List[str], lineage_path: str, dry_run: bool,
run_deploy_hook: bool) -> None:
"""Run the specified deploy-hook (if not doing a dry run).
If dry_run is True, command is not run and a message is logged
@ -214,9 +215,10 @@ def _run_deploy_hook(command: str, domains: List[str], lineage_path: str, dry_ru
:type domains: `list` of `str`
:param str lineage_path: live directory path for the new cert
:param bool dry_run: True iff Certbot is doing a dry run
:param bool run_deploy_hook: True if deploy hook should run despite Certbot doing a dry run
"""
if dry_run:
if dry_run and not run_deploy_hook:
logger.info("Dry run: skipping deploy hook command: %s",
command)
return
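Review bot: The `_run_deploy_hook` docstring still opens with `Run the specified deploy-hook (if not doing a dry run).` and says the command is not run when dry_run is True, which contradicts the new guard `if dry_run and not run_deploy_hook:`. Reword it along the lines of `Run the specified deploy-hook; on a dry run the command is skipped unless run_deploy_hook is True.` The hook is an arbitrary command executed with Certbot's privileges, so the override path should leave a log trace too, for example `if dry_run: logger.info("Dry run: running deploy hook command because --run-deploy-hook is set: %s", command)` after the early return. The new parameter is a second positional bool with no default; `run_deploy_hook: bool = False` would keep any caller outside these hunks working and make the two flags harder to transpose at call sites. The function body continues past the end of the hunk.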


@ -1737,6 +1737,14 @@ def reconfigure(config: configuration.NamespaceConfig,
raise errors.ConfigurationError(f"An existing certificate with name {certname} could not "
"be found. Run `certbot certificates` to list available certificates.")
# figure this out before we modify config
if config.deploy_hook and not config.run_deploy_hook:
msg = "You are attempting to set a new deploy hook. Would you like Certbot to run the new "
"hook when it performs a dry run with the new settings? This will run all relevant "
"deploy hooks, including directory hooks, unless --no-directory-hooks is set."
config.run_deploy_hook = display_util.yesno(msg,"Run deploy hook",
"Do not run deploy hook", default=False)
# cache previous version for later comparison
try:
orig_renewal_conf = configobj.ConfigObj(
@ -1764,10 +1772,6 @@ def reconfigure(config: configuration.NamespaceConfig,
_get_and_save_cert(le_client, lineage_config, certname=certname,
lineage=renewal_candidate)
domains = renewal_candidate.names()
lineage_config.dry_run = False
hooks.renew_hook(lineage_config, domains, renewal_candidate.live_dir)
# this function will update lineage.configuration with the new values, and save it to disk
renewal_candidate.save_new_config_values(lineage_config)
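Review bot: In `reconfigure`, the assignment `msg = "You are attempting to set a new deploy hook. ..."` is not wrapped in parentheses, so the two string literals on the following lines are not joined to it. Depending on the indentation, which this page has lost, that is either an IndentationError or a prompt cut off after `run the new `. Wrap the three literals as `msg = ("You are attempting ... " "hook when it performs ... " "deploy hooks, including ...")` and put a space after the comma in `display_util.yesno(msg,"Run deploy hook", ...)`. The second hunk appears to drop the `lineage_config.dry_run = False` / `hooks.renew_hook(...)` call, so hooks now seem to run only inside the dry run and only after a yes answer. The prompt should therefore say that the hook runs against the currently installed certificate, and a comment should note that declining, which is also the `default=False` path, saves the new hook without ever having executed it.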