fix: read API_TOKEN from database in certbot hooks #3296

Open
Upellift99 wants to merge 3 commits into bunkerity:dev from Upellift99:fix/certbot-hooks-api-token

@Upellift99

Summary

  • Certbot sanitizes subprocess environment, stripping API_TOKEN from certbot hook scripts (certbot-auth.py, certbot-cleanup.py, certbot-deploy.py)
  • Hooks fail to authenticate with the BunkerWeb API, preventing certificate issuance/renewal
  • Fix: retrieve API_TOKEN from the database via db.get_non_default_settings() (already available through DATABASE_URI which certbot preserves) instead of relying on getenv("API_TOKEN")

Fixes #3295

Validation steps

  1. Deploy BunkerWeb with AUTO_LETS_ENCRYPT=yes on a service
  2. Trigger certificate issuance (add a new service or wait for renewal)
  3. Verify in scheduler logs that the certbot hooks successfully authenticate and the certificate is issued
  4. Verify that manual certbot renew also works correctly

Files changed

  • src/common/core/letsencrypt/jobs/certbot-auth.py
  • src/common/core/letsencrypt/jobs/certbot-cleanup.py
  • src/common/core/letsencrypt/jobs/certbot-deploy.py

🤖 Generated with Claude Code
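
An added illustration of the failure mode and fix described in the summary above (not code from this pull request or from BunkerWeb): a child hook launched with an allow-listed environment loses `API_TOKEN` but can still recover it through the preserved `DATABASE_URI`. The allow-list, the SQLite `settings` table and the hook body are constructed assumptions; the real hooks use `db.get_non_default_settings()`, which is not reproduced here.

```python
import json
import os
import sqlite3
import subprocess
import sys
import tempfile

# Constructed allow-list standing in for a parent that sanitizes hook environments.
PRESERVED = ("PATH", "HOME", "LANG", "LD_LIBRARY_PATH", "DATABASE_URI")

# Hook body run in the child: reports where it found the token, never the token itself.
HOOK = """
import json, os, sqlite3
token, source = os.getenv("API_TOKEN"), "env"
if not token:  # environment was stripped: fall back to the database
    path = os.environ["DATABASE_URI"].removeprefix("sqlite:///")
    with sqlite3.connect(path) as db:
        row = db.execute("SELECT value FROM settings WHERE id = ?", ("API_TOKEN",)).fetchone()
    token, source = (row[0], "database") if row else (None, "missing")
print(json.dumps({"source": source, "authenticated": bool(token)}))
"""

def make_db(path, token):
    """Create the constructed settings table and store a non-default API_TOKEN."""
    with sqlite3.connect(path) as db:
        db.execute("CREATE TABLE settings (id TEXT PRIMARY KEY, value TEXT)")
        db.execute("INSERT INTO settings VALUES (?, ?)", ("API_TOKEN", token))

def run_hook(parent_env, sanitize=True):
    """Run HOOK as a child process, optionally with only the allow-listed variables."""
    env = {k: v for k, v in parent_env.items() if k in PRESERVED} if sanitize else dict(parent_env)
    out = subprocess.run([sys.executable, "-c", HOOK], env=env,
                         capture_output=True, text=True, check=True)
    return json.loads(out.stdout)

def demo():
    """Return the hook's report without and with environment sanitization."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "db.sqlite3")
        make_db(db_path, "constructed-token")  # constructed sample value
        parent = {**os.environ, "API_TOKEN": "constructed-token",
                  "DATABASE_URI": "sqlite:///" + db_path}
        return run_hook(parent, sanitize=False), run_hook(parent, sanitize=True)

if __name__ == "__main__":
    print(demo())
```

The hook reports only the source of the token, so the secret does not end up in scheduler logs when this pattern is used for troubleshooting.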
