pin cryptography

Dockerfile

@@ -131,7 +131,7 @@ RUN \
     certbot-dns-transip \
     certbot-dns-vultr \
     certbot-plugin-gandi \
-    cryptography \
+    cryptography==42.0.7 \
     future \
     requests && \
   echo "**** enable OCSP stapling from base ****" && \

Dockerfile.aarch64

@@ -131,7 +131,7 @@ RUN \
     certbot-dns-transip \
     certbot-dns-vultr \
     certbot-plugin-gandi \
-    cryptography \
+    cryptography==42.0.7 \
     future \
     requests && \
   echo "**** enable OCSP stapling from base ****" && \

root/defaults/etc/letsencrypt/renewal-hooks/deploy/10-default

@@ -1,7 +1,9 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
+# Notice: This file will be overwritten when updated by lsio. Add your custom scripts into a new file in this folder.
 
 cd /config/keys/letsencrypt || exit 1
+echo "**** Generating pfx and fullchain bundle certs ****"
 openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
 sleep 1
 cat {privkey,fullchain}.pem >priv-fullchain-bundle.pem

root/defaults/etc/letsencrypt/renewal-hooks/post/10-nginx

@@ -1,15 +1,18 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
+# Notice: This file will be overwritten when updated by lsio. Add your custom scripts into a new file in this folder.
 
 # shellcheck source=/dev/null
 . /config/.donoteditthisfile.conf
 
 if [[ ! "${ORIGVALIDATION}" = "dns" ]] && [[ ! "${ORIGVALIDATION}" = "duckdns" ]]; then
     if pgrep -f "s6-supervise svc-nginx" >/dev/null; then
+        echo "**** Starting Nginx ****"
         s6-svc -u /run/service/svc-nginx
     fi
 else
     if pgrep -f "nginx:" >/dev/null; then
+        echo "**** Reloading Nginx to load the new cert ****"
         s6-svc -h /run/service/svc-nginx
     fi
 fi

root/defaults/etc/letsencrypt/renewal-hooks/pre/10-nginx

@@ -1,11 +1,13 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
+# Notice: This file will be overwritten when updated by lsio. Add your custom scripts into a new file in this folder.
 
 # shellcheck source=/dev/null
 . /config/.donoteditthisfile.conf
 
 if [[ ! "${ORIGVALIDATION}" = "dns" ]] && [[ ! "${ORIGVALIDATION}" = "duckdns" ]]; then
     if pgrep -f "nginx:" >/dev/null; then
+        echo "**** Stopping Nginx in preparation of cert generation/renewal ****"
         s6-svc -d /run/service/svc-nginx
     fi
 fi

root/etc/s6-overlay/s6-rc.d/init-certbot-config/run

@@ -68,14 +68,9 @@ lsiown -R abc:abc /config/dns-conf
 
 # copy default renewal hooks
 chmod -R +x /defaults/etc/letsencrypt/renewal-hooks
-cp -nR /defaults/etc/letsencrypt/renewal-hooks/* /config/etc/letsencrypt/renewal-hooks/ 2> >(grep -v 'cp: not replacing')
+cp -Rf /defaults/etc/letsencrypt/renewal-hooks/* /config/etc/letsencrypt/renewal-hooks/ 2> >(grep -v 'cp: not replacing')
 lsiown -R abc:abc /config/etc/letsencrypt/renewal-hooks
 
-# replace nginx service location in renewal hooks
-find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|/run/service/nginx|/run/service/svc-nginx|g' {} \;
-find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|/var/run/s6/services/nginx|/run/service/svc-nginx|g' {} \;
-find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|s6-supervise nginx|s6-supervise svc-nginx|g' {} \;
-
 # create original config file if it doesn't exist, move non-hidden legacy file to hidden
 if [[ -f "/config/donoteditthisfile.conf" ]]; then
     mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf