Update dependency go to v1.24.5

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [certbot](https://github.com/certbot/certbot) | major | `==3.3.0` -> `==4.0.0` |
| [certbot-dns-cloudflare](https://github.com/certbot/certbot) | major | `==3.3.0` -> `==4.0.0` |

---

### Release Notes

<details>
<summary>certbot/certbot (certbot)</summary>

### [`v4.0.0`](https://github.com/certbot/certbot/releases/tag/v4.0.0): Certbot 4.0.0

[Compare Source](https://github.com/certbot/certbot/compare/v3.3.0...v4.0.0)

##### Added

-   The --preferred-profile and --required-profile flags allow requesting a profile.
    https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/

##### Changed

-   Certificates now renew with 1/3rd of lifetime left (or 1/2 of lifetime left,
    if the lifetime is shorter than 10 days). This is a change from a hardcoded
    renewal at 30 days before expiration. The config field renew_before_expiry
    still overrides this default.

-   removed `acme.crypto_util._pyopenssl_cert_or_req_all_names`

-   removed `acme.crypto_util._pyopenssl_cert_or_req_san`

-   removed `acme.crypto_util.dump_pyopenssl_chain`

-   removed `acme.crypto_util.gen_ss_cert`

-   removed `certbot.crypto_util.dump_pyopenssl_chain`

-   removed `certbot.crypto_util.pyopenssl_load_certificate`

##### Fixed

-   Moved `RewriteEngine on` directive added during apache http01 authentication
    to the end of the virtual host, so that it overwrites any `RewriteEngine off`
    directives that already exist and allows redirection to the challenge URL.

More details about these changes can be found on our GitHub repo.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yNTIuMCIsInVwZGF0ZWRJblZlciI6IjM5LjI1Mi4wIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=-->

Reviewed-on: #52
Co-authored-by: Renovate Bot <renovate@mrmeeb.stream>
Co-committed-by: Renovate Bot <renovate@mrmeeb.stream>

.gitea/workflows/build-develop.yaml

@@ -1,88 +0,0 @@
-name: Build Image
-on:
-  push:
-    branches:
-      - 'develop'
-
-env:
-  TEST_TAG: mrmeeb/certbot-cron:test
-  FULL_TAG: git.mrmeeb.stream/mrmeeb/certbot-cron:develop
-
-jobs:
-  "Validate Image":
-    runs-on: [ubuntu-docker-latest, linux/amd64]
-    steps:
-      - name: Build locally
-        uses: docker/build-push-action@v5
-        with:
-          load: true
-          tags: ${{ env.TEST_TAG }}
-          provenance: false
-      - name: Test certificate issuing
-        id: test
-        run: |
-          # First create a volume
-          docker volume create ${{ gitea.sha }} && \
-          # Then issue a certificate
-          docker run --rm -v ${{ gitea.sha }}:/config -e STAGING=true -e EMAIL=${{ secrets.EMAIL }} -e DOMAINS=${{ gitea.sha }}.mrmeeb.stream -e PLUGIN=cloudflare -e CLOUDFLARE_TOKEN=${{ secrets.CLOUDFLARE_TOKEN }} -e ONE_SHOT=true -e GENERATE_DHPARAM=false ${{ env.TEST_TAG }} && \
-          # Then revoke it again
-          docker run --rm --entrypoint "/usr/bin/certbot" -v ${{ gitea.sha }}:/config ${{ env.TEST_TAG }} revoke --non-interactive --agree-tos --email ${{ secrets.EMAIL }} --staging --config-dir /config/letsencrypt --work-dir /config/.tmp --logs-dir /config/logs --cert-path /config/letsencrypt/live/${{ gitea.sha }}.mrmeeb.stream/fullchain.pem          
-      - name: Tidy up
-        if: always()
-        run: |
-          echo "Removing docker volume ${{ gitea.sha }}" && \
-          docker volume rm ${{ gitea.sha }}          
-      - name: Test Failure
-        uses: rjstone/discord-webhook-notify@v1
-        if: failure()
-        with:
-          severity: error
-          details: Test Failed!
-          webhookUrl: ${{ secrets.DISCORD_WEBHOOK }}
-          username: Gitea
-          avatarUrl: ${{ vars.RUNNER_ICON_URL }}
-  
-  "Publish Image":
-    runs-on: [ubuntu-docker-latest, linux/amd64]
-    needs: ["Validate Image"]
-    steps:
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Login to Gitea Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: git.mrmeeb.stream
-          username: ${{ env.GITHUB_ACTOR }}
-          password: ${{ secrets.GTCR_TOKEN }}
-      - name: Build and push
-        uses: docker/build-push-action@v5
-        with:
-          push: true
-          platforms: linux/amd64,linux/arm64
-          tags: ${{ env.FULL_TAG }}
-          provenance: false
-      - name: Build Failure
-        uses: rjstone/discord-webhook-notify@v1
-        if: failure()
-        with:
-          severity: error
-          details: Build Failed!
-          webhookUrl: ${{ secrets.DISCORD_WEBHOOK }}
-          username: Gitea
-          avatarUrl: ${{ vars.RUNNER_ICON_URL }}
-
-  "Notify":
-    runs-on: [ubuntu-docker-latest, linux/amd64]
-    needs: ["Validate Image", "Publish Image"]
-    steps:
-      - name: Notify of success
-        uses: rjstone/discord-webhook-notify@v1
-        if: success()
-        with:
-          severity: info
-          details: Build succeeded!
-          webhookUrl: ${{ secrets.DISCORD_WEBHOOK }}
-          username: Gitea
-          avatarUrl: ${{ vars.RUNNER_ICON_URL }}

.gitea/workflows/build-main.yaml

@@ -2,7 +2,7 @@ name: Build Image
 on:
   push:
     branches:
-      - 'main'
+      - 'master'
 
 env:
   TEST_TAG: mrmeeb/certbot-cron:test
@@ -12,9 +12,12 @@ jobs:
   "Validate Image":
     runs-on: [ubuntu-docker-latest, linux/amd64]
     steps:
+      - name: Checkout
+        uses: actions/checkout@v4
       - name: Build locally
         uses: docker/build-push-action@v5
         with:
+          context: .
           load: true
           tags: ${{ env.TEST_TAG }}
           provenance: false

.gitea/workflows/build-tagged-release.yaml

@@ -55,7 +55,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v4
         with: 
-          go-version: 1.22.2
+          go-version: 1.24.5
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v5
         with:

.gitea/workflows/test-pr.yaml

@@ -2,7 +2,7 @@ name: Test Pull Request
 on:
   pull_request:
     branches:
-      - 'main'
+      - 'master'
       - 'develop'
 
 env:

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.19.1 as base
+FROM alpine:3.22.0 AS base
 ARG TARGETARCH
 
 FROM base AS base-amd64
@@ -9,7 +9,7 @@ ENV S6_OVERLAY_ARCH=aarch64
 
 FROM base-${TARGETARCH}${TARGETVARIANT}
 
-ARG S6_OVERLAY_VERSION="3.1.6.2"
+ARG S6_OVERLAY_VERSION="3.2.1.0"
 
 # Core variables
 ENV PUID=1000
@@ -18,6 +18,9 @@ ENV TZ=UTC
 ENV GENERATE_DHPARAM=true
 ENV INTERVAL="0 */6 * * *"
 ENV ONE_SHOT=false
+ENV APPRISE_URL=
+ENV NOTIFY_ON_FAILURE=false
+ENV NOTIFY_ON_SUCCESS=false
 
 # Single domain
 ENV DOMAINS=
@@ -37,7 +40,7 @@ ENV CLOUDFLARE_TOKEN=
 ENV CERT_COUNT=1
 
 #Get required packages
-RUN apk update && apk add curl bash python3 py3-virtualenv procps tzdata nano shadow xz busybox-suid openssl
+RUN apk update && apk add curl bash python3 py3-virtualenv procps tzdata nano shadow xz busybox-suid openssl logrotate
 
 #Make folders
 RUN mkdir /config && \
@@ -59,18 +62,16 @@ RUN python3 -m venv /app/certbot/ && /app/certbot/bin/pip install --upgrade pip
 #Added additional pip steps to fix cython 3.0.0 issue - https://github.com/yaml/pyyaml/issues/601
 COPY requirements.txt /app/certbot/requirements.txt
 RUN apk add --no-cache --virtual .deps gcc python3-dev libc-dev libffi-dev && \
-    /app/certbot/bin/pip install wheel && \
+    /app/certbot/bin/pip install wheel setuptools && \
     /app/certbot/bin/pip install "Cython<3.0" pyyaml --no-build-isolation && \
     /app/certbot/bin/pip install -r /app/certbot/requirements.txt && \
-    ln -s /app/certbot/bin/certbot /usr/bin/certbot &&\
+    ln -s /app/certbot/bin/certbot /usr/bin/certbot && \
+    ln -s /app/certbot/bin/apprise /usr/bin/apprise && \
     apk del .deps
 
 COPY root /
 
-RUN chmod +x /container-init.sh && \
-    chmod +x /certbot-prepare.sh && \
-    chmod +x /certbot-renew.sh && \
-    chmod +x /check-one-shot.sh && \
+RUN chmod +x /container-init.sh /certbot-prepare.sh /check-one-shot.sh /renew-function.sh && \
     chown -R ${PUID}:${PGID} /app /config
 
 ENTRYPOINT [ "/init" ]

README.md

@@ -4,10 +4,9 @@ Dockerised Certbot that utilises cron to schedule creating and renewing SSL cert
 
 ## Tags
 
-|Tag    |Description|
-|-------|-----------|
-|latest |Latest image built from the main branch. Usually coincides with a tagged release.|
-|develop|Latest image built from the develop branch. Commits are made to the develop branch before being merged to main. Old versions of `develop` are removed after 14 days.|
+I use the [Feature Branch](https://www.atlassian.com/git/tutorials/comparing-workflows/feature-branch-workflow) workflow. The `latest` tag contains all of the latest changes that have been merged from individual feature branches. Feature branches are squashed into `master`.
+
+Pinned releases are created by creating a tag off `master` to capture the repo in a particular state. They are recommended for stability.
 
 ## Running
 
@@ -54,6 +53,9 @@ Core options to the container
 | GENERATE_DHPARAM | true (case-sensitive) | Generate Diffie-Hellman keys in /config/letsencrypt/keys |
 | INTERVAL | 0 */6 * * * | How often certbot attempts to renew the certificate. Cron syntax |
 | CERT_COUNT | 1 | How many certificates certbot will try to issue. [Details here](https://git.mrmeeb.stream/MrMeeb/certbot-cron-docker#multiple-certificates) |
+| APPRISE_URL | None | URL for Apprise notifications. [Syntax](https://github.com/caronc/apprise?tab=readme-ov-file#supported-notifications)
+| NOTIFY_ON_SUCCESS | false | Notify on a successful renewal attempt. Note that this isn't just when the cert is renewed, but on every renewal attempt. |
+| NOTIFY_ON_FAILURE | false | Notify on a failed renewal attempt.
 
 ### Certificate Options
 

renovate.json

@@ -4,6 +4,7 @@
     "major": {
         "dependencyDashboardApproval": true
     },
+    "minimumReleaseAge": "7 days",
     "customManagers": [
         {
         "customType": "regex",

requirements.txt

@@ -1,4 +1,5 @@
-# For pinning Certbot packages to then be parsed by Renovate
+# For pinning Python packages to then be parsed by Renovate
 
-certbot ==2.10.0
-certbot-dns-cloudflare ==2.10.0
+certbot ==4.1.1
+certbot-dns-cloudflare ==4.1.1
+apprise ==1.9.3

root/certbot-prepare.sh

@@ -46,9 +46,22 @@ function better_exit {
 
 }
 
+# Check APPRISE_URL is set if either NOTIFY_ON_SUCCESS or NOTIFY_ON_FAILURE are set
+if [ "${NOTIFY_ON_SUCCESS}" = "true" ] || [ "${NOTIFY_ON_FAILURE}" = "true" ] && [ -z "${APPRISE_URL}" ]; then
+
+    echo "You have notifications enabled but have not set APPRISE_URL. Please set APPRISE_URL and restart the container."
+    better_exit
+
+fi
+
 # Cleanup renew list and create it fresh, ready for commands to be run and added
-echo "#!/command/with-contenv bash" > /config/.renew-list.sh
-echo "" >> /config/.renew-list.sh
+echo "#!/command/with-contenv bash
+
+date
+echo \"Attempting to renew certificates\"
+source /renew-function.sh
+" > /config/.renew-list.sh
+chmod +x /config/.renew-list.sh
 
 # Create original config file to track changes to environmental variables
 if [ ! -f /config/.donoteditthisfile ]
@@ -306,14 +319,14 @@ function single_domain {
             echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY"
             ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging
             # Add to renewal list
-            echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging" >> /config/.renew-list.sh
+            echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging\"" >> /config/.renew-list.sh
             echo "Creation/renewal attempt complete"
         elif [ $STAGING = false ]
         then
             echo "Using production endpoint"
             ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini
             # Add to renewal list
-            echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini" >> /config/.renew-list.sh
+            echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini\"" >> /config/.renew-list.sh
             echo "Creation/renewal attempt complete"
         else
             echo "Unrecognised option for STAGING variable - check your configuration"
@@ -332,14 +345,14 @@ function single_domain {
             echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY"
             REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone --staging
             # Add to renewal list
-            echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone --staging" >> /config/.renew-list.sh
+            echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone --staging\"" >> /config/.renew-list.sh
             echo "Creation/renewal attempt complete"
         elif [ $STAGING = false ]
         then
             echo "Using production endpoint"
             REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone
             # Add to renewal list
-            echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone" >> /config/.renew-list.sh
+            echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone\"" >> /config/.renew-list.sh
             echo "Creation/renewal attempt complete"
         else
             echo "Unrecognised option for STAGING variable - check your configuration"
@@ -358,14 +371,14 @@ function single_domain {
             echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY"
             REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging
             # Add to renewal list
-            echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging" >> /config/.renew-list.sh
+            echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging\"" >> /config/.renew-list.sh
             echo "Creation/renewal attempt complete"
         elif [ $STAGING = false ]
         then
             echo "Using production endpoint"
             REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot
             # Add to renewal list
-            echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot" >> /config/.renew-list.sh
+            echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot\"" >> /config/.renew-list.sh
             echo "Creation/renewal attempt complete"
         else
             echo "Unrecognised option for STAGING variable - check your configuration"
@@ -631,7 +644,7 @@ echo \
                 ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging
                 # Add to renewal list
                 echo "## Certificate ${x}" >> /config/.renew-list.sh
-                echo "${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging" >> /config/.renew-list.sh
+                echo "renew \"${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging\"" >> /config/.renew-list.sh
                 echo ""  >> /config/.renew-list.sh
                 echo "Creation/renewal attempt complete"
             elif [ ${STAGING_MULTI} = false ]
@@ -640,7 +653,7 @@ echo \
                 ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini
                 # Add to renewal list
                 echo "## Certificate ${x}" >> /config/.renew-list.sh
-                echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini" >> /config/.renew-list.sh
+                echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini\"" >> /config/.renew-list.sh
                 echo ""  >> /config/.renew-list.sh
                 echo "Creation/renewal attempt complete"
             else
@@ -661,7 +674,7 @@ echo \
                 REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone --staging
                 # Add to renewal list
                 echo "## Certificate ${x}" >> /config/.renew-list.sh
-                echo "REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone --staging" >> /config/.renew-list.sh
+                echo "renew \"REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone --staging\"" >> /config/.renew-list.sh
                 echo ""  >> /config/.renew-list.sh
                 echo "Creation/renewal attempt complete"
             elif [ ${STAGING_MULTI} = false ]
@@ -670,7 +683,7 @@ echo \
                 REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone
                 # Add to renewal list
                 echo "## Certificate ${x}" >> /config/.renew-list.sh
-                echo "REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone" >> /config/.renew-list.sh
+                echo "renew \"REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone\"" >> /config/.renew-list.sh
                 echo ""  >> /config/.renew-list.sh
                 echo "Creation/renewal attempt complete"
             else
@@ -691,7 +704,7 @@ echo \
                 REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging
                 # Add to renewal list
                 echo "## Certificate ${x}" >> /config/.renew-list.sh
-                echo "REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging" >> /config/.renew-list.sh
+                echo "renew \"REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging\"" >> /config/.renew-list.sh
                 echo ""  >> /config/.renew-list.sh
                 echo "Creation/renewal attempt complete"
             elif [ ${STAGING_MULTI} = false ]
@@ -700,7 +713,7 @@ echo \
                 REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot
                 # Add to renewal list
                 echo "## Certificate ${x}" >> /config/.renew-list.sh
-                echo "REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot" >> /config/.renew-list.sh
+                echo "renew \"REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot\"" >> /config/.renew-list.sh
                 echo ""  >> /config/.renew-list.sh
                 echo "Creation/renewal attempt complete"
             else
@@ -754,6 +767,10 @@ else
     echo "CERT_COUNT varaible not recognised. It needs to be a value of 1 or greater."
 fi
 
+# Finish /config/.renew-list.sh now all certs have been added
+echo "
+echo \"Renewal attempts complete\"" >> /config/.renew-list.sh
+
 if [ $GENERATE_DHPARAM = true ] && [ ! -s /config/letsencrypt/keys/ssl-dhparams.pem ]
 then
     echo ""
@@ -769,7 +786,8 @@ if [ $ONE_SHOT == "true" ]; then
 
 elif [ $ONE_SHOT == "false" ]; then
 
-    echo "$INTERVAL /certbot-renew.sh >> /config/logs/renew.log" > /config/.crontab.txt
+    echo "$INTERVAL /config/.renew-list.sh >> /config/logs/renew.log
+    0 0 * * * logrotate -v --state /config/logs/logrotate.status /logrotate.conf" > /config/.crontab.txt
 
     echo ""
 

root/certbot-renew.sh

@@ -1,6 +0,0 @@
-#!/command/with-contenv bash
-# shellcheck shell=bash
-echo ''
-date
-echo "Attempting to renew certificates"
-bash /config/.renew-list.sh

root/check-one-shot.sh

@@ -4,6 +4,7 @@
 if [ $ONE_SHOT == "true" ]; then
 
     # Cleanly kill container by sending kill signal to supervisor process
-    kill 1
+    echo 0 > /run/s6-linux-init-container-results/exitcode
+    /run/s6/basedir/bin/halt
 
 fi

root/container-init.sh

@@ -31,7 +31,13 @@ TZ=${TZ}
 ONE_SHOT=${ONE_SHOT}
 INTERVAL=${INTERVAL}
 GENERATE_DHPARAM=${GENERATE_DHPARAM}
-CERT_COUNT=${CERT_COUNT}"
+CERT_COUNT=${CERT_COUNT}
+NOTIFY_ON_SUCCESS=${NOTIFY_ON_SUCCESS}
+NOTIFY_ON_FAILURE=${NOTIFY_ON_FAILURE}"
+if [ ! -z ${APPRISE_URL} ]; then
+echo \
+"APPRISE_URL=[hidden]"
+fi
 ## Send extra detail to logs if single certificate config
 if [ ${CERT_COUNT} == 1 ]; then
 echo \

root/etc/s6-overlay/s6-rc.d/cron/finish

@@ -1 +1,9 @@
-echo "$e" > /run/s6-linux-init-container-results/exitcode
+#!/command/with-contenv bash
+# shellcheck shell=bash
+
+if [ $ONE_SHOT == "false" ]; then
+
+    # Export exit code if not a ONE_SHOT
+    echo "$e" > /run/s6-linux-init-container-results/exitcode
+
+fi

root/etc/s6-overlay/s6-rc.d/logs/finish

@@ -1 +1,9 @@
-echo "$e" > /run/s6-linux-init-container-results/exitcode
+#!/command/with-contenv bash
+# shellcheck shell=bash
+
+if [ $ONE_SHOT == "false" ]; then
+
+    # Export exit code if not a ONE_SHOT
+    echo "$e" > /run/s6-linux-init-container-results/exitcode
+
+fi

root/logrotate.conf

@@ -0,0 +1,15 @@
+missingok
+
+/config/logs/letsencrypt.log {
+    daily
+    rotate 10
+    postrotate
+        find /config/logs -type f -regex '.*letsencrypt\.log\.\(.[2-9]\|[2-9].\|[1-9][0-9]\{2,\}\).*' -delete
+    endscript
+}
+
+/config/logs/renew.log {
+    rotate 5
+    size 100k
+    compress
+}

root/renew-function.sh

@@ -0,0 +1,27 @@
+function renew() {
+
+    #Variables:
+
+    #$1 = Certbot command
+
+    RENEWAL_DOMAINS=$(echo $1 | sed -r 's/.*\s-d\s(\S*).*/\1/')
+    CUSTOM_CA_PATH=$(echo $1 | sed -r 's/REQUESTS_CA_BUNDLE=(\S*)\s(.*)/\1/')
+    CERTBOT_COMMAND=$(echo $1 | sed -r 's/REQUESTS_CA_BUNDLE=(\S*)\s(.*)/\2/')
+
+    echo "Renewing certificate for ${RENEWAL_DOMAINS}"
+
+    echo "REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH} ${CERTBOT_COMMAND}" | bash
+
+    if [ $? = 0 ]; then
+        echo "Renewal attempt of certificate for ${RENEWAL_DOMAINS} succeeded"
+        if [ "${NOTIFY_ON_SUCCESS}" = "true" ]; then
+            apprise -b "Renewal of certificate for ${RENEWAL_DOMAINS} succeeded" ${APPRISE_URL}
+        fi
+    else
+        echo "Renewal attempt of certificate for ${RENEWAL_DOMAINS} failed"
+        if [ "${NOTIFY_ON_FAILURE}" = "true" ]; then
+            apprise -b "Renewal of certificate for ${RENEWAL_DOMAINS} failed" ${APPRISE_URL}
+        fi
+    fi
+
+}