LetsEncrypt certbot multiple renew-hooks

Yes, you can use multiple --renew-hook statements. Also use the -q flag so it emails you a blank notification until a renewal actually does occur. It also does not restart any of your services until a renewal occurs. This also attaches the log file to the email if you so desire.

I have a cron that runs a bash daily.

Inside my bash script (certbotrenew.sh) is simply this:

#!/bin/bash
cd /opt/certbot || exit 1
# Append certbot's output (errors included) to the log, then mail the log.
# The two steps run one after the other so the mail contains this run's output.
sudo ./certbot-auto renew --renew-hook "service postfix reload" --renew-hook "service dovecot restart" --renew-hook "service apache2 reload" -q >> /var/log/certbot-renew.log 2>&1
mail -s "CERTBOT Renewals" [email protected] < /var/log/certbot-renew.log
exit 0

and my cron is

00 20 * * 1 /bin/certbotrenew.sh

Some people question why I send an email regardless of whether anything happened; I just always like to know my daily crons are running.


Not sure if that's for newer versions only or not, but I hope someone will find it useful. When you have at least 1 domain added, certbot will create a "renewal-hooks" dir with 3 subdirs: "deploy", "post", "pre".

If you put any script into the "post" folder, it will be executed after renewal automatically. Don't forget to make it executable by adding +x to the script.

I'm using just one "001-restart-nginx.sh" with the following content:

#!/bin/bash
echo "ssl certs updated" && service nginx restart

/etc/letsencrypt/renewal-hooks/post/001-restart-nginx.sh

This way you don't have to manually supply --post-hook params with certain instructions at all.

On an actual renewal you will see something like this:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/<your-domain-name>/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: /etc/letsencrypt/renewal-hooks/post/001-restart-nginx.sh
Output from post-hook command 001-restart-nginx.sh:
ssl certs updated

You can also set hooks (and other options if you like) as global options in the file /etc/letsencrypt/cli.ini (see documentation) like this:

# Global config for letsencrypt runs
#
# Note that these options apply automatically to all use of Certbot for
# obtaining or renewing certificates, so options specific to a single
# certificate on a system with several certificates should not be placed
# here.

renew-hook = service postfix reload
post-hook = service nginx reload

You must create the file first on most systems; Letsencrypt comes without it.

You can also create a certificate-specific version in every renewal folder if you don't want to go global.
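As an added example (not code from the answers above), here is a deploy hook of the kind that would live in the "deploy" subdirectory. It uses the RENEWED_LINEAGE and RENEWED_DOMAINS variables that certbot exports to deploy/renew hooks, so only the services that actually serve a renewed domain get reloaded, and each service's configuration is syntax-checked before the reload so a broken config is logged rather than taking the service down. The path /etc/letsencrypt/renewal-hooks/deploy/10-reload-services and the domain-to-service mapping are assumptions to adapt per host.

```shell
#!/bin/sh
# Added example deploy hook (assumed path: /etc/letsencrypt/renewal-hooks/deploy/10-reload-services,
# made executable with chmod +x). certbot sets RENEWED_LINEAGE (the live/<name> directory)
# and RENEWED_DOMAINS (space-separated domains) when it runs deploy/renew hooks.

# Which services serve a given certificate domain (constructed mapping; adjust per host).
services_for_domain() {
    case "$1" in
        mail.example.org)            echo "postfix dovecot" ;;
        example.org|www.example.org) echo "nginx" ;;
        *)                           echo "" ;;
    esac
}

# De-duplicated, space-separated list of services for every domain in $1.
services_for_domains() {
    out=""
    for d in $1; do
        for s in $(services_for_domain "$d"); do
            case " $out " in
                *" $s "*) ;;                    # already listed
                *) out="$out${out:+ }$s" ;;
            esac
        done
    done
    printf '%s' "$out"
}

# Syntax-check a service's configuration before reloading it.
config_ok() {
    case "$1" in
        nginx)   nginx -t >/dev/null 2>&1 ;;
        apache2) apachectl configtest >/dev/null 2>&1 ;;
        postfix) postfix check >/dev/null 2>&1 ;;
        dovecot) doveconf -n >/dev/null 2>&1 ;;
        *)       return 0 ;;                    # no checker known; reload anyway
    esac
}

# Reload one service, logging success or a failed config check to syslog.
reload_service() {
    if config_ok "$1"; then
        service "$1" reload && logger -t certbot-hook "reloaded $1 after renewal of ${RENEWED_LINEAGE:-?}"
    else
        logger -t certbot-hook -p user.err "config check failed for $1; NOT reloading"
        return 1
    fi
}

# Only act when certbot invoked us as a hook (RENEWED_DOMAINS is set); sourcing the
# file elsewhere just defines the functions without side effects.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
    rc=0
    for svc in $(services_for_domains "$RENEWED_DOMAINS"); do
        reload_service "$svc" || rc=1
    done
    exit $rc
fi
```

A non-zero exit from the hook shows up in certbot's output and in the log the cron job writes, which is where a failed config check is meant to be noticed.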


From what I saw of a fresh installation of CertBot on Ubuntu 16.04, it creates a cron job:

# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --pre-hook '/bin/run-parts /etc/letsencrypt/pre-hook.d/' --post-hook '/bin/run-parts /etc/letsencrypt/post-hook.d/' --renew-hook '/bin/run-parts /etc/letsencrypt/renew-hook.d/'

So it executes run-parts on several directories, including /etc/letsencrypt/renew-hook.d/.

You just need to add an executable file to any of those hook directories (pick the one you need).

As an example, in my renew-hook.d I created a file restart-nginx with the following content:

#!/bin/bash
/etc/init.d/nginx restart

As a note: you can see which files will be called by run-parts using the --test option (for example: run-parts --test /etc/letsencrypt/renew-hook.d/).
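The run-parts --test check above matters because run-parts is pickier than certbot's own renewal-hooks directory: in its default mode it runs only executable files whose names consist of ASCII letters, digits, underscores and hyphens, so a hook named restart-nginx.sh dropped into renew-hook.d is skipped without any message. As an added example (not from the answer above), this script audits a hook directory the way run-parts would see it and reports why a file would not run; the file names used in it are constructed.

```shell
#!/bin/sh
# Added example: report which files in a run-parts hook directory would actually run.
LC_ALL=C
export LC_ALL

# run-parts' default name rule: only ASCII letters, digits, '_' and '-' are allowed,
# so a dot (as in restart-nginx.sh) makes the file ineligible.
runparts_name_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *)                    return 0 ;;
    esac
}

# Classify one hook file: runs | skipped-name | skipped-not-executable | skipped-both
hook_status() {
    f="$1"
    name_ok=0
    exec_ok=0
    runparts_name_ok "$(basename "$f")" && name_ok=1
    [ -x "$f" ] && exec_ok=1
    if [ "$name_ok" -eq 1 ] && [ "$exec_ok" -eq 1 ]; then
        echo "runs"
    elif [ "$name_ok" -eq 0 ] && [ "$exec_ok" -eq 0 ]; then
        echo "skipped-both"
    elif [ "$name_ok" -eq 0 ]; then
        echo "skipped-name"
    else
        echo "skipped-not-executable"
    fi
}

# Print "<status> <path>" for every entry in a hook directory.
audit_hook_dir() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue             # empty directory: the glob stays literal
        printf '%s %s\n' "$(hook_status "$f")" "$f"
    done
}

# Usage when run directly: audit_hook_dir /etc/letsencrypt/renew-hook.d (assumed path)
if [ -n "${1:-}" ]; then
    audit_hook_dir "$1"
fi
```

Compare the output with run-parts --test on the same directory; any file reported as skipped-name is one that certbot's own renewal-hooks directories would accept but the packaged cron job's run-parts wrappers will not.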
