Oh, I missed that! Yes, I think the script's use of --deploy-hook is appropriate.

@kali, the idea of the --deploy-hook is that usually certbot renew will not renew your certificate (because it will decide that your certificate has enough validity time left that it doesn't need to be renewed yet), so --deploy-hook provides a script that Certbot runs only in the minority of cases where the certificate was, in fact, renewed. Whatever actions need to be taken in that case can be specified there.

If you put something like service nginx reload in the cron task, then nginx would be reloaded whenever the cron task runs, even if it was unnecessary because no certificate renewal took place.

The Certbot developers intended for certbot renew to be run very often (twice per day is suggested!), because it doesn't attempt renewals until it's "necessary". That way you don't have to choose a time to schedule your renewal for; the renewal schedule is based on the current certificates' expiration time rather than on a schedule manually chosen by the user.
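As an added illustration of the point above (this is example code, not the poster's script or anything from the Certbot project): the wrong crontab line reloads nginx on every run, the right one hands the reload to a deploy hook that Certbot only executes after a certificate was actually issued. Certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks; the hook below uses RENEWED_DOMAINS to reload nginx only when one of the renewed names is one nginx serves. The hook path, the list of served domains, and the example.com names are assumptions made up for the demonstration.

```shell
#!/bin/sh
# Hypothetical deploy hook: /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
#
# Crontab comparison (both lines are examples):
#   wrong: nginx reloads every run, renewed or not
#     0 */12 * * * root certbot renew -q && systemctl reload nginx
#   right: the reload is attached to the renewal itself
#     0 */12 * * * root certbot renew -q --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
#
# Certbot sets RENEWED_LINEAGE (the live/<name> directory) and
# RENEWED_DOMAINS (space-separated names) when it runs a deploy hook.

# Domains this nginx instance actually serves (assumed list for the example).
NGINX_SERVED_DOMAINS="www.example.com example.com"

# Return 0 if any domain in $1 (space-separated) appears in $2 (space-separated).
renewed_domain_served() {
    renewed="$1"
    served="$2"
    for d in $renewed; do
        for s in $served; do
            [ "$d" = "$s" ] && return 0
        done
    done
    return 1
}

# Reload only after a config test passes, so a broken config is reported
# by the hook rather than leaving nginx on the old certificate silently.
reload_nginx() {
    nginx -t >/dev/null 2>&1 && systemctl reload nginx
}

main() {
    if renewed_domain_served "$RENEWED_DOMAINS" "$NGINX_SERVED_DOMAINS"; then
        echo "renewed ${RENEWED_LINEAGE:-?} covers an nginx domain, reloading"
        reload_nginx
    else
        echo "renewed ${RENEWED_DOMAINS} not served by nginx, nothing to do"
    fi
}

# Only act when invoked by certbot (RENEWED_DOMAINS set); otherwise just
# define the functions so the file can be sourced or tested.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
    main
fi
```

Because Certbot also records --deploy-hook in the lineage's renewal configuration, you can alternatively drop the script into /etc/letsencrypt/renewal-hooks/deploy/ and omit the flag; either way the reload happens only on a real renewal.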