Can I use deploy-hook for cert generation and cert renewal?

Currently, I am testing certificate generation and renewal. If I use a deploy hook for cert generation, sometimes I get the CERTBOT_DOMAIN variable set to a domain name, and sometimes it is empty.

  1. Can I use --deploy-hook for cert generation? If yes, why am I sometimes not getting a $CERTBOT_DOMAIN value? If no, what hook can I use after successful cert generation?

BTW, one more thing I identified: sometimes --deploy-hook gets called and sometimes not. What is the issue?

Hi @sandeep.machiraju

Your setup is unclear, so it's unclear why there are differences.

Why not?

Check

https://certbot.eff.org/docs/using.html

to see the possible parameters.

If you use --dry-run, --deploy-hook isn't called.


Thanks for the reply.

I have two hooks:
manual-auth-hook to add a TXT record at the DNS provider (I am using GoDaddy).
deploy-hook to apply the generated certs to my actual web application (which resides in a different place) and also convert them to different formats (e.g. PFX).

In that deploy-hook I am using the $CERTBOT_DOMAIN variable to get the domain name and use it for conversion/applying. Sometimes I get an empty value in that $CERTBOT_DOMAIN variable. And also sometimes that deploy-hook is not even getting called. I logged entry and exit of the deploy hook; sometimes nothing gets logged. That's how I found out there are two issues: one is that the hook is not getting called, and the other is that $CERTBOT_DOMAIN gets a null value.

You can’t use $CERTBOT_DOMAIN in a deploy hook because the thing that’s being deployed is not a domain but a certificate - which might cover several domains. The list of domains is in the $RENEWED_DOMAINS variable, separated by spaces if there’s more than one.

The filenames are $RENEWED_LINEAGE/fullchain.pem, $RENEWED_LINEAGE/privkey.pem etc.

(This is all documented in more detail on the link @JuergenAuer posted above).


Thanks for your reply, I appreciate it. BTW, I am using $RENEWED_DOMAINS, which has a list of domains (in my case it is one domain). I am looping through the $RENEWED_DOMAINS variable and doing my applying/conversion work. What exactly will $RENEWED_LINEAGE give me in that loop? Is it the /etc/letsencrypt//live/.pem path (meaning all the cert files) as a value?

BTW, is there any way to test --deploy-hook with --dry-run (staging environment)? Because I am using a script, I want to test it end to end.

Thanks for the reply. I appreciate it.

The full path to the directory containing the symlinks to the latest pem files. That is, $RENEWED_LINEAGE gives you the directory e.g. /etc/letsencrypt/live/example.com and you have to add /fullchain.pem or /privkey.pem etc to get the file you want.

Not with --dry-run because that doesn't save a certificate, which the deploy hook needs. You can use --staging instead - but beware that you might end up accidentally installing invalid certificates from the staging environment on your live site.
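Putting the two answers above together (the hook gets $RENEWED_LINEAGE and $RENEWED_DOMAINS rather than $CERTBOT_DOMAIN, and a --staging run can hand you a certificate you must not install), here is an added example of a deploy hook written for this thread; it is not certbot's code and not the original poster's script. It assumes the web application accepts a PKCS#12 bundle, that the output directory, log file and password file paths (overridable through the DEPLOY_HOOK_* variables) are yours to choose, and relies on the fact that Let's Encrypt's staging issuers carry "(STAGING)" in their issuer name. The hook refuses to run when certbot did not set RENEWED_LINEAGE (which is exactly what a --dry-run looks like from the hook's side), checks that the certificate actually covers every name in RENEWED_DOMAINS, refuses staging certificates, and reads the PFX password from a file instead of the command line so it is not visible in `ps`:

```shell
#!/bin/sh
# deploy-hook.sh: run by certbot via --deploy-hook after a certificate is
# issued or renewed. certbot exports RENEWED_LINEAGE (the live directory,
# e.g. /etc/letsencrypt/live/example.com) and RENEWED_DOMAINS (names in the
# certificate, separated by spaces). Nothing else is passed to the hook.
set -eu

# Assumed locations for this example; override with environment variables.
out_dir()   { printf '%s' "${DEPLOY_HOOK_OUT:-/var/lib/deploy-hook}"; }
log_file()  { printf '%s' "${DEPLOY_HOOK_LOG:-/var/log/deploy-hook.log}"; }
# Password file (mode 0600) for the .pfx; "-passout pass:..." would expose it in ps.
pass_file() { printf '%s' "${DEPLOY_HOOK_PASS_FILE:-/etc/deploy-hook/pfx.pass}"; }

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$(log_file)"; }

# Refuse to run unless certbot provided a lineage, at least one domain, and
# both PEM files exist. An unset RENEWED_LINEAGE means this is not a real
# deploy-hook invocation (a --dry-run never calls deploy hooks at all).
check_env() {
    [ -n "${RENEWED_LINEAGE:-}" ] || { echo "RENEWED_LINEAGE unset" >&2; return 1; }
    [ -n "${RENEWED_DOMAINS:-}" ] || { echo "RENEWED_DOMAINS empty" >&2; return 1; }
    for f in fullchain.pem privkey.pem; do
        [ -r "$RENEWED_LINEAGE/$f" ] || { echo "missing $RENEWED_LINEAGE/$f" >&2; return 1; }
    done
}

# Number of names in RENEWED_DOMAINS (deliberately unquoted: split on spaces).
domain_count() { set -- ${RENEWED_DOMAINS:-}; echo $#; }

# Let's Encrypt staging issuers all carry "(STAGING)" in their name; such a
# certificate must never be deployed to a production listener.
is_staging_cert() { openssl x509 -in "$1" -noout -issuer | grep -q '(STAGING)'; }

# Check that the leaf certificate's subjectAltName lists the given DNS name.
cert_covers_domain() {  # $1 = cert file, $2 = domain
    openssl x509 -in "$1" -noout -text | grep -qE "DNS:$2(,|\$)"
}

# Bundle chain and private key into a PKCS#12 file; umask 077 because the
# bundle contains the private key (subshell so the umask does not leak).
make_pfx() {  # $1 = lineage dir, $2 = output path
    ( umask 077 && openssl pkcs12 -export \
        -in "$1/fullchain.pem" -inkey "$1/privkey.pem" \
        -out "$2" -passout "file:$(pass_file)" )
}

run_hook() {
    check_env
    log "deploy-hook start lineage=$RENEWED_LINEAGE domains=$RENEWED_DOMAINS"
    cert="$RENEWED_LINEAGE/fullchain.pem"
    if is_staging_cert "$cert"; then
        log "refusing to deploy a staging certificate from $RENEWED_LINEAGE"; exit 1
    fi
    # One certificate covers all of RENEWED_DOMAINS; the loop only verifies
    # each name, which is where per-domain application steps would also go.
    for d in $RENEWED_DOMAINS; do
        cert_covers_domain "$cert" "$d" || { log "certificate does not cover $d"; exit 1; }
    done
    mkdir -p "$(out_dir)"
    pfx="$(out_dir)/$(basename "$RENEWED_LINEAGE").pfx"
    make_pfx "$RENEWED_LINEAGE" "$pfx"
    log "deploy-hook done: wrote $pfx"
}

# Only run when certbot is actually calling us; the file can be sourced otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then run_hook; fi
```

Invoke it with `certbot certonly --manual --manual-auth-hook /path/to/auth-hook.sh --deploy-hook /path/to/deploy-hook.sh ...`; the enter/exit log lines make it obvious when certbot did not call the hook at all (for example under --dry-run), and the staging check means an end-to-end test against --staging fails safely instead of installing an untrusted certificate.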
