Certbot deploy-hook

certbot 5.5.0 Ubuntu 22.04

I need to add a functionality to my otherwise working certbot installation.
I'm not sure what server it is running against, but in the certbot logfile I'm seeing traces of nginx. I ran a certbot renew --dry-run successfully right before.

For my mailserver I need to run a shell script that does some processing of the certificates and installs them into the mailserver environment. It's not as easy as letting some paths in a configuration file point to the pem files in /etc/letsencrypt/live/mydomain.

Rather, the privkey has to be converted to a different format and then injected together with the other certificates through a CLI dialog with the mailserver. This is done in a separate shell script.

So how do I get certbot to invoke this script right after the moment it has fetched the renewed certificates?

I have something like "deploy-hook" in mind, but where do I specify this?

That's the right hook for this.

There are options, but I would add that to Certbot's certificate renewal config file. The easiest way is with the reconfigure command, as we do not recommend modifying the config file by hand.

See: sudo certbot help reconfigure

I also suggest using an absolute path to ensure the renew environment finds it.

OK. I find

--deploy-hook DEPLOY_HOOK
Is DEPLOY_HOOK a path to the shell script? Or is it an entry in a configuration file?

I tried with /path/to/shell/script and got a dialog. I have 114 domains. I got an error message that only 100 were allowed.
I confined myself to the one it is actually about. certbot started and got me a certificate, which is not what I wanted. Probably it overwrote the existing one. Ah no, it created a new directory /etc/letsencrypt/live/mydomain-001

And I saw my script already being executed. Also not what I wanted. I thought I'd just tell certbot which action is to be called when the next update has to occur.

Hmm.

I compared the newly installed conf file with the old one, and the only differences seemed to be the lines

key_type = ecdsa
renew_hook = /path/to/my/script

while the old one only had

key_type=rsa

So would it be sufficient to add a line

renew_hook = /path/to/my/script

?

P.S. I found that I forgot the reconfigure command, which led to the creation of a new configuration.

P.P.S. The reconfigure command worked fine. And it did exactly the editing of the existing .conf file that I assumed above.

certbot reconfigure --deploy-hook /path/to/my/script

To reconfigure just one certificate config you can
certbot reconfigure --cert-name X --deploy-hook /path/to/my/script

Where X is the name of the Certbot certificate as shown by
certbot certificates

If you re-read the instructions shown by certbot help reconfigure, it may be clearer to you now 🙂
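For reference, a hook script of the kind this thread is about, as an added example and not the poster's script or anything from Certbot itself. The only Certbot facts it relies on are that a deploy hook runs once per lineage that was actually renewed and receives RENEWED_LINEAGE and RENEWED_DOMAINS in its environment; the mail host name, the target directory, the "combined PEM" conversion and the installer command are placeholders to swap for the real ones.

```shell
#!/bin/sh
# Certbot deploy hook for a mailserver. Added example, not the poster's script.
# certbot runs a deploy hook once per lineage that was actually renewed and
# exports two variables to it:
#   RENEWED_LINEAGE  e.g. /etc/letsencrypt/live/mydomain
#   RENEWED_DOMAINS  the names on that certificate, space separated
# Everything beyond that contract is an assumption for illustration: the mail
# host name, the target directory, the conversion and the installer command.
set -eu
# Files created by this script (staged key included) are never group/world readable.
umask 077

MAIL_DOMAIN="${MAIL_DOMAIN:-mail.example.com}"            # assumed host name
MAIL_CERT_DIR="${MAIL_CERT_DIR:-/var/lib/mailserver/tls}" # assumed target dir
# Command that feeds the staged file to the mailserver's CLI (placeholder).
# ':' is a no-op, so the script can be exercised without a mailserver.
MAIL_INSTALL_CMD="${MAIL_INSTALL_CMD:-:}"

log() { printf 'deploy-hook: %s\n' "$*" >&2; }

# Returns 0 if the renewed certificate covers the mail host, 1 otherwise.
# If --deploy-hook is set globally rather than with --cert-name, every lineage
# runs this script, so it must ignore renewals of unrelated certificates.
covers_mail_domain() {
    for d in $1; do
        [ "$d" = "$MAIL_DOMAIN" ] && return 0
    done
    return 1
}

# The "conversion" assumed here: one PEM file holding the private key followed
# by the chain, which is what some mail stacks import. Written via a temp file
# and a rename so a reader never sees a half-written key. Replace the body with
# the real transformation (an openssl call, for instance) as needed.
write_combined_pem() {
    key="$1"; chain="$2"; out="$3"
    [ -r "$key" ] && [ -r "$chain" ] || { log "cannot read $key or $chain"; return 1; }
    mkdir -p "$(dirname "$out")"
    cat "$key" "$chain" > "$out.tmp"
    mv -f "$out.tmp" "$out"
}

# Full hook logic, parameterised so it can be run outside certbot.
run_hook() {
    lineage="$1"; domains="$2"
    if ! covers_mail_domain "$domains"; then
        log "$lineage does not cover $MAIL_DOMAIN, nothing to do"
        return 0
    fi
    write_combined_pem "$lineage/privkey.pem" "$lineage/fullchain.pem" \
        "$MAIL_CERT_DIR/$MAIL_DOMAIN.pem"
    # Hand the staged file to the mailserver (placeholder command).
    $MAIL_INSTALL_CMD "$MAIL_CERT_DIR/$MAIL_DOMAIN.pem"
    log "installed renewed certificate for $MAIL_DOMAIN"
}

# Entry point when certbot invokes the script; without the certbot variables
# (e.g. when sourced for a dry test) only the functions are defined.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    run_hook "$RENEWED_LINEAGE" "${RENEWED_DOMAINS:-}"
fi
```

Register it with an absolute path, as suggested above (certbot reconfigure --cert-name X --deploy-hook /path/to/this/script), and exercise it before the next renewal by running it by hand with RENEWED_LINEAGE and RENEWED_DOMAINS set, or with certbot renew --dry-run, which runs deploy hooks only if --run-deploy-hooks is given.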