OK. I successfully called a hook script like this
/usr/local/sbin/certbot-auto renew --renew-hook “bash /root/bin/certbot_hook.sh” > /var/log/certbot.log
not sure that “bash …” is necessary.
and the hook script is like this:
ls -Art $BASE_CERTS_DIR/$RENEWED_DOMAINS/cert* | tail -n 1
ls -Art $BASE_CERTS_DIR/$RENEWED_DOMAINS/privkey* | tail -n 1
bash /usr/local/sbin/ssl.sh renew $RENEWED_DOMAINS $CERTFILE $KEYFILE
echo $RENEWED_DOMAINS “$DATE” >> /var/log/renew.log
ssl.sh is a homemade script who uses aws cli to update ELB certificates. I figured that I might use env variable to get certificate path … ok I’ll update that later, thanks for your helps. hope this can help someone else.