Certbot pre and post hooks


I’m a little bit confused about Certbot pre and post hooks. The documentation says that the “–pre-hook” and “–post-hook” run before and after every renewal attempt so as far as I understood that they both should run even when certificates aren’t due for renewal, am I wrong?

When I run

cerbot renew --dry-run --pre-hook /path/to/script.sh

or even
certboot renew --pre-hook /path/to/script.sh

I get “No hooks were run.”

What I would like to do is that I would like to run a script even if the certificate isn’t due.

Could you please help?

In this case "renewal attempt" refers to an occasion when Certbot tries to renew a certificate, not when it's run to consider whether or not to do so. (An "attempt" is called that because it could fail. :slight_smile:)

The main reason for this choice of behavior is probably that the most common use of these hooks is to start and stop web servers (for use with the standalone authenticator) or to restart a web server after the certificate has been updated. These behaviors would cause unnecessary downtime of services if they happened twice a day every day.

Maybe you could wrap the certbot renew call in your own shell script and then have that script run from cron or systemd instead of certbot renew? It could be as simple as


certbot renew

@schoen Thanks a lot for the informative reply! Now, it’s clear.

I agree with you on the definition of “attempt” and that is exactly why I was confused. When it’s written that pre and post hooks run before and after a renewal attempt and we know an attempt could fail, it means they should run even if the certificates don’t need to be renewed. I think it should be as clear as the deploy-hook explanation in the documentation.

Yes, a wrapper in this case is the solution.

Keep up the good work guys!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.