Hi, I use certbot -q renew in a cron job to renew expiring certificates whilst only producing output on renewal failures.
I would additionally like to have some output after each successful certificate renewal, without producing output when no certificate renewal is necessary.
Yes. Remove the "-q" which means "quiet". Try that for a bit. If you aren't getting enough output (unlikely) from that change, then add even more output with: -v -vv -vvv [add "v" until you see the amount of output that satisfies your need]
Currently (although I have no idea if this will change in the future), the output options for certbot are very limited. It's nothing, standard output or verbose. There are no options in between as far as I know.
You could use grep to filter out everything except errors and successful renewals, but it's a poor workaround I think.
--deploy-hook 'echo Certificate issued for $RENEWED_DOMAINS'
Then I don't know how highly they'd prioritize a feature request to add that for you. I haven't tried it, though, I don't know if it's actually that simple or if you need to actually make a deploy hook script file. (I haven't really played with certbot all that much myself.) Can't hurt to ask, though, I suppose.
Hmm, if it's louder than quiet mode, maybe call it whispering mode? Or mumbling mode? Just-trying-to-not-get-heard-by-the-teacher mode?
Then query certbot (at your convenience)...
Hey certbot what have you been up to lately?
[and it can tell you all that has been done since your last "conversation" - (queued and waiting for you)]
If they decide it's useful, it's probably not going to be implemented until the sea level has risen a few meters, even if a full PR was filed. Personally, I'm not going to put in any effort into certbot any longer to be honest.
I wished for the same thing but did not bother with a request. There are various work-arounds such as something like petercooperjr described. You could also write your own script to analyze the cert files once/day and let you know when they are fresh. Or, even parse the x509 details to assess the dates (rather than file dates). Or, write a program to control the certbot command and its output (various options). I did the latter but later migrated away from certbot for other reasons so am glad I did not make the request after all.
you get more detailed information through environment variables.
they are portable in the sense that it doesn't matter whether you run Certbot via crond or a systemd timer or invoking it some other way.
With changing certbot renew -q to report successes and not failures, it might be possible to change --quiet to allow it to be combined with leveled logging (-vvv) and then to tweak the renewal summary output to also show successes with e.g. certbot renew -q -vv. I'm not sure whether it's overall worth it though, depending on what benefit you are looking to gain from this.
Thanks for your reply, and yes, that's right. It is also true that I can do what I want via renewal hooks.
I suppose therefore it is more a (potentially) useful shorthand flag for people wanting some cron output for renewals without having to explicitly specify a renewal hook.
I opened a bug report for this if this is desirable, however I have no pressing need for this now I have a renewal hook in place.
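The deploy-hook approach discussed in this thread, written out as a script file. This is an added example, not code from any poster or from the certbot project. It relies on the RENEWED_DOMAINS and RENEWED_LINEAGE variables certbot sets for deploy hooks; the install path in the comment and the function name are assumptions.

```shell
#!/bin/sh
# Added example: deploy hook that emits one line per renewed certificate
# and nothing at all when no renewal happened.
# Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/report-renewal.sh
# The hook runs with certbot's privileges (usually root), so keep the file
# owned by root and not writable by group or others.

# renewal_summary (hypothetical helper name) builds the report line from the
# variables certbot exports to deploy hooks:
#   RENEWED_LINEAGE  live directory of the renewed certificate
#   RENEWED_DOMAINS  space-separated names on that certificate
renewal_summary() {
    lineage=${RENEWED_LINEAGE:-}
    domains=${RENEWED_DOMAINS:-}

    # Not invoked as a deploy hook: stay silent and report the misuse
    # through the exit status only.
    if [ -z "$lineage" ] || [ -z "$domains" ]; then
        return 1
    fi

    msg="Certificate renewed: $(basename "$lineage") ($domains)"

    # Take the expiry from the certificate itself rather than from file
    # timestamps. Skipped when the file or openssl is unavailable.
    cert="$lineage/cert.pem"
    if [ -r "$cert" ] && command -v openssl >/dev/null 2>&1; then
        end=$(openssl x509 -noout -enddate -in "$cert" 2>/dev/null | cut -d= -f2)
        if [ -n "$end" ]; then
            msg="$msg, expires $end"
        fi
    fi

    printf '%s\n' "$msg"
}

# Only act when certbot supplied the hook variables; running the script by
# hand prints nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    renewal_summary
fi
```

Whether this line appears in cron mail under -q depends on how certbot relays hook output at that verbosity. Piping the output of renewal_summary to a mailer or logger inside the hook avoids relying on it.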