"certbot -q renew" but also output on successful renewal

Hi, I use certbot -q renew in a cron job to renew expiring certificates whilst only producing output on renewal failures.

I would additionally like to have some output after each successful certificate renewal, without producing output when no certificate renewal is necessary.

Is this possible?

Yes.
Remove the "-q" which means "quiet".
Try that for a bit.
If you aren't getting enough output (unlikely) from that change, then add even more output with:
-v
-vv
-vvv
[add "v" until you see the amount of output that satisfies your need]

I do not want any output in the event that the certificate does not require renewal.

Unfortunately, no, I don't think so..

Currently (although I have no idea if this will change in the future), the output options for certbot are very limited. It's nothing, standard output or verbose. There are no options in between as far as I know.

You could use grep to filter out everything except errors and successful renewals, but it's a poor workaround I think.

Maybe you could file an issue as a feature request on the certbot issues page on GitHub?

Can you do something like keep certbot in quiet mode, but run a deploy-hook that has the notification you want when a new certificate is created?

Wow! I totally got your request backwards.

Thanks, that is probably the best solution for now. I will also file a feature request as suggested.

Beyond "quiet" mode = "stealth" mode!

Nah, not really Rudy. I think the idea here is quiet, but not that quiet..

If it's as simple as adding

--deploy-hook 'echo Certificate issued for $RENEWED_DOMAINS'

Then I don't know how highly they'd prioritize a feature request to add that for you. I haven't tried it, though, I don't know if it's actually that simple or if you need to actually make a deploy hook script file. (I haven't really played with certbot all that much myself.) Can't hurt to ask, though, I suppose.

Hmm, if it's louder than quiet mode, maybe call it whispering mode? Or mumbling mode? Just-trying-to-not-get-heard-by-the-teacher mode?

Only speak when you are spoken to mode - LOL

Then query certbot (at your convenience)...
Hey certbot what have you been up to lately?
[and it can tell you all that has been done since your last "conversation" - (queued and waiting for you)]

Probably not all that highly if I'm the only person to have considered a flag for this level of verboseness useful!

If they decide it's useful, it's probably not going to be implemented until the sea level has risen a few meters, even if a full PR was filed. Personally, I'm not going to put any effort into certbot any longer, to be honest.

I wished for the same thing but did not bother with a request. There are various work-arounds such as something like petercooperjr described. You could also write your own script to analyze the cert files once/day and let you know when they are fresh. Or, even parse the x509 details to assess the dates (rather than file dates). Or, write a program to control the certbot command and its output (various options). I did the latter but later migrated away from certbot for other reasons so am glad I did not make the request after all.

If I understand right: you would find renewal success output useful, when running Certbot through a cronjob.

Is this because you'd like to receive emails when renewals occur, or something else?

Renewal hooks are useful because:

  1. they are guaranteed not to change behavior (console output can change without notice)
  2. you get more detailed information through environment variables.
  3. they are portable in the sense that it doesn't matter whether you run Certbot via crond or a systemd timer or invoking it some other way.

With changing certbot renew -q to report successes and not failures, it might be possible to change --quiet to allow it to be combined with leveled logging (-vvv) and then to tweak the renewal summary output to also show successes with e.g. certbot renew -q -vv. I'm not sure whether it's overall worth it though, depending on what benefit you are looking to gain from this.


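A deploy hook along the lines suggested in this thread, as an added example that is not from any poster or from the certbot project. It builds the message from RENEWED_LINEAGE and RENEWED_DOMAINS, reads the new expiry from the certificate itself, and appends to a log named by NOTIFY_LOG, a variable made up for this example.

```shell
#!/bin/sh
# Constructed example of a certbot deploy hook; not certbot's own code.
# certbot runs a deploy hook once per renewed certificate and sets
# RENEWED_LINEAGE (live directory) and RENEWED_DOMAINS (space-separated).
# NOTIFY_LOG is a hypothetical variable introduced for this example.

renewal_message() {
    lineage=${RENEWED_LINEAGE:-}
    domains=${RENEWED_DOMAINS:-}
    if [ -z "$lineage" ] || [ -z "$domains" ]; then
        echo "renewal hook: RENEWED_LINEAGE or RENEWED_DOMAINS not set" >&2
        return 1
    fi
    printf 'Certificate renewed: %s\n' "$(basename "$lineage")"
    # One domain per line; set -f stops the shell from globbing a
    # wildcard name such as *.example.org while the list is split.
    set -f
    for d in $domains; do
        printf '  domain: %s\n' "$d"
    done
    set +f
    # Read the new expiry from the certificate rather than from file dates.
    cert="$lineage/cert.pem"
    if [ -r "$cert" ] && command -v openssl >/dev/null 2>&1; then
        expiry=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null | cut -d= -f2)
        if [ -n "$expiry" ]; then
            printf '  expires: %s\n' "$expiry"
        fi
    fi
}

notify_renewal() {
    msg=$(renewal_message) || return 1
    # Print for the caller and append to a log the hook controls itself.
    printf '%s\n' "$msg"
    if [ -n "${NOTIFY_LOG:-}" ]; then
        printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$msg" >> "$NOTIFY_LOG"
    fi
}

# Run only when certbot has invoked this file as a hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    notify_renewal
fi
```

Saved as an executable file (the path here is a placeholder), it would be passed as: certbot -q renew --deploy-hook /path/to/hook.sh. The thread does not establish whether quiet mode forwards a hook's stdout, so the log file is the part to rely on.
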
Thanks for your reply, and yes, that's right. It is also true that I can do what I want via renewal hooks.

I suppose therefore it is more a (potentially) useful shorthand flag for people wanting some cron output for renewals without having to explicitly specify a renewal hook.

I opened a bug report for this if this is desirable, however I have no pressing need for this now I have a renewal hook in place.

