Certbot reconfigure example for a specific case

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: LeslieRego.com

I ran this command: n/a

It produced this output: n/a

My web server is (include version): Apache/2.4.56 (Unix)

The operating system my web server runs on is (include version): macOS Sonoma 14.1 (23B74)

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.8.0


I have several certificates that expire at the same time and I need to apply a hook to just one of the many certificates, IF and ONLY IF that specific certificate renews successfully.

I have been searching for an example of some sensible use of "certbot reconfigure" to change the renewal specs for a specific certificate (leaving all other renewals for all other certificates as they are), but I'm not sure how to invoke a specific hook to change just ONE of my many certificates, to run a specific shell script.

Perhaps the differences between these two options are obvious to everyone else, but I can't quite figure the differences out:

--run-deploy-hooks

--deploy-hook DEPLOY_HOOK

I believe something like this might make some sense, but I'm not sure:

certbot reconfigure --cert-name example.com --deploy-hook /usr/local/alfredo/specificScript.sh

Any suggestions?

Thanks very much.

Alfredo

2 Likes

That command makes sense [to me too].
I would review the changes to the renewal config file.
[compare the before and the after config changes made by running that command]

3 Likes

The --deploy-hook runs for each issued cert even from the renew command.

By default, the --deploy-hook does not run when testing renew using --dry-run like:

certbot renew --dry-run --cert-name example.com

You can force that hook to run during dry-run test with --run-deploy-hooks. See the "testing:" section in the docs
https://eff-certbot.readthedocs.io/en/latest/using.html#certbot-command-line-options

2 Likes

Thanks to everyone's help, I solved my challenge with a slightly modified version of the advice by mivk in:

https://stackoverflow.com/questions/48078083/lets-encrypt-ssl-couldnt-start-by-error-eacces-permission-denied-open-et/54903098

Created shell script file here:

/usr/local/alfredo/specificScript.sh

with these two commands:

cp /etc/letsencrypt/live/example.com/{fullchain,privkey}.pem ~/Documents/certs_to_copy_from_letsencrypt/

chown alfredo ~/Documents/certs_to_copy_from_letsencrypt/*.pem

Made it executable:

chmod +x /usr/local/alfredo/specificScript.sh

Issued the certbot command in question:

sudo certbot reconfigure --cert-name example.com --deploy-hook /usr/local/alfredo/specificScript.sh

Success.

It was great to see that certbot nicely included this line in the renewal conf file:

renew_hook = /usr/local/alfredo/specificScript.sh

All the other renewal conf files for the other certificates were not touched.

This is, precisely, why I did NOT want to use --run-deploy-hooks (which applies ALL the hooks in the deploy directory to ALL the renewed certificates).

I needed finer granularity than that.

This worked perfectly for my case.

Certbot's feedback was very useful:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are attempting to set a --deploy-hook. Would you like Certbot to run deploy
hooks when it performs a dry run with the new settings? This will run all
relevant deploy hooks, including directory hooks, unless --no-directory-hooks is
set. This will use the current active certificate, and not the temporary test
certificate acquired during the dry run.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(R)un deploy hooks/(D)o not run deploy hooks: d
Simulating renewal of an existing certificate for example.com and 5 more domains

Successfully updated configuration.
Changes will apply when the certificate renews.


A thousand thanks!

Alfredo

2 Likes
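An added example, not the script from the post above, of how the per-certificate deploy hook can be written so it only acts on the intended lineage and never leaves the private key world-readable. It relies on certbot exporting RENEWED_LINEAGE (the /etc/letsencrypt/live/<cert-name> directory) to deploy hooks; the destination path, owner and cert name are assumed values matching the thread.

```shell
#!/bin/sh
# Added example (not from the thread): a deploy hook for one certificate.
# Certbot sets RENEWED_LINEAGE to the live/<cert-name> directory of the
# lineage that just renewed, so the hook can check it is the right one and
# copy from that directory instead of a hard-coded path.
set -eu

# copy_renewed_certs LINEAGE_DIR WANTED_NAME DEST_DIR OWNER
# Copies fullchain.pem and privkey.pem from LINEAGE_DIR into DEST_DIR only
# when the lineage's basename equals WANTED_NAME. Files are installed with
# mode 0600 and handed to OWNER, so the key is not readable by other users
# (a plain "cp" followed by "chown" would inherit umask-derived permissions).
# Returns 0 after copying, 2 when skipped because the lineage did not match.
copy_renewed_certs() {
    lineage="$1"; wanted="$2"; dest="$3"; owner="$4"
    if [ "$(basename "$lineage")" != "$wanted" ]; then
        echo "deploy hook: skipping $lineage (not $wanted)" >&2
        return 2
    fi
    mkdir -p "$dest"
    chmod 0700 "$dest"
    for f in fullchain.pem privkey.pem; do
        # install sets the mode at creation; chown is separate so the
        # function also works when run as the owner itself (no root needed)
        install -m 0600 "$lineage/$f" "$dest/$f"
        chown "$owner" "$dest/$f"
    done
    return 0
}

# Only act when certbot invoked us as a deploy hook. An explicit destination
# path avoids "~", which resolves to the home of whichever user runs the hook.
# Assumed values: cert name, destination directory and owner from the thread.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_renewed_certs "$RENEWED_LINEAGE" "example.com" \
        "/Users/alfredo/Documents/certs_to_copy_from_letsencrypt" "alfredo"
fi
```

Registered with `certbot reconfigure --cert-name example.com --deploy-hook /path/to/this/script.sh`, the hook runs only for that lineage's successful renewals, and the basename check makes it harmless even if someone later drops it into the shared renewal-hooks/deploy directory.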

I am glad you got the reconfigure command working.

But, I don't think you understand what --run-deploy-hooks does. It only controls what happens with any already defined deploy hooks when running Certbot in test mode (like --dry-run).

But, yes, if you place a hook script in the deploy hooks folder rather than configuring it for a specific cert like you did then that hook script will run for each cert. The hook folder is useful when you want the same hook for each cert. In your case that would be the wrong choice. That is not related to the --run-deploy-hooks option though.

Please see the link to the docs I provided earlier if you want to understand those options in more detail.

3 Likes

Thanks very much for the clarification, @MikeMcQ.

It all makes sense now.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.