I’m trying to renew my certificate automatically using cron.d. The goal is to reload nginx after the certificate has been renewed. Renewal works just fine both with dry-run and without it. I also had post_hook = systemctl reload nginx in /etc/letsencrypt/renewal/example.com.conf under [renewalparams] section (site name changed).
The problem: nginx does not reload at all after renewal. In addition to that: after either the dry-run or the actual renewal, the post_hook row has been removed.
Have I misunderstood the purpose of [renewalparams]? Should I be able to define the post_hook there? Why does it get erased by certbot?
I’m running this on Ubuntu Server 16.10. Certbot version 0.8.1-2.
I think @rg305’s point might be the key to the mystery: part of the renewal process involves removing “irrelevant” renewal parameters, which includes unrecognized ones, which in turn makes renewal configuration files not backwards-compatible in some cases (because using newer options than Certbot recognizes means that those options will be discarded).
At the time of that release, post_hook was not on the whitelist:
By contrast, it is now:
So, probably this version of Certbot doesn’t know to save this configuration option, while a newer version would know to do so. (Good catch, @rg305!)
I haven’t been involved in downstream packaging conversations but I think a challenge overall is that Certbot has changed rather rapidly, sometimes in slightly backwards-incompatible ways, and fixed pretty large bugs in the course of just a year or so. The rate of change and instability has probably been faster than some of the distributions want for a long-term stable OS release, but at the same time there’s a lot of demand for an official Certbot package, because having an official way to get Let’s Encrypt certificates is quite useful.