Certbot renewal clearing renewalparams?

I’m trying to renew my certificate automatically using cron.d. The goal is to reload nginx after the certificate has been renewed. Renewal works just fine both with dry-run and without it. I also had post_hook = systemctl reload nginx in /etc/letsencrypt/renewal/example.com.conf under the [renewalparams] section (site name changed).

The problem: nginx does not reload at all after renewal. In addition to that: after either the dry-run or the actual renewal, the post_hook row has been removed.

Have I misunderstood the purpose of [renewalparams]? Should I be able to define the post_hook there? Why does it get erased by certbot?

I’m running this on Ubuntu Server 16.10. Certbot version 0.8.1-2.

Hi @Paapaa,

Is your renewal command certbot renew, or did you try to renew with some form of certbot certonly?

Can/should this be updated?

The actual command in cron.d was test -x /usr/bin/certbot && certbot -q renew.

I think @rg305’s point might be the key to the mystery: part of the renewal process involves removing “irrelevant” renewal parameters, which includes unrecognized ones, which in turn makes renewal configuration files not backwards-compatible in some cases (because using newer options than Certbot recognizes means that those options will be discarded).

At the time of that release, post_hook was not on the whitelist:

By contrast, it is now:

So, probably this version of Certbot doesn’t know to save this configuration option, while a newer version would know to do so. (Good catch, @rg305!)
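As an added example (not from the thread or from Certbot itself), a small POSIX shell check for the behaviour described above: it reads a key from the [renewalparams] section of a renewal config and reports whether the key survives a renew run. The sample config and the old_certbot_rewrite stand-in are constructed; against a real install you would pass the actual renew command instead.

```shell
# Added example, not from the thread or from Certbot: check whether a key in the
# [renewalparams] section of a renewal config survives a renew run. Older
# Certbot (0.8.x, per the thread) rewrote the file without post_hook because
# that key was not on its whitelist of recognised renewal parameters.

# Print the value of KEY from the [renewalparams] section of CONF (empty if absent).
renewalparam() {
    conf="$1"; key="$2"
    awk -v key="$key" '
        /^\[/ { inparams = ($0 == "[renewalparams]"); next }
        inparams && $0 ~ ("^" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$conf"
}

# Run the renewal command given as the remaining arguments, then report whether
# KEY in CONF still has its previous value: 0 survived, 1 discarded, 2 command failed.
param_survives() {
    conf="$1"; key="$2"; shift 2
    before=$(renewalparam "$conf" "$key")
    "$@" || return 2
    after=$(renewalparam "$conf" "$key")
    [ -n "$before" ] && [ "$after" = "$before" ]
}

# Constructed sample, modelled on /etc/letsencrypt/renewal/example.com.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
version = 0.8.1
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem

[renewalparams]
authenticator = webroot
post_hook = systemctl reload nginx
EOF
}

# Stand-in for an old Certbot that rewrites the file without unknown keys.
# Against a real install you would pass e.g.: certbot renew --dry-run
old_certbot_rewrite() { sed '/^post_hook/d' "$1" > "$1.tmp" && mv "$1.tmp" "$1"; }
conf=$(mktemp)
write_sample_conf "$conf"
if param_survives "$conf" post_hook old_certbot_rewrite "$conf"; then
    echo "post_hook survived the renewal run"
else
    echo "post_hook was discarded: this Certbot does not keep it; upgrade as in the thread"
fi
rm -f "$conf"
```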

Thanks!

Is there a reason Ubuntu (Server) 16.10 ships with such an old version? Or have I done something that prevents apt from updating to a newer one? Can I check this somehow?

I’m not sure! We do also have an autoupdating version that works outside of an OS package manager, called certbot-auto.

The bit down below there about using --webroot and so on is not applicable; it’s just because I linked to the part of the documentation that refers to minimally supported OS environments.

Fixed this by adding the certbot PPA. Now it provides a recent (0.14.2-1…) version of certbot and I guess things will go smoothly next time the certificate needs to be renewed.

Great! Sorry about the trouble.

I haven’t been involved in downstream packaging conversations but I think a challenge overall is that Certbot has changed rather rapidly, sometimes in slightly backwards-incompatible ways, and fixed pretty large bugs in the course of just a year or so. The rate of change and instability has probably been faster than some of the distributions want for a long-term stable OS release, but at the same time there’s a lot of demand for an official Certbot package, because having an official way to get Let’s Encrypt certificates is quite useful.
