Certbot renewal failed after trying multiple options

Sure, the best practice is not to move but to copy the files to wherever you need them. If you write a .sh script to do this and any other tasks that are necessary after renewing the certificate (e.g. restarting the container application), you can use certbot's --deploy-hook option to run that script automatically after each renewal. Example:

certbot renew --force-renewal --cert-name api.xx.xx --deploy-hook /path/to/your/script.sh

(Important: you only need to do this once - once it's done, certbot will update the /etc/letsencrypt/renewal/api.xx.xx.conf file with the new options and run your script automatically next time. Do not add these additional options, especially --force-renewal, to any cron jobs or systemd timers.)

Alternatively, if you want to avoid an unnecessary early renewal and you're comfortable editing certbot's config files manually, you can add the option directly to /etc/letsencrypt/renewal/api.xx.xx.conf yourself instead - in the [renewalparams] section:

renew_hook = /path/to/your/script.sh

3 Likes
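A deploy hook along the lines described in the post above, as an added example that is not part of the original post or of certbot itself: it copies (never moves) the renewed files out of the lineage directory with an atomic rename and a 0600 private key, then restarts the application. The destination `/srv/app/certs` and the command `docker restart my-api` are assumed values; `RENEWED_LINEAGE` is the variable certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example deploy hook. DEST_DIR and RESTART_CMD are assumptions: adjust them.
set -eu

DEST_DIR="${DEST_DIR:-/srv/app/certs}"               # assumed path read by the container
RESTART_CMD="${RESTART_CMD:-docker restart my-api}"  # assumed container name

# Write to a temp file in the destination directory, then rename it into place,
# so the application never reads a half-written certificate or key.
install_atomic() {   # usage: install_atomic MODE SRC DEST
    tmp="$3.tmp.$$"
    install -m "$1" "$2" "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$3"
}

# Copy fullchain.pem and privkey.pem out of a certbot lineage directory.
# The files under live/ are symlinks into archive/; install copies the
# targets, and the originals stay where certbot expects them.
deploy_cert() {      # usage: deploy_cert LINEAGE_DIR DEST_DIR
    lineage=$1
    dest=$2
    for f in fullchain.pem privkey.pem; do
        [ -s "$lineage/$f" ] || { echo "missing or empty: $lineage/$f" >&2; return 1; }
    done
    mkdir -p "$dest" || return 1
    install_atomic 0600 "$lineage/privkey.pem"   "$dest/privkey.pem"   || return 1
    install_atomic 0644 "$lineage/fullchain.pem" "$dest/fullchain.pem" || return 1
}

# Runs only when certbot invokes the script as a deploy hook; certbot sets
# RENEWED_LINEAGE to the live directory of the renewed certificate.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    umask 077
    deploy_cert "$RENEWED_LINEAGE" "$DEST_DIR"
    $RESTART_CMD   # restart only after both files were copied successfully
fi
```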

Actually, in the conf file it is spelled differently than on the command line:

renew_hook = /path/to/your/script.sh

4 Likes

Oops! Corrected, thanks.

2 Likes