Sure, the best practice is not to move but to copy the files to wherever you need them. If you write a .sh script to do this and any other tasks that are necessary after renewing the certificate (e.g. restarting the container application), you can use certbot's --deploy-hook
option to run that script automatically after each renewal. Example:
certbot renew --force-renewal --cert-name api.xx.xx --deploy-hook /path/to/your/script.sh
(Important: you only need to do this once - once it's done, certbot will update the /etc/letsencrypt/renewal/api.xx.xx.conf
file with the new options and run your script automatically next time. Do not add these additional options, especially --force-renewal
, to any cron jobs or systemd timers.)
Alternatively, if you want to avoid an unnecessary early renewal and you're comfortable editing certbot's config files manually, you can add the option directly to /etc/letsencrypt/renewal/api.xx.xx.conf
yourself instead - in the [renewalparams]
section:
renew_hook = /path/to/your/script.sh