Certbot (systemd) - Is it possible to run a hook script every time certbot renews the ssl certificate?

Hello everyone, in previous versions, Certbot renewed the certificate through a CRON record, and it was possible to know exactly when the renewal would be executed, so we put the hook script to also be executed via CRON, a few minutes after the renewal execution from Certbot.

However, now we install Certbot via the snap manager, and it seems that the certificate renewal is done through the systemd service created for it, "/etc/systemd/system/snap.certbot.renew.service". Is that right, or am I mistaken?

What would be the best way for us to have Certbot run our hook script right after completing the auto-renewal tasks?

Note: This server only has a single domain.

Thanks! 🙂

Information:

The operating system my web server runs on is (include version): Debian 11.9 (amd64)
I can login to a root shell on my machine: yes
certbot version: 2.11.0

I think you're looking for certbot's --deploy-hook

https://eff-certbot.readthedocs.io/en/latest/using.html#renewing-certificates

Certbot should run it when the certificate has been renewed.

If you have a cert already and just want to add it, you want

certbot reconfigure --cert-name (name) --deploy-hook /somewhere/script.sh

You can get the certificate name from certbot certificates.

6 Likes

Just adding: even though you only have 1 domain right now, please write your hooks as if you have multiple domains. This might mean naming your hook script to be indicative of the domain/certificate, or utilizing the Environment Variables that Certbot populates to ensure you are doing the right operations for the right domain if you have a more generic script (or script name).

A few extra minutes of work today on this will save you hours of work in the future if (most likely: when) you add a new domain.

4 Likes
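A sketch of the generic, multi-certificate hook suggested in the last reply. This is an added example, not code from any poster in the thread. `RENEWED_LINEAGE` and `RENEWED_DOMAINS` are the variables Certbot sets for deploy hooks; the certificate names, the service mapping and the function names are hypothetical.

```shell
#!/bin/sh
# Generic Certbot deploy hook: one script, dispatching per certificate.
# Certbot exports RENEWED_LINEAGE (live directory of the renewed cert) and
# RENEWED_DOMAINS (space-separated names) when it runs a deploy hook.
# Certificate names and services below are constructed for illustration.

LIVE_ROOT=/etc/letsencrypt/live   # default layout; adjust if --config-dir is used

# Derive the certificate name from the lineage path. The hook runs as root,
# so reject anything that is not a direct child of LIVE_ROOT.
cert_name() {
    case "$1" in
        "$LIVE_ROOT"/*) name=${1#"$LIVE_ROOT"/} ;;
        *) return 1 ;;
    esac
    name=${name%/}
    case "$name" in
        ""|*/*|.*) return 1 ;;   # empty, nested path, or dot-prefixed (e.g. "..")
    esac
    printf '%s\n' "$name"
}

# Map a certificate name to the service that must pick up the new files.
# Unknown names fail, so a newly added domain is noticed instead of
# silently sharing another certificate's action.
service_for() {
    case "$1" in
        example.com)      echo nginx ;;
        mail.example.com) echo postfix ;;
        *) return 1 ;;
    esac
}

deploy() {
    name=$(cert_name "${RENEWED_LINEAGE:-}") || {
        echo "deploy hook: unexpected lineage '${RENEWED_LINEAGE:-}'" >&2; return 2; }
    svc=$(service_for "$name") || {
        echo "deploy hook: no action defined for '$name'" >&2; return 3; }
    echo "renewed $name (${RENEWED_DOMAINS:-}); reloading $svc"
    systemctl reload "$svc"
}

# Act only when Certbot invoked the script (it sets RENEWED_LINEAGE).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy
fi
```

Because unknown certificate names return a non-zero status, adding a second domain later produces a visible hook failure until its action is added to `service_for`.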