I’ve got several sites, both work and personal, working with certbot on Ubuntu servers. Certificate renewals are working fine.
Over the past few months, I’ve noticed that hook handling has changed a bit, both with certbot by itself, and with the way the Ubuntu certbot PPA deploys it. Originally, I had a renewal hook script in /usr/local/bin, and I added the appropriate --renewal-hook parameter to the renewal cron job. Later, the Ubuntu PPA deployment created /etc/letsencrypt/post-hook.d, /etc/letsencrypt/pre-hook.d, and /etc/letsencrypt/renew-hook.d directories, and added the appropriate -hook parameters to the cron and/or systemd files so that scripts in those directories would be run for the appropriate hooks. Then this was removed, and I had to put the appropriate -hook parameters back in. Finally, it appears the current versions of certbot will look in /etc/letsencrypt/renewal-hooks/deploy, /etc/letsencrypt/renewal-hooks/post, and /etc/letsencrypt/renewal-hooks/post directories for the hook scripts, without having to provide -hook parameters when running ‘certbot renew’ (I’d like to have that last bit confirmed). It also appears that the renew hook has now been renamed the deploy hook (though I’m assuming that certbot will still respond to the old --renew-hook parameter, for backwards compatibility).
Now, I have no problems with the changes above. The final resolution appears to handle the situation with a minimum of having to make changes to cron or systemd unit files (unless you’ve already made changes, in which case you have to change them back, but that’s sysadmin life in a world of changing technology).
But, the conf entries in the /etc/renewals directory remember what hooks ‘certbot renew’ was initially called with and, presumably, cause future renewals to be run with the same parameters (I’m unclear whether explicit hooks on the ‘certbot renew’ calls will override what’s in the .conf files, or vice versa, but I think that will end up moot in my case). So, I’ve got some renewal .conf files pointing to the old /usr/local/bin scripts, some pointing to the Ubuntu post-hook.d, pre-hook.d, and renewal directories, and presumably, I’ll soon have some either pointing to the renewal-hook subdirectories, or not having any hook entries in the ‘renewalparams’ section of the .conf files (presumably because ‘certbot renew’ will find them without having to be explicitly told where they are), as I haven’t had any new certs created under the new regime long enough to find out.
So far, I’ve just left the scripts in the old places, and also copied them to the new(er) places. I’d rather clean this up, so that if they need to be changed, I don’t have to worry about changing 3 different copies. This leaves me with two questions:
Is the best way to change where renewal looks for hook scripts to manually change the renewal/*.conf files, or is there a better way to do that?

Can I just strip the post_hook, renew_hook, pre_hook entries out of the [renewalparams] section of the .conf files, and then ‘certbot renew’ will only look in the new /etc/letsencrypt/renewal-hooks subdirectories?