Deploy cert after successfull creation (with option --manual and certonly)

Hi @datacenterdssdi,

I think you are misinterpreting the purpose of cleanup-hook (versus deploy-hook). The cleanup-hook script is meant to be used to undo an individual challenge action (the inverse of an auth-hook). The hook mechanism for when everything is done is called deploy-hook.

I believe that your final cleanup-hook will get called before the certificate is issued. By contrast the deploy-hook will get called afterward.


I've also tried deploy-hook but still didn't execute the script.

I also have difficulties using deploy-hook because in documentation, deploy-hook is used primarily in certbot renew. I've not found a usage of deploy-hook that looks like my case.

letsencrypt.log.2.txt (296.0 KB)

this is the log that uses deploy-hook

After so many trials and rearrange of configuration, I'll conclude that manual-cleanup-hook and deploy-hook cannot work with a combination of certonly and --manual.

If no one can prove me wrong, I'll close this topic with the above statement. Hopefully, the dev teams can add my finding into certbot documentation.

certbot 1.19.0

? ? ?

It looks like the main thing that has not been mentioned so far is that --deploy-hook does not have any effect when running Certbot with --csr. The rationale for this behavior can be found in this comment and its follow-up comments. I can see how it can be confusing and I can see an argument in favor of changing it. As of today, this is working as intended. We should document this limitation though and I've opened an issue for that.

To summarize all the questions in this thread:

  1. --manual-auth-hook and --manual-cleanup-hook do not always get invoked. If your ACME account has recently completed an authorization for the domain, this entire step might get skipped. (In --dry-run mode, it is never skipped).
  2. Because of (1), if you have any steps you need to always perform before or after obtaining a certificate, you need to use some combination of --pre-hook, --post-hook and --deploy-hook.
  3. Because pre, post and deploy hooks are not invoked in --csr mode, you will need to run those commands manually, separate to the certbot command.

So it'd be a script that goes something like:

#!/usr/bin/env bash
echo "do the pre-hook commands"

certbot certonly  --csr csr.pem --manual \
--manual-auth-hook "" \
--manual-cleanup-hook "" && \
echo "do the deploy-hook commands"

echo "do the post-hook commands"

Aah.. so it's because the function --csr made hooks feel it didn't work like intended.

Yes, when I look at certbot documentation again, it's rare to use the --csr function's in the sample scripts.

It's clear the confusion in my mind now.

So, as I've posted before, I've got a script to work as I intended. More or less, like a script in this sample script. I'll continue to work with my previous script without --manual-cleanup-hook and/or --deploy-hook .

Thanks a lot for your explanation!


My bad.

So it's --csr that made the hooks not work correctly. Not --manual-cleanup-hook and --manual

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.