--deploy-hook not executed after staging cert successfully obtained


I am testing certbot in docker container of debian through automated deployment. For purposes of the project I created a bash script that is following:

#!/usr/bin/env bash
# inspired by https://gist.github.com/xgin/fbfa4577ad46955f472c
# this script name is used for first cert generation, after that renewal is done by certbot cron


certbot \
certonly \
–webroot \
-w /var/www/certbot/ \
–email myemailaddress@mydomain.com \
-d “${HOSTNAME}” \
–non-interactive \
–agree-tos \
–deploy-hook “/usr/sbin/nginx -t ; /usr/sbin/nginx -s reload ; touch /etc/letsencrypt/reloadok” \
–server https://acme-staging.api.letsencrypt.org/directory

echo “Certificate generation finished for hostname ${HOSTNAME}”

Now the problem is that when I execute that for testing purposes the certs are generated, all files are properly created. However nginx is never restarted, the touch file never created and folder /etc/letsencrypt/renewal-hooks/deploy/ is empty. It never seems to execute the hooks. --deployment hook should be executed every single time cert is retreived or renewed.
I tried command certbot renew --dry-run and it was performing all actions properly, but it did not show skipping any renewal hooks either :frowning:
For purposes of public forum I obstructed the real domain with privatedomain text, since it is a corporate project.

My domain is: private corporate, cannot disclose

I ran this command: as mentioned in script above

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for privatedomain
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification…
Cleaning up challenges


  • Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your cert will expire on 2019-04-09. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

Certificate generation finished for hostname privatedomain

My web server is (include version):

root@dfe8ef633758:/app# nginx -v
nginx version: nginx/1.15.7

Certbot version:

root@dfe8ef633758:/app# certbot --version
certbot 0.28.0

The operating system my web server runs on is (include version):

root@dfe8ef633758:/app# cat /etc/debian_version

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): nope

Any help is appreciated how to solve the issue. could it be permission issues ? but certifficates were issued and written properly by user executing the script.


Hmm OK, actually it does work. Definitely it was a permission issue, but somehow certbot command could not execute the post installation hook. we made sure that the /etc/letsencrypt folder has proper flags assigned and it seem to be working correctly. if anybody will use this thread as inspiration for script feel free to. can be closed as resolved