Deploy-hook on Certbot crontab

Hi Friends,

I would like to add an "scp" command into the crontab generated during the Certbot installation.
I have two questions:

  1. By modifying the native Certbot crontab, do I risk losing the changes on a subsequent Certbot update?
  2. is the syntax described below correct?

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot --deploy-hook "scp -P 12345 /etc/letsencrypt/live/server.example.org/*.pem myuser@server.remote.com:/mnt/sda1/backup/server.example.org/letsencrypt/" -q renew

Many thanks!

Davide

An (arguably better) choice would be to put an executable script into /etc/letsencrypt/renewal-hooks/deploy/.

Or specify the --deploy-hook when creating the certificate. In turn, this will store renew_hook = /path/to/hook in your /etc/letsencrypt/renewal/*.conf file, which will be automatically applied at renewal.

You might find this helpful in a situation where you have multiple certificates: In a deploy hook, the name of the certificate will be present in $RENEWED_LINEAGE so you could use that to do certain actions only if the name matches.
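As an added example (not code from the thread or from Certbot itself), here is what a script in /etc/letsencrypt/renewal-hooks/deploy/ can look like when it should only act on one of several certificates. Certbot runs every executable file in that directory once per renewed lineage, exporting RENEWED_LINEAGE (the lineage directory, e.g. /etc/letsencrypt/live/server.example.org) and RENEWED_DOMAINS. The certificate name, SSH port, remote user, host and backup path are assumptions taken from the crontab line in the question; the COPY_CMD variable exists only so the hook can be exercised without touching the network.

```shell
#!/bin/sh
# Example deploy hook, e.g. /etc/letsencrypt/renewal-hooks/deploy/copy-to-backup
# (assumed file name; must be executable, chmod 700 is enough since certbot
# runs hooks as root). Not part of the original thread.
set -e

# Assumptions taken from the poster's crontab line.
WANTED_NAME="server.example.org"
SSH_PORT="12345"
REMOTE="myuser@server.remote.com:/mnt/sda1/backup/server.example.org/letsencrypt/"
# The copy command is a variable only so the hook can be exercised with
# COPY_CMD=echo instead of a real scp.
COPY_CMD="${COPY_CMD:-scp}"

# Certificate name of a lineage directory, as certbot names it.
lineage_name() {
    basename "$1"
}

# Succeeds only for the lineage we care about, so other certificates renewing
# on the same host do not trigger a copy to the backup box.
should_deploy() {
    [ "$(lineage_name "$1")" = "$WANTED_NAME" ]
}

# Copy the four PEM files of a lineage. They are named explicitly rather than
# globbed: a glob that matches nothing is passed to scp literally, while a
# missing file here makes scp fail loudly, which certbot then reports.
# scp reads through the symlinks in live/, so the remote side gets real files.
copy_lineage() {
    dir="$1"
    "$COPY_CMD" -P "$SSH_PORT" \
        "$dir/cert.pem" "$dir/chain.pem" "$dir/fullchain.pem" "$dir/privkey.pem" \
        "$REMOTE"
}

# Entry point. Returns 0 when a copy was made, 1 when the lineage was skipped,
# 2 when not invoked with a lineage at all.
run_hook() {
    lineage="${1:-${RENEWED_LINEAGE:-}}"
    if [ -z "$lineage" ]; then
        echo "RENEWED_LINEAGE not set; this script is meant to run as a certbot deploy hook" >&2
        return 2
    fi
    if should_deploy "$lineage"; then
        copy_lineage "$lineage"
    else
        echo "skipping $(lineage_name "$lineage")" >&2
        return 1
    fi
}

# Under certbot RENEWED_LINEAGE is set and the hook acts on it; run by hand
# without it, the script does nothing so it can be sourced or dry-run safely.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    run_hook "$RENEWED_LINEAGE"
fi
```

To dry-run it by hand: `COPY_CMD=echo RENEWED_LINEAGE=/etc/letsencrypt/live/server.example.org sh copy-to-backup` prints the scp command line instead of executing it. Two caveats a practitioner would want: the hook ships privkey.pem, so the destination directory on the backup host should be owned by the receiving user with mode 0700 and the SSH key used by root on this host should be restricted to that purpose; and a non-zero exit from a deploy hook is reported by certbot as an error but does not roll back the renewal, so a failed copy has to be noticed from the renew log or from monitoring.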

Good question. I'm not sure, and it probably depends on the packaging policy of whatever Linux distro you are using. Best not to risk it, I think.

Consider whether your Linux system uses systemd. Pretty much all the major ones do. In that case, this cronjob will never actually run, and instead the equivalent systemd timer will run. That's what the -d /run/systemd/system is about.

So it's quite possible that your modification here will have no effect because this cronjob doesn't even run.

2 Likes

I think you are trying to streamline and combine things that don't need to be combined.
And may be creating a situation (or problem down the road) unnecessarily.
If your web server allows for graceful reloads, then it can be reloaded on a schedule (every day).
If your certs are, or aren't, renewed today, they can be copied over to the web server (every day).
The only advantage to your scenario is a clearly defined "instantaneous" synchronization.
Which is all but never seen nor even noticed.
In the "sync once a day" scenario, the only difference is the delayed servicing via the new cert.

That said, what about brand new certs?
Well, that can still be split into multiple tasks and some can be fired/triggered by certain preceding actions.

In short: I don't want you to overcomplicate a situation that really should not be that complicated.

1 Like

On the other hand, immediate "deploy" actions are kind of what deploy-hooks were invented for. I agree that there are many other options, some of which might be easier in a certain setting, but I don't see anything inappropriate about trying to use a hook this way.

1 Like

Yes, normally I tend to complicate things, because I think life is a bit complicated and by trying to simplify it you risk losing the wonderful nuances it can offer..
Coming back to the topic, I too am able to schedule cron for a daily copy; however, due to my natural tendency to complicate things, I was looking for a less energy-expensive method.
Consider that I'm the guy who still sends e-mails in text format so as not to consume more energy than essential, and in the same way I go to get the newspaper by bike. Of course I am aware that all this is absolutely useless, but it makes me feel good :wink:

In the same way, I prefer a minimal approach to every computer action, so I will prefer to use the deploy-hooks approach.

In fact, I think I will follow az_'s hint above, which seems to me to be appreciated by @schoen as well :wink:

I sincerely thank all of you for your help!

Davide

3 Likes
