Hook scripts for initial certificate installation


I want to script obtaining and configuring certificates for RabbitMQ.

I created hook scripts in /etc/letsencrypt/renewal-hooks/{pre,post,deploy} (Currently to log parameters and environment variables)

When I run certbot -d "hostname.example.com" --standalone -i null -m address@example.com --no-eff-email --no-bootstrap --agree-tos the deploy hook script is only run if I force renewal.

I’m looking for a hook script to run on the initial issuance of the certificate. I don’t see anything in the documentation. (There is this, but that seems to be for validation, not installation and does not seem to have the equivalent to the RENEWED_LINEAGE variable that gets passed to the renewal deployment script (according to the documentation)) (I have multiple SANs in the cert and prefer active confirmation of the directory name above guessing what it is)

Does this exist (maybe as part of the null installer)? (If not, this should likely be changed to a feature request instead)


Looking at the issues on Github, it seems like the undocumented --deploy-hook option might do what I want (and pass the path in (the also) undocumented RENEWED_LINAGE environment variable)?

Can this parameter that is not documented for the run command be relied on? (The documentation only mentions it for the renew command) I.e. Is it a bug that it works, which means that it can disappear at any time?

If it is a supported option, can I do something like this:
certbot -d "hostname.example.com" --standalone -i null -m address@example.com --no-eff-email --no-bootstrap --agree-tos --deploy-hook /root/scripts/install-new-cert.sh? (And put a hook script to reload the application on renewal in /etc/letsencrypt/renewal-hooks/deploy?

This seems to mention that that might actually result in /root/scripts/install-new-cert.sh being run each time the certificate is issued, instead of just for installation? (If that is the case, how do you give a hook script just for installation?))


Hi @MoHaG,

Regarding the “undocumented” --deploy-hook and “undocumented” RENEWED_LINEAGE variable:

 --deploy-hook DEPLOY_HOOK
                        Command to be run in a shell once for each
                        successfully issued certificate. For this command, the
                        shell variable $RENEWED_LINEAGE will point to the
                        config live subdirectory (for example,
                        "/etc/letsencrypt/live/example.com") containing the
                        new certificates and keys; the shell variable
                        $RENEWED_DOMAINS will contain a space-delimited list
                        of renewed certificate domains (for example,
                        "example.com www.example.com" (default: None)

You can use --deploy-hook in your run command and it will be executed once the certificate is issued for your domain BUT keep in mind that certbot will add a parameter to your domain’s renewal conf pointing to this script so every time you renew your certificate it will execute this command/script AND all the scripts you have in /etc/letsencrypt/renewal-hooks/deploy/ dir.

You could add a couple of lines to your initial script to remove the renew_hook parameter added to the renewal conf file so this initial script will run only once when you issue the cert and when the renew happens, it will use the scripts in the /etc/letsencrypt/renewal-hooks/deploy/ dir.

base=$(basename "$RENEWED_LINEAGE")
sed -i '/renew_hook/d' /etc/letsencrypt/renewal/${base}.conf



The documentation only mentions it under the heading for the renew command. There is no indication that it is valid for certonly and run as well. (There is a PR to fix that though) (certbot -h run does not mention it either (the details in the documentation seems to be the output of certbot -h renew))

Using the script to clean up the option does seem like a decent idea…


Yes, you are right, it is not documented in the run section so I hope they fix that gap in a future release.


If you select the text, a button will appear to quote only the selected text.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.