How many times will --deploy-hook run?

I have 2 renewals that use the DNS challenge.
When renewing, I see 2 processes, one after another.

When renewing with --deploy-hook, how many times will it run?

Three different situations:
0 successful renewals
1 successful renewal
2 successful renewals

1 Like

0 times.

1 time.

2 times.

For more info, see the certbot --help all output:

  --deploy-hook DEPLOY_HOOK
                        Command to be run in a shell once for each
                        successfully issued certificate. For this command, the
                        shell variable $RENEWED_LINEAGE will point to the
                        config live subdirectory (for example,
                        "/etc/letsencrypt/live/example.com") containing the
                        new certificates and keys; the shell variable
                        $RENEWED_DOMAINS will contain a space-delimited list
                        of renewed certificate domains (for example,
                        "example.com www.example.com" (default: None)
1 Like

I have 2 renewals, and each one needs a --deploy-hook to do something different.
Do I need to use 2 cronjobs to renew them separately with --cert-name?

1 Like

No, a deploy hook option used on the command line will be saved after a successful renewal/issuance in the certificate's renewal configuration file. So there's no need to include it in a cronjob.

You can check if the deploy hook is saved in the renewal configuration file by running certbot renew --dry-run: certbot will output it has skipped a deploy hook (due to the fact you're doing a dry run) if it is correctly saved in the renewal configuration file. If certbot does not output it has skipped a deploy hook, it hasn't been saved.

3 Likes

To be 100% sure, please show the complete renewal command being issued (preferably executed within cron or systemd).
[it should be something very much like only: certbot renew]

2 Likes

Right, I saw an option named "renew_hook" saved in the renewal configuration file, and each renewal has one. There's no need to renew with --deploy-hook again. Certbot is too smart. Thank you very much!

Yes, I only need to execute certbot renew with cron.

I saw a systemd timer for renewal named "snap.certbot.renew.timer", but it seems not to be working, because I received an email last month telling me the certificates will expire in 7 days. So now I have stopped the timer and only use cron.

I believe renew_hook is the configuration file name for the command line option --deploy-hook due to historic reasons.

Sometimes you can receive expiry e-mails even when your certificates have renewed perfectly. For example, when a certificate has been modified with regard to its hostnames. See the expiry email documentation. I think it's highly unlikely the systemd timer didn't function properly, unless there's something wrong with your systemd timers in general.

That said, nothing wrong with a cronjob of course.

2 Likes
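The check discussed in this thread, as an added example that is not part of any post and is not Certbot's own code: a shell function that lists the renew_hook entry saved in each renewal configuration file, so a lineage whose deploy hook was never saved stands out. The function names and the sample configs are constructed for illustration; /etc/letsencrypt/renewal is assumed as the default renewal directory.

```shell
#!/bin/sh
# Added example: report the deploy hook saved for each certificate lineage.
# Certbot stores --deploy-hook as "renew_hook = <command>" in the
# [renewalparams] section of <renewal dir>/<cert-name>.conf.

# list_renew_hooks [DIR]
# Prints one line per renewal config: "<cert-name><TAB><hook or (none)>".
list_renew_hooks() {
    dir=${1:-/etc/letsencrypt/renewal}   # assumed default location
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue       # glob matched nothing
        name=$(basename "$conf" .conf)
        hook=$(awk '
            # Track whether we are inside [renewalparams].
            /^[ \t]*\[/ { in_params = ($0 ~ /^[ \t]*\[renewalparams\]/); next }
            in_params && /^[ \t]*renew_hook[ \t]*=/ {
                sub(/^[^=]*=[ \t]*/, "")  # keep everything after the first "="
                print
                exit
            }' "$conf")
        printf '%s\t%s\n' "$name" "${hook:-(none)}"
    done
}

# count_missing_hooks [DIR]
# Prints how many lineages have no saved deploy hook.
count_missing_hooks() {
    list_renew_hooks "$1" | awk -F '\t' '$2 == "(none)" { n++ } END { print n + 0 }'
}

# Constructed sample configs (not from the thread): one lineage with a
# saved hook, one without, so the script runs offline.
make_demo_dir() {
    d=$(mktemp -d)
    printf 'cert = /etc/letsencrypt/live/example.com/cert.pem\n[renewalparams]\nauthenticator = manual\nrenew_hook = systemctl reload nginx\n' \
        > "$d/example.com.conf"
    printf 'cert = /etc/letsencrypt/live/example.org/cert.pem\n[renewalparams]\nauthenticator = manual\n' \
        > "$d/example.org.conf"
    echo "$d"
}

demo=$(make_demo_dir)
list_renew_hooks "$demo"
rm -rf "$demo"
```

On a real host, call list_renew_hooks with no argument (as a user that can read the renewal directory); any lineage reported as (none) will run no deploy hook when certbot renew renews it.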
