I have 2 renewals that use the DNS challenge.
When renewing, I will see 2 processes one after another.
When renewing with --deploy-hook, how many times will it run?
Three different situations:
0 successful renewals
1 successful renewal
2 successful renewals
0 times.
1 time.
2 times.
For more info, see the certbot --help all output:
--deploy-hook DEPLOY_HOOK
Command to be run in a shell once for each
successfully issued certificate. For this command, the
shell variable $RENEWED_LINEAGE will point to the
config live subdirectory (for example,
"/etc/letsencrypt/live/example.com") containing the
new certificates and keys; the shell variable
$RENEWED_DOMAINS will contain a space-delimited list
of renewed certificate domains (for example,
"example.com www.example.com" (default: None)
I have 2 renewals, and each one needs a --deploy-hook to do something different.
Do I need to use 2 cronjobs to renew them separately with --cert-name?
No, a deploy hook option used on the command line will be saved after a successful renewal/issuance in the certificate's renewal configuration file. So there's no need to include it in a cronjob.
You can check if the deploy hook is saved in the renewal configuration file by running certbot renew --dry-run: certbot will output that it has skipped a deploy hook (due to the fact you're doing a dry run) if it is correctly saved in the renewal configuration file. If certbot does not output that it has skipped a deploy hook, it hasn't been saved.
To be 100% sure, please show the complete renewal command being issued (preferably executed within cron or systemd).
[it should be something very much like only: certbot renew]
Right, I saw an option named "renew_hook" saved in the renewal configuration file and each renewal has one. There's no need to renew with --deploy-hook again. Certbot is too smart. Thank you very much!
Yes, I only need to execute certbot renew with cron.
I saw a systemd timer for renewal named "snap.certbot.renew.timer", but it seems not to be working, because I received an email last month that told me the certificates would expire in 7 days. So now I have stopped the timer and only use cron.
I believe renew_hook is the configuration file name for the command line option --deploy-hook due to historic reasons.
Sometimes you can receive expiry e-mails even when your certificates have renewed perfectly. For example, when a certificate has been modified with regards to its hostnames. See the expiry email documentation. I think it's highly unlikely the systemd timer didn't function properly, unless there's something wrong with your systemd timers in general.
That said, nothing wrong with a cronjob of course.
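The per-certificate hook check discussed in this thread, as an added example that is not part of the original posts and not certbot's own code: it reads each renewal configuration file and reports the command saved under renew_hook, so two renewals with different hooks can be confirmed without running a renewal. The [renewalparams] section name is an assumption about the file layout, and the sample files and hook path are constructed.

```sh
#!/bin/sh
# Added example. Assumptions: renewal files are INI-style *.conf files and the
# hook is stored as "renew_hook" inside a [renewalparams] section.

# saved_hook FILE: print the renew_hook value from [renewalparams], if any.
saved_hook() {
    awk '
        /^[ \t]*\[/ { in_params = ($0 ~ /^[ \t]*\[renewalparams\]/); next }
        in_params && /^[ \t]*renew_hook[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# hook_report DIR: one line per lineage, "<name>: <hook>" or "<name>: MISSING".
# Exit status is non-zero when at least one lineage has no saved hook.
hook_report() {
    missing=0
    for conf in "$1"/*.conf; do
        [ -e "$conf" ] || continue
        name=$(basename "$conf" .conf)
        hook=$(saved_hook "$conf")
        if [ -n "$hook" ]; then
            printf '%s: %s\n' "$name" "$hook"
        else
            printf '%s: MISSING\n' "$name"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# make_sample DIR: write two constructed renewal files (not real certbot output).
make_sample() {
    printf '%s\n' 'version = 2.0.0' '[renewalparams]' 'authenticator = manual' \
        'renew_hook = /usr/local/bin/reload-web.sh' > "$1/a.example.conf"
    # Second lineage: the key appears only in a comment, so no hook is saved.
    printf '%s\n' '# renew_hook = ignored' '[renewalparams]' \
        'authenticator = manual' > "$1/b.example.conf"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
hook_report "$demo_dir" || echo "at least one lineage has no saved deploy hook"
rm -rf "$demo_dir"
```

To run it against a real installation, pass hook_report the directory holding the renewal files (assumed here to be /etc/letsencrypt/renewal, the usual default); reading those files normally requires root.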