How to add a post auto-renew hook for a single certificate

My domain is: greenlane.pricklythistle.co.uk

My web server is (include version): nestjs 7 (express)

The operating system my web server runs on is (include version): Raspbian Buster

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

Hi All

I have got my certificate set up and as far as I can tell it will be automatically renewed (when I type systemctl status certbot.timer I see a message saying it will run twice a day). After it has renewed I think that I need to restart my server, so I need a hook.

There are instructions here about how to run renew with a post hook when running on the command line. There are also instructions about adding files to the config directory to run as a post hook.

It seems that I want to add files to the config directory that will run when the certificate is renewed - these scripts will run for all domains though. Ideally I want to only restart the appropriate webserver for whatever certificate has been renewed.

How do I go about doing that?

Thanks

1 Like

Depends on which configuration file you're putting the option in. Adding it to /etc/letsencrypt/cli.ini would mean it's used for every certificate indeed, but if you're using /etc/letsencrypt/renewal/${certname}.conf, it's only used for that specific certificate.

1 Like

Brilliant, it seems that’s just what I need. I’ll give it a go. Many thanks.

1 Like

OK, I tried doing this. I edited /etc/letsencrypt/renewal/greenlane.pricklythistle.co.uk.conf as follows:

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/greenlane.pricklythistle.co.uk
cert = /etc/letsencrypt/live/greenlane.pricklythistle.co.uk/cert.pem
privkey = /etc/letsencrypt/live/greenlane.pricklythistle.co.uk/privkey.pem
chain = /etc/letsencrypt/live/greenlane.pricklythistle.co.uk/chain.pem
fullchain = /etc/letsencrypt/live/greenlane.pricklythistle.co.uk/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = ACCOUNT_NUMBER
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
deploy-hook = systemctl restart SERVICE_NAME

but my service is not restarted when the certificate renews, and when I renew, the file contents are replaced and the deploy hook line is removed.

The configuration file property names do not mirror the CLI flags.

What you want is:

renew_hook = systemctl ...

1 Like
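An alternative to per-certificate `renew_hook` lines, added here as an example and not taken from any post in this thread: one script in Certbot's `renewal-hooks/deploy` directory that reads the `RENEWED_LINEAGE` variable Certbot exports to deploy hooks and restarts only the matching service. The script name, the unit names and the second certificate name are hypothetical placeholders. Because the hook runs as root, the script should be owned by root and not writable by anyone else.

```shell
#!/bin/sh
# Added example: deploy hook that restarts only the service tied to the renewed certificate.
# Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/restart-by-cert.sh (root-owned, mode 0755).
# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<certname>) to deploy hooks.

# Map a certificate name to the systemd unit that serves it.
# Unit names are hypothetical placeholders; an unknown name maps to nothing.
service_for_cert() {
    case "$1" in
        greenlane.pricklythistle.co.uk) echo "greenlane.service" ;;
        other.example.org)              echo "other-site.service" ;;
        *)                              return 1 ;;
    esac
}

# Extract the certificate name from a lineage path, rejecting anything
# that is not a direct child of the live directory.
cert_name_from_lineage() {
    live_dir="/etc/letsencrypt/live"
    case "$1" in
        "$live_dir"/*) name=${1#"$live_dir"/} ;;
        *)             return 1 ;;
    esac
    name=${name%/}
    case "$name" in
        ""|*/*|.|..) return 1 ;;
    esac
    echo "$name"
}

# Only act when Certbot invoked this script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    cert=$(cert_name_from_lineage "$RENEWED_LINEAGE") || {
        echo "unexpected lineage: $RENEWED_LINEAGE" >&2
        exit 1
    }
    if unit=$(service_for_cert "$cert"); then
        systemctl restart "$unit"
    else
        echo "no service mapped for $cert; nothing restarted" >&2
    fi
fi
```

Certificates with no entry in the mapping are logged and left alone, so adding a new certificate never restarts an unrelated service.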
