How to run a deploy script ONCE after ALL certs installed


I have older installs that use the --renew-hook and newer ones that use the --deploy-hook but I just found out that the scripts run once for every certificate. I don’t understand the reason why someone would want to run the same script over and over for multiple certificates. I have a script that copies certs, sets permissions, and restarts apache but I only want it to run when renewal time comes and ONCE after ALL certs installed. How would I accomplish this over all versions of certbot? If I have to do manual installs of certbot-auto to get the latest version then I will do that.


What about this? If I have 3 certs, should I run the certbot command 3 times and have the last one have the renew-hook statement on it?


If you just need something to run after the certbot renewal process runs, it might be simpler to do exactly that. If you’ve got certbot installed from your distribution’s package manager, edit either the installed cron job or systemd timer and tack your script on the end.


Oh wow … I did use the package manager and was not aware of any cron job or systemd timer … where would those be stored? I don’t see anything in the /etc/cron.daily and systemctl list-timers does not show anything for letsencrypt or certbot.


I believe the cron entry is usually installed in /etc/cron.d/certbot

For systemd, you may need to use the --all flag for list-timers if for whatever reason the timer isn’t active.


I didn’t realize this wraps each renewal. It is weird there isn’t a global pre/post hook.


I think there should be.


I just tested this.

It seems to only run once for me.

./certbot-auto renew  --pre-hook "echo 'pre-hook'"  --post-hook "echo 'post-hook'"
Cert is due for renewal, auto-renewing...
Running pre-hook command: echo 'pre-hook'
Pre-hook command already run, skipping: echo 'pre-hook'

You may need to upgrade your version of certbot. This functionality may have been an improvement in a release newer than yours.


Makes sense for pre-hook which runs before, but I am interested in deploy-hook which runs after. The same logic cannot carry over.
Will it try to run it for every cert and say … oops, there are more certificates … I will just wait until they are all done?


Upgrade to the current certbot and ensure the behavior is the same. You haven’t mentioned what version you are running.


Actually, I did mention version in a backhanded way. In my original post I mentioned that I have several servers all running different versions. I also mentioned I’d be willing to upgrade to the latest if it will provide the feature I’m looking for. Also, I’m sure the behaviour will be the same but I am not looking for that behaviour … as I mentioned in my last post, I am looking for deploy-hook, not pre-hook.
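One way to get a single deploy run per renewal pass, as an added example that was not posted by anyone in this thread: certbot calls --deploy-hook once per renewed certificate with RENEWED_LINEAGE set, and --post-hook once after all renewal attempts, so the deploy hook only records the lineage and the post hook does the copy, permissions and reload. The script path, STATE_DIR, DEST_DIR and RELOAD_CMD values are assumptions to adapt.

```shell
#!/bin/sh
# Added example, not certbot's own code. Register the same script for both hooks:
#   certbot renew --deploy-hook "/usr/local/bin/cert-hooks.sh deploy" \
#                 --post-hook   "/usr/local/bin/cert-hooks.sh post"
# All three defaults below are assumed values; override them for your host.
: "${STATE_DIR:=/var/lib/cert-hooks}"
: "${DEST_DIR:=/etc/apache2/ssl}"
: "${RELOAD_CMD:=apachectl graceful}"

# deploy-hook side: runs once per renewed certificate. Only record which
# lineage changed (e.g. /etc/letsencrypt/live/example.com); do no real work.
on_deploy() {
    [ -n "${RENEWED_LINEAGE:-}" ] || return 1
    mkdir -p "$STATE_DIR" && chmod 700 "$STATE_DIR" || return 1
    printf '%s\n' "$RENEWED_LINEAGE" >> "$STATE_DIR/pending"
}

# Copy one lineage; the private key is written owner-read/write only.
install_cert() {
    name=$(basename "$1")
    mkdir -p "$DEST_DIR/$name" || return 1
    install -m 644 "$1/fullchain.pem" "$DEST_DIR/$name/fullchain.pem" &&
    install -m 600 "$1/privkey.pem"   "$DEST_DIR/$name/privkey.pem"
}

# post-hook side: runs once per renewal pass. If nothing was recorded, no
# certificate changed, so skip the reload entirely.
on_post() {
    [ -s "$STATE_DIR/pending" ] || return 0
    sort -u "$STATE_DIR/pending" | while IFS= read -r lineage; do
        install_cert "$lineage" || exit 1
    done || return 1
    # Keep the pending list if the reload fails so the next pass retries.
    sh -c "$RELOAD_CMD" || return 1
    rm -f "$STATE_DIR/pending"
}

case "${1:-}" in
    deploy) on_deploy ;;
    post)   on_post ;;
esac
```

Because the post hook also fires when a renewal was attempted and failed, the pending file is what keeps the reload from happening when no certificate actually changed.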

