Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command:
Followed all the instructions on chatbot page:
It produced this output:
My certs work great. Many thanks to all.
My web server is (include version):
node.js 18.15.0
The operating system my web server runs on is (include version):
Debian 11
My hosting provider, if applicable, is:
Linode - private server
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Certbot 2.4.0
Hi. I set up/ran certbot as root. Now I want to give access to the cert files needed for the server to a non-root user. This help response indicates I need to edit my renewal script. My question is: Where is that script? I would like to copy the needed files to my non-root user's home after they change on a cert update, but I don't know where to add that process.
The script that user cool110 was talking about in that thread was a custom script they made themselves. It's not part of Certbot. That said, such a script shouldn't be too hard to make.
If you've made the script doing the copying, you can use the --deploy-hook option so after every certificate renewal the script gets run. See the Certbot documentation for more information about hooks, such as the --deploy-hook, including some variables you can use in your script.
Thanks so much for your reply.
I ran the below command, which I hope is all I need to do: sudo certbot certonly --standalone --deploy-hook /root/copycerts.sh
It prompted for the domain name and then said that I already had a valid cert, so I entered 1 to keep the existing cert. I'm guessing this is all I need to do to run my copy script after each deployment? Here is the output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): reservationbots.com
Certificate not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/reservationbots.com.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal; no action taken.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
I'm not sure if that saves the --deploy-hook. As you're using the most recent version of Certbot, I'd advise you to look into the certbot reconfigure subcommand to add the --deploy-hook to an existing certificate. See User Guide — Certbot 2.4.0 documentation for more info.
I ran the following command, which appears to have worked: certbot reconfigure --cert-name reservationbots.com --deploy-hook /root/copycerts.sh
It modified file: /etc/letsencrypt/renewal/reservationbots.com.conf
by adding the following line at the end: renew_hook = /root/copycerts.sh
Thanks for all your help.
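A deploy hook of the kind discussed in this thread, as an added example that is not from the original posts and is not Certbot's own code. RENEWED_LINEAGE is the variable Certbot sets for deploy hooks; the account name nodeapp, the destination directory and the function name copy_certs are assumptions to adapt.

```shell
#!/bin/sh
# Example deploy hook (could be saved as /root/copycerts.sh); not Certbot's code.
# Certbot runs deploy hooks with RENEWED_LINEAGE set to the live directory
# of the renewed certificate, e.g. /etc/letsencrypt/live/<cert-name>.

# Assumed values: change to the account and directory your server uses.
APP_USER="${APP_USER:-nodeapp}"
APP_GROUP="${APP_GROUP:-nodeapp}"
DEST_DIR="${DEST_DIR:-/home/nodeapp/certs}"

# copy_certs LINEAGE DEST USER GROUP
# Copies fullchain.pem and privkey.pem into DEST so that only USER can read
# them. The body runs in a subshell, so umask and variables stay local.
copy_certs() (
    lineage=$1 dest=$2 user=$3 group=$4
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || {
        echo "copy_certs: missing PEM files in $lineage" >&2
        exit 1
    }
    umask 077                      # nothing is ever created group/world readable
    mkdir -p "$dest" && chmod 700 "$dest" || exit 1
    for f in fullchain.pem privkey.pem; do
        # Write to a temp file in the same directory, then rename it, so the
        # server never sees a half-written key or chain.
        tmp=$(mktemp "$dest/.$f.XXXXXX") || exit 1
        # cat follows the symlink in live/ and produces a regular file.
        cat "$lineage/$f" > "$tmp" && chmod 600 "$tmp" || { rm -f "$tmp"; exit 1; }
        # Ownership can only be changed when running as root (as Certbot does).
        [ "$(id -u)" -ne 0 ] || chown "$user:$group" "$tmp" || { rm -f "$tmp"; exit 1; }
        mv -f "$tmp" "$dest/$f" || { rm -f "$tmp"; exit 1; }
    done
    [ "$(id -u)" -ne 0 ] || chown "$user:$group" "$dest"
)

# Only act when Certbot invokes the script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_certs "$RENEWED_LINEAGE" "$DEST_DIR" "$APP_USER" "$APP_GROUP" || exit 1
    # Restart or signal the Node.js process here so it loads the new files.
fi
```

The script must be executable (chmod 700 /root/copycerts.sh) and should stay writable only by root, since Certbot runs it as root on every renewal.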