Multiple SSL renewal

Hi, I'm running certbot_renewal to renew multiple SSL certificates at the same time. I would like to run a script at the end of the multiple SSL certificate renewal. Should I write my script into the deploy or post hook? I want to run my app only after the last renewed SSL certificate.

Thank you for the help


Hi @mgiannoni,

In this case, I think that you will want to use --post-hook:

  1. It will only run if one or more certificates were attempted to be renewed.
  2. If multiple certificates have the same --post-hook, the hook will only be executed once, after all of the renewal attempts have been made.

Please show the command script file:


Hi _az, thank you very much for answering my question, this is what I was looking for. Yes, my multiple SSL certificates have the same script under /etc/letsencrypt/renewal-hooks/post

Thank you again.


Isn't that supposed to be a --deploy-hook? A --post-hook will be run after every attempted renewal, successful or not. A --deploy-hook will only be run after every successful renewal.


It is a cronjob

5 0 * * * sleep $(( RANDOM % 3600 )) && /usr/local/bin/certbot_renew

Yes, good catch. I updated my answer. Thanks.


I just ran a test on 11 SSL certificates to renew, so I put a script in the deploy and post hook as follows:

for the deploy hook:
now=$(date)
echo "$now" >> /root/sysmgm/scripts/acme/test/howmanydeploy.txt

for the post hook:
now=$(date)
echo "$now" >> /root/sysmgm/scripts/acme/test/howmanypost.txt

The file howmanydeploy.txt was written on every SSL cert renewal, as follows:
Mon Dec 13 00:38:24 PST 2021
Mon Dec 13 00:38:34 PST 2021
Mon Dec 13 00:38:47 PST 2021
Mon Dec 13 00:39:05 PST 2021
Mon Dec 13 00:39:16 PST 2021
Mon Dec 13 00:39:28 PST 2021
Mon Dec 13 00:39:40 PST 2021
Mon Dec 13 00:39:51 PST 2021
Mon Dec 13 00:40:08 PST 2021
Mon Dec 13 00:40:19 PST 2021
Mon Dec 13 00:40:36 PST 2021

The file howmanypost was written only one time:
Mon Dec 13 00:40:41 PST 2021

From the date you can see that howmanypost was written only once, at the end of all the multiple SSL renewals.

I deduce that the post-hook script is called only once at the end of the renewal process.



I repeat myself:


Your post implies that you only want to run your script once (after all renewals have been processed).
But the question is:
Do you want to only run when a cert has been renewed OR do you always want it to run after each renewal check?

But wouldn't it do that once always (no matter if any certs were renewed or not)?


I do want to run my script only when a cert or multiple certs is/are renewed.

Last request:


Hence why _az said:


Does your renewal script have --force-renewal in it? If so, that's very bad and needs to be fixed by removing that parameter.


That presumes the use of certbot renew.
The shown use is certbot_renewal.


Yes, you are correct, the exact command I'm using is: certbot renew!
In the previous post I didn't realize that I posted an Ansible wrapper for the same command. My Ansible certbot_renew (not certbot_renewal, this was a typo) contains the following code:




# This script is meant to be run as part of a cron job to renew this system's
# certificates requested/issued via certbot

PATH=/sbin:/bin:/usr/sbin:/usr/bin

# Name of the process currently listening on port 80, if any
web_srv_proc=$(lsof -i:80 | tail -1 | awk '{ print $1 }')
firewall-cmd -q --zone=public --add-port=80/tcp

if [ ! -z "${web_srv_proc}" ] ; then
    certbot renew --quiet --pre-hook "systemctl stop ${web_srv_proc}" --post-hook "systemctl start ${web_srv_proc}"
else
    certbot renew --quiet
fi

firewall-cmd -q --zone=public --remove-port=80/tcp

But wouldn't it do that once always (no matter if any certs were renewed or not)?
Yes in my case I can run it once always that will work, no matter if any certs were renewed or not.

You can probably replace those with just:
--post-hook "systemctl reload ${web_srv_proc}"

And you can probably replace that with:
--deploy-hook "systemctl reload ${web_srv_proc}"

And you can probably replace the 11 calls to it:

With one single call.
[certbot will try to renew all the certs that it manages within each call]

But, as always, test test test [first].


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
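
The behaviour worked out in this thread (the deploy hook fires once per renewed certificate, the post hook fires once at the end) can be combined so that an action runs exactly once, and only when at least one certificate was renewed. The following is an added example, not code from any poster or from certbot; `STATE_DIR`, the flag file and the function names are assumptions, and certbot's `RENEWED_LINEAGE` variable is simulated with constructed values.

```shell
#!/bin/sh
# Added example (not from the thread). STATE_DIR, the flag file name and the
# action are assumptions; certbot itself is not invoked here.
# In production keep STATE_DIR root-owned, not a world-writable /tmp path.
STATE_DIR=$(mktemp -d)
FLAG="$STATE_DIR/renewed.flag"

# Deploy hook body: certbot runs this once per successfully renewed
# certificate and sets RENEWED_LINEAGE to that certificate's live directory.
deploy_hook() {
    printf '%s\n' "${RENEWED_LINEAGE:-unknown}" >> "$FLAG"
}

# Post hook body: certbot runs this once, after all renewal attempts.
# "$@" is the action to perform; it is skipped when no deploy hook fired.
post_hook() {
    [ -s "$FLAG" ] || return 0   # nothing was renewed in this run
    rm -f "$FLAG"                # consume the flag before acting
    "$@"
}

# Constructed simulation of one renewal run in which $1 certificates were
# renewed. Prints how many times the action ran.
simulate_renew_run() {
    count_file="$STATE_DIR/action.count"
    : > "$count_file"
    i=0
    while [ "$i" -lt "$1" ]; do
        RENEWED_LINEAGE="/etc/letsencrypt/live/site$i.example"  # constructed
        deploy_hook
        i=$((i + 1))
    done
    post_hook sh -c 'echo ran >> "$1"' _ "$count_file"
    grep -c '' "$count_file" || true
}

echo "11 renewed -> action ran $(simulate_renew_run 11) time(s)"
echo " 0 renewed -> action ran $(simulate_renew_run 0) time(s)"
```

In real use the two function bodies would be separate scripts, one passed as the deploy hook and one as the post hook, with the post hook's action being the application start or reload.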