New environment variable and hook type for certbot

This is kind of a two-part feature request because they'd integrate together.

PROPOSED ADDITIONS:

  1. New Environment Variable: CERTBOT_TOTAL_DOMAINS

This environment variable would contain the subject domain for each successfully renewed certificate in a comma-separated list. This would only be available to the endrun hook(s) (see below).

  1. New Hook Type: endrun

This would offer a hook type that is run once at the end of all renewals (e.g. after all validations, certificate successes, etc.).

POSSIBLE USE CASES:

This allows for avoiding multiple restarts/reloads for services that may use many certificates, for example, rather than running after each successful renewal (e.g. deploy hooks). If there are numerous separate certificates on one server and a deploy hook takes several seconds (e.g. a slowly restarting service), this can create a lot of "service flapping". The CERTBOT_TOTAL_DOMAINS variable (see above) would allow for determining whether this service uses a certificate that was renewed or not (and thus needing a restart/reload or not)..

Hi @johnnybubonic,

Thanks for the suggestions.

Have you taken a look at --post-hook?

During renewal, the hook is deduplicated. That is to say, if you have 10 certificates that all have the same --post-hook, it will only be invoked once, after all the certificates have been processed/renewed.

I think this might have been proposed before, but I can't find it right now. Opening a feature request on the issue tracker is a good idea.

Personally, I feel like adding $RENEWED_LINEAGES to the --post-hook would probably be a fine thing to do, even if it overlaps slightly with the purpose of --deploy-hook.

1 Like