Post-renewal script is run, even though the cert couldn't be renewed

How can I tell certbot to skip the post-renewal script (/etc/letsencrypt/renewal-hooks/post.local/domain), if certificate renewal failed for whatever reason (network problem, buggy certbot, etc.)?

certbot is version 2.1.0 (Debian Testing).

I don't know what post.local is. Symlink?

The --pre-hook and --post-hook runs irrespective of the renewal outcome. It is intended for tasks like setting firewall rules.

If you want a hook that only runs upon certificate renewal, use --deploy-hook (/etc/letsencrypt/renewal-hooks/deploy).


AFAICT the deploy hook is one script for all certificates. Not what I need. Is there a domain-specific deploy script run just for the renewed certificate? Does certbot indicate somehow whether the renewal failed or succeded?

Yes (sort of), it's the --deploy-hook option as mentioned by _az above. That option is certificate specific. (One cert can contain multiple domains, so it's not domain specific, but that's also not really the point of a deploy hook anyway.)


If you want a hook to affect all of your certificates, use /etc/letsencrypt/renewal-hooks/.

If you want a hook to be specific to one certificate, use the CLI flags and the setting will be saved to the relevant /etc/letsencrypt/renewal/*.conf file.

There is no difference between pre, post and deploy hooks when it comes to the question of whether they are certificate-specific or not.

On Certbot 2.3.0 or newer, you can use the reconfigure verb to add a certificate-specific hook:

sudo certbot reconfigure --cert-name --deploy-hook "/path/to/"

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.