Post-renewal script is run, even though the cert couldn't be renewed

How can I tell certbot to skip the post-renewal script (/etc/letsencrypt/renewal-hooks/post.local/domain), if certificate renewal failed for whatever reason (network problem, buggy certbot, etc.)?

certbot is version 2.1.0 (Debian Testing).

I don't know what post.local is. Symlink?

The --pre-hook and --post-hook run irrespective of the renewal outcome. They are intended for tasks like setting firewall rules.

If you want a hook that only runs upon certificate renewal, use --deploy-hook (/etc/letsencrypt/renewal-hooks/deploy).

7 Likes

AFAICT the deploy hook is one script for all certificates. Not what I need. Is there a domain-specific deploy script run just for the renewed certificate? Does certbot indicate somehow whether the renewal failed or succeeded?

Yes (sort of), it's the --deploy-hook option as mentioned by _az above. That option is certificate specific. (One cert can contain multiple domains, so it's not domain specific, but that's also not really the point of a deploy hook anyway.)

4 Likes

If you want a hook to affect all of your certificates, use /etc/letsencrypt/renewal-hooks/.

If you want a hook to be specific to one certificate, use the CLI flags and the setting will be saved to the relevant /etc/letsencrypt/renewal/*.conf file.

There is no difference between pre, post and deploy hooks when it comes to the question of whether they are certificate-specific or not.

On Certbot 2.3.0 or newer, you can use the reconfigure verb to add a certificate-specific hook:

sudo certbot reconfigure --cert-name example.com --deploy-hook "/path/to/script.sh"
8 Likes
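One way to write the certificate-specific deploy hook discussed above, as an added example that is not from this thread or from certbot itself. It relies on the fact that certbot runs deploy hooks only after a successful renewal and exports RENEWED_LINEAGE (the live directory of the renewed certificate) and RENEWED_DOMAINS (the names it covers); both are certbot's documented variables. The destination directory, the DEPLOY_DEST_ROOT override, the script name deploy-hook.sh and the commented-out service reload are assumptions made for illustration.

```shell
#!/bin/sh
# Added example of a per-certificate deploy hook for certbot (not certbot's own code).
# Certbot only invokes deploy hooks after a successful renewal, so this script
# never runs for a failed renewal, unlike a post hook.
set -eu

# Root directory the service reads certificates from (assumption; overridable for tests).
DEPLOY_DEST_ROOT="${DEPLOY_DEST_ROOT:-/etc/myservice/tls}"

# Copy the renewed certificate and key into the service's directory.
# $1: lineage directory (what certbot passes as RENEWED_LINEAGE)
# $2: destination directory
# Returns 0 on success, 1 if the lineage is missing its chain or key.
install_renewed_cert() {
    lineage="$1"
    dest="$2"
    for f in fullchain.pem privkey.pem; do
        if [ ! -f "$lineage/$f" ]; then
            echo "missing $lineage/$f" >&2
            return 1
        fi
    done
    mkdir -p "$dest"
    cp "$lineage/fullchain.pem" "$dest/fullchain.pem"
    cp "$lineage/privkey.pem" "$dest/privkey.pem"
    # The private key must not be world-readable after the copy.
    chmod 600 "$dest/privkey.pem"
    return 0
}

# Entry point when certbot invokes the hook. Refuses to do anything unless
# RENEWED_LINEAGE is set, i.e. unless it really is certbot's deploy step.
# Returns 2 when called outside a deploy step, else the install result.
deploy_hook_main() {
    if [ -z "${RENEWED_LINEAGE:-}" ]; then
        echo "RENEWED_LINEAGE not set: not invoked by certbot's deploy step" >&2
        return 2
    fi
    # The lineage name (e.g. example.com) selects the per-certificate directory.
    name=$(basename "$RENEWED_LINEAGE")
    install_renewed_cert "$RENEWED_LINEAGE" "$DEPLOY_DEST_ROOT/$name" || return 1
    echo "deployed renewed certificate for: ${RENEWED_DOMAINS:-$name}"
    # systemctl reload myservice   # hypothetical: tell the service to pick up the new key
    return 0
}

# Run the hook only when executed under its script name, so the functions can
# also be sourced and exercised on their own.
if [ "${0##*/}" = "deploy-hook.sh" ]; then
    deploy_hook_main
fi
```

Installed as the --deploy-hook for one certificate (for example via the reconfigure command above), the script touches only the lineage certbot just renewed; a post hook would have run regardless of whether renewal succeeded.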
