Post script for auto renewals

I am currently running Certbot 1.14.0 to auto renew approximately 50 certificates on Centos 7. I have been manually reloading/restarting Postfix and Dovecot after any of the certificates are renewed to avoid connection errors.

With the current version there is a new directory /etc/letsencrypt/renewal-hooks/ with deploy, post and pre directories which I understand can be used to execute user scripts.

I realize I can put a directive in the /renewal/domain.conf file like:
renew_hook = systemctl reload postfix (or service postfix reload would work as well)

However if every domain.conf file had that line wouldn't it reload postfix multiple times (there are 16 domains that have the same expiration date.)

If I were to add a script to "/etc/letsencrypt/renewal-hooks/post/do-something.sh" does it run after each renewal or after all renewals are completed?

If it only runs one time after all renewals are completed I would like to do something like:
#!/bin/sh
systemctl reload postfix
systemctl restart dovecot

Does that look correct to reload/restart the services only one time after any/all domains have been renewed? If no domains need to be renewed, would it ignore the post script? Would make the most sense.

Lastly, if I wanted to run a custom command only for a couple specific domains, could I add that to the post script instead of in the domain.conf file?

Something like:
if [ "$DOMAIN" = "special-domain.com" ]; then systemctl restart some-service; fi

If something like that would work, what would I use to get the $DOMAIN output? I'm guessing it would probably have to be a for loop?!?

Any help would be appreciated. I have looked through the Let's Encrypt documentation but couldn't find any examples that I could easily follow.

Hi @webfxjt

please check the documentation - User Guide — Certbot 1.15.0.dev0 documentation

--deploy-hook DEPLOY_HOOK
Command to be run in a shell once for each
successfully issued certificate. For this command, the
shell variable $RENEWED_LINEAGE will point to the
config live subdirectory (for example,
"/etc/letsencrypt/live/example.com") containing the
new certificates and keys; the shell variable
$RENEWED_DOMAINS will contain a space-delimited list
of renewed certificate domains (for example,
"example.com www.example.com" (default: None)

"for each" - so if you renew 10 certificates, that command runs 10 times -> that's not what you want (restarting mail servers 10 times).

But you can use that script

  • to start your single-domain command
  • to create an own file with all renewed certificates to use it later

Thanks JuergenAuer,

I have gone through the documentation but can't seem to find what I'm looking for, at least not that I am understanding.

The directories under /etc/letsencrypt/renewal-hooks are only briefly mentioned in one paragraph and it states "any executable files found in /etc/letsencrypt/renewal-hooks/pre, /etc/letsencrypt/renewal-hooks/deploy, and /etc/letsencrypt/renewal-hooks/post will be run as pre, deploy, and post hooks respectively when any certificate is renewed with the renew subcommand".

I'm assuming that to mean that when certbot renew is run and it renews 4 domains that script will run 4 times?!? In that case I wouldn't want to run a reload/restart command from there.

I have viewed the logs and see that certbot renew automatically reloads the web server after any run with a successful renewal. Even if there are 4 renewals done at once I only see the web server reloaded 1 time. I am trying to accomplish that for postfix and dovecot.

Currently I have a perl script running that checks the letsencrypt.log and sends an email when any certs are renewed with "success" then I manually restart the two services. I was about to modify the script to reload/restart the services at the same time it emails the results. That is when I noticed the /etc/letsencrypt/renewal-hooks directories and was thinking that may be a better way as my script runs about an hour after certbot renew so there is a small window where the certs may show up as invalid with dovecot and postfix. However, after reading the documentation it wasn't (still isn't) clear to me exactly how I would accomplish this using the post directory.

Guess I will continue with my original plan to restart them when any renewal success is found in the log.

Thanks again for the quick response.

I'm not sure if the information for the separate CLI options are also valid for the directories, but the following is stated:

--post-hook POST_HOOK
Command to be run in a shell after attempting to
obtain/renew certificates. Can be used to deploy
renewed certificates, or to restart any servers that
were stopped by --pre-hook. This is only run if an
attempt was made to obtain/renew a certificate. If
multiple renewed certificates have identical post-
hooks, only one will be run
. (default: None)

The bold part is of course interesting and I think relevant: if you use the same script, it will only be run just once.

However, that's assuming it's only ran at the last renewal. Unfortunately, this is not made very clear from the documentation..

@griffin Another thing for your documentation thingie.

2 Likes

Agreed. :slightly_smiling_face:

I also find this part rather disturbing:

A --deploy-hook should be used for this purpose since deployment procedures for a certificate should only be performed if the certificate is actually renewed and not every time a renewal is attempted (as is the case with --post-hook).

Thank you for the advice on cli.ini. Just out of curiosity is there a proper way to issue multiple statements for one hook?

current line I have in cli.ini

deploy-hook = "service postfix reload ; service dovecot restart"

or should it be:
deploy-hook = service postfix reload
deploy-hook = service dovecot restart

I went through the documentation and couldn't find any information on running commands multiple times, however some of them specifically state they can be used more than once.

I tried it both ways and didn't receive any errors although there were no attempted renewals at that time. There should be 4 renewals tonight so I guess I'll find out one way or the other.

Thank you again for pointing me in the right direction!

I think this should work. You should not use multiple deploy-hook statements.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.