Pre & post-hook question

I'm using certbot on my mail server, and I need to stop nginx before updating the cert and restart it after updating the cert, but I also need to restart dovecot.

Is it possible to do something like this:
/usr/bin/certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start;;service dovecot restart"

Or do I need to use the pre and post directories and put scripts into them to do the stops/starts/restarts?

2 Likes

I would start with improving the overall renewal checking experience with:

  • using the --deploy-hook (only when the cert changes) to restart those things that weren't stopped
    [like Dovecot]
  • look for a way to use nginx instead of having to stop it (to check if a cert needs to be renewed) on each renewal.
    [<1% of regularly scheduled checks require a renewal]

So, at a bare minimum (improvement), you could do all three:

/usr/bin/certbot renew \
--pre-hook "service nginx stop" \
--post-hook "service nginx start" \
--deploy-hook "service dovecot restart"

For multiple commands... I would think so.
EDIT (for clarity/completeness): You can either put the scripts in the directory (which will always run) or call the scripts directly from the hooks in the command line (on a one-by-one basis - different cert renewals may require different things to be restarted).
OR maybe try with " && " instead of just ";;" as a separator.
Not sure as I don't normally use pre/post hooks.


5 Likes
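As an added example (not written by any poster in this thread) of the script-in-directory approach mentioned above: a deploy hook that restarts Dovecot only when the renewed certificate covers the mail hostname and the lineage files are present. The file path, the `MAIL_HOST` value, the `DRY_RUN` switch and the function names are assumptions; `RENEWED_LINEAGE` and `RENEWED_DOMAINS` are the variables Certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example. Assumed location: /etc/letsencrypt/renewal-hooks/deploy/restart-mail.sh
# Certbot normally runs as root, so keep this file root-owned and not writable
# by anyone else: whatever it contains runs with Certbot's privileges.

MAIL_HOST="${MAIL_HOST:-mail.example.com}"   # constructed hostname (assumption)

# Succeeds if $1 is an exact entry in the space-separated list $2.
domain_in_list() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if the lineage directory $1 holds a non-empty chain and key.
lineage_ok() {
    [ -s "$1/fullchain.pem" ] && [ -s "$1/privkey.pem" ]
}

# Prints the services that must reload the certificate for domain list $1.
# nginx is absent on purpose: the pre/post hooks already stop and start it.
services_for() {
    if domain_in_list "$MAIL_HOST" "$1"; then
        echo dovecot
    fi
}

# Runs a command, or only prints it when DRY_RUN=1 (for testing the hook).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "would run: $*"; else "$@"; fi
}

deploy_main() {
    lineage_ok "$RENEWED_LINEAGE" || {
        echo "incomplete lineage: $RENEWED_LINEAGE" >&2
        return 1
    }
    for svc in $(services_for "${RENEWED_DOMAINS:-}"); do
        run service "$svc" restart || return 1
    done
}

# Certbot sets RENEWED_LINEAGE for deploy hooks; do nothing when it is absent.
[ -z "${RENEWED_LINEAGE:-}" ] || deploy_main
```

Running it by hand with `DRY_RUN=1` and the two variables set shows which restarts a real renewal would trigger without touching any service.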

A couple of things to add:

  • The --pre-hook won't run unless a renewal is actually going to happen.
  • I can confirm for you that you can list multiple commands in a --pre-hook like that. This is because the hook is run inside a shell.

3 Likes

Possible citation needed there.
Was it that way always, or did it change to this way with version x.y.zz?

2 Likes

Yes, it's been the case since the original implementation of hooks (0.5.0).

3 Likes
