The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:
$ sudo certbot renew --dry-run
So, which is the right way to tell "prosodyctl" that the certificates changed? That is, to run "prosodyctl --root cert.." only if there is a change / update of the certificate?
--pre-hook and --post-hook hooks run before and after every renewal attempt. If you want your hook to run only after a successful renewal, use --deploy-hook in a command like this.
No. If you use the --deploy-hook option when requesting the certificate originally, or when renewing it manually with --force-renewal, then the command you supply will be stored in the renewal configuration file for that certificate (in /etc/letsencrypt/renewal/) and any future certbot renew command, including the one in the default crontab or systemd timer, will run it again automatically when that certificate is renewed. You do not need to modify the crontab itself.
Either should work, and for a single short command like that I’m not sure there is a preferred way (perhaps a Certbot developer can contradict me).
You might prefer to use a script if you have a long or complex deployment procedure, or if you want to reuse the same procedure for different certificates.
In my mind, the answer may depend on the process of:
[not familiar with this command]
If that can be run whenever/wherever without any concern, then it can stand on its own and be run from cron (as often as you like | daily, hourly, weekly).
If it creates any real "impact" that you would want to occur only when absolutely needed (like stopping & then restarting a service), you would definitely want it attached to a --deploy-hook call.
In practice, the "--post-hook" no longer makes sense with the introduction of the "--deploy-hook".
Or it makes sense to send notifications or minor things ..
They serve different purposes. --post-hook is mostly useful for undoing the effects of --pre-hook. For example, if you needed to temporarily open a port in your firewall before the renewal attempt, and close it again afterwards - you would want both things to happen whether the renewal actually succeeded or not. --deploy-hook on the other hand is for things you want to do only after a successful renewal, such as reloading a mail or chat server that will use the newly renewed certificate.
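An added example, not part of the thread and not Certbot's or Prosody's own code: a deploy-hook wrapper that runs a command only when the renewed certificate covers a given domain. Certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks; the function names, the LIVE_DIR variable and the domains used with it are assumptions made for illustration.

```shell
#!/bin/sh
# Deploy-hook wrapper (added example). Certbot runs deploy hooks as root after
# a successful renewal and exports:
#   RENEWED_LINEAGE  live directory of the renewed certificate
#   RENEWED_DOMAINS  space-separated names covered by that certificate
# Usage (hypothetical): deploy-if-domain.sh <domain> <command> [args...]

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"   # overridable for testing

# lineage_ok DIR: accept only a direct child of LIVE_DIR that holds a
# non-empty certificate chain and private key.
lineage_ok() {
    case "$1" in
        *..*|"$LIVE_DIR"/*/*) return 1 ;;   # traversal or nested path
        "$LIVE_DIR"/?*) ;;                  # exactly one level below LIVE_DIR
        *) return 1 ;;
    esac
    [ -s "$1/fullchain.pem" ] && [ -s "$1/privkey.pem" ]
}

# covers_domain NAME LIST: exact match of NAME against a space-separated LIST.
# Pattern matching avoids word splitting, so "*.example.org" is never globbed.
covers_domain() {
    case " $2 " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# run_deploy NAME CMD...: run CMD only if the renewed certificate is valid
# on disk and covers NAME. Returns 2 for a bad lineage, 3 for another cert.
run_deploy() {
    wanted="$1"; shift
    lineage_ok "${RENEWED_LINEAGE:-}" || {
        echo "deploy hook: unexpected lineage '${RENEWED_LINEAGE:-}'" >&2
        return 2
    }
    covers_domain "$wanted" "${RENEWED_DOMAINS:-}" || return 3
    "$@"
}

# When called by Certbot with arguments, act on them; with none, do nothing.
if [ "$#" -gt 1 ]; then
    run_deploy "$@"
fi
```

Pass the script, the domain and the command to run as the --deploy-hook value; Certbot stores it in the renewal configuration as described above, so nothing runs when the renewal attempt fails or when a different certificate is renewed.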