Reasoning behind hooks directory available only for certificate renewal

Can someone please clarify why the option to run hooks (pre/post/deploy) from a directory is made available only for the 'renew' subcommand but not for the 'certonly' subcommand? I know that to run the hook with the certonly subcommand, I can specify options like --pre-hook.

The question is why not use the scripts in the pre/post/deploy directory also for the certonly subcommand? What is the use case that demands running hooks on renewal but not on certificate creation?

I am trying to automate certificate creation and renewal using Ansible. The users will provide scripts that they want to run before/after the certificate creation/renewal. The trouble is that if there are many pre/post/deploy hook scripts, I need to specify each of them individually with the certonly option, but for renewal it automatically runs them from the folder.

What am I missing here, please?

1 Like

You can do stuff you need for renewal but not for certificate creation, like restarting/reloading the webserver.
What is the problem with specifying the hooks? In case you have multiple scripts per hook, consider consolidation or write a wrapper script.
If you use the flags, they are already included in the renew, independent from the directory, as you can see at

/etc/letsencrypt/renewal/example.com.conf
2 Likes

That is a fair question and might be better posted at the github for Certbot (link here).

I believe your understanding of the hook folder is correct. But, I wonder why you are even using that. If I understand correctly, you are getting certs with different criteria for various people. If so using the common hook folder might not be best. You might be better served using the proper hook option on the certonly command. And, reference a script in your own script folder not one of the special-purpose Certbot folders.

A successful certonly writes the options used, including hooks, to the Certbot /renewal/ folder config file. A renew for that cert uses those same options.

4 Likes
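The two replies above both point at the same approach: give certbot one --pre-hook/--post-hook/--deploy-hook flag per stage and let a wrapper script take care of "many scripts per stage", so that the flags certonly records in /etc/letsencrypt/renewal/<domain>.conf carry over to renew. The script below is an added example written for this thread, not code from Certbot or from the poster's Ansible role; the wrapper path, the hooks root layout (`<root>/pre`, `<root>/post`, `<root>/deploy`) and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): run every executable in a per-stage
# hook directory, so certbot needs only one --<stage>-hook flag per stage.
# The layout <hooks_root>/{pre,post,deploy} and the wrapper path are assumed.

# Run every executable file in "$1" in sorted glob order and stop at the first
# failure, so certbot sees a non-zero exit status exactly as it would from a
# single failing hook script. A missing directory means "no hooks for this
# stage" and is not an error.
run_hook_dir() {
    hook_dir="$1"
    [ -d "$hook_dir" ] || return 0
    for script in "$hook_dir"/*; do
        [ -x "$script" ] || continue      # skips README files and an empty glob
        "$script" || return 1
    done
    return 0
}

# Print the certbot certonly command line for a domain, adding a hook flag only
# for stages whose directory exists. certonly stores these flags in the renewal
# config, so a later `certbot renew` reuses them without the renewal-hooks dirs.
certbot_cmdline() {
    domain="$1"; hooks_root="$2"; wrapper="$3"
    printf '%s' "certbot certonly -d $domain"
    for stage in pre post deploy; do
        [ -d "$hooks_root/$stage" ] || continue
        printf ' --%s-hook "%s %s/%s"' "$stage" "$wrapper" "$hooks_root" "$stage"
    done
    printf '\n'
}

# When certbot invokes this file as a hook (e.g. "wrapper.sh /opt/hooks/pre"),
# run that stage's directory; with no argument the file only defines functions.
if [ $# -gt 0 ]; then
    run_hook_dir "$1"
fi
```

Because the wrapper stops at the first failing script, the stage fails as a whole; that is the behaviour to want for a deploy hook, where a half-applied reload is worse than an aborted one. Scripts run in glob order, so a numeric prefix (10-, 20-, ...) gives a predictable sequence.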

There is no problem in specifying the hooks. Using two different approaches depending on the subcommand does not look nice. I plan to discard the 'directory' approach and use only flags (--pre-hook etc.) for both certonly and renew. The burden is on the user of the Ansible role to provide a wrapper script. Thanks.

Just to give you the context: I am developing an Ansible role so that other teams can use this role to create/renew certs. In that sense, there is no "common hook folder" that is shared by multiple users. Each team/user will run the Ansible role against their server instance.

I will abandon the "hook directories" approach and will provide config in my Ansible role for the user to specify the path to pre/post/deploy hook scripts. I will use it to construct the certbot command with the appropriate flags. Thanks for your reply.

2 Likes

Posted this on GitHub: Need consistent approach in using pre/post/deploy hooks with certonly and renew subcommands · Issue #9869 · certbot/certbot · GitHub

2 Likes
