I also don’t agree with the suggestion to use --force-renewal
and only run once a month. The more usual process of running certbot renew
twice a day is intended to allow the automated renewals to recover from any temporary failures.
However, if you want to do that, I’d recommend a few other changes as well.
I would create a script like the following and make it executable:
```bash
#!/usr/bin/env bash
# Abort on any failed command or unset variable (e.g. RENEWED_LINEAGE missing).
set -eu
# Certbot sets RENEWED_LINEAGE to the live directory of the renewed cert.
# Concatenate cert and key to the specified file, readable only by root:
(umask 077; cat "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" > "$1")
# Reload HAProxy so it picks up the new certificate
service haproxy reload
```
Let’s say you save that as /usr/local/bin/haproxy-deploy.sh. Then run the certbot certonly command again to renew each certificate individually and change its renewal parameters:
```bash
sudo certbot certonly --standalone -d example.com \
  --preferred-challenges http-01 --http-01-port=8888 \
  --deploy-hook "/usr/local/bin/haproxy-deploy.sh /etc/ssl/example.com/example.com.pem"
```
replacing the path to the pem file with the one you’re actually using in haproxy.
Once you’ve successfully renewed your certs once with that command, a simple certbot renew
should suffice in the future, and you can safely let certbot’s default twice-daily cron job or systemd timer handle it.
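A hardened variant of the deploy hook from this post, added here as an example and not part of the original reply: it refuses to write if either input file is missing or empty, builds the combined PEM in a mode-0600 temp file and renames it into place so HAProxy can never read a half-written file, and only reloads after `haproxy -c` has validated the configuration. The config path /etc/haproxy/haproxy.cfg and the HAPROXY_CFG override are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the original poster's script: hardened certbot deploy hook
# for HAProxy. Exit on any error or unset variable.
set -eu

# Combine a certbot lineage directory ($1) into one HAProxy-style PEM at $2.
# Fails (and leaves $2 untouched) if either input is missing or empty.
build_haproxy_pem() {
    local lineage="$1" out="$2" tmp f
    for f in fullchain.pem privkey.pem; do
        [ -s "$lineage/$f" ] || { echo "missing or empty $lineage/$f" >&2; return 1; }
    done
    # Temp file in the destination directory so the final mv is an atomic rename.
    tmp=$(mktemp "$(dirname "$out")/.$(basename "$out").XXXXXX")
    chmod 600 "$tmp"                      # private key inside: owner-only access
    cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"
    mv -f "$tmp" "$out"
}

# Reload HAProxy only if its config (now referencing the new PEM) validates.
# Config path is an assumption; override with HAPROXY_CFG if yours differs.
reload_haproxy() {
    local cfg="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"
    haproxy -c -f "$cfg" >/dev/null && service haproxy reload
}

# Certbot exports RENEWED_LINEAGE for deploy hooks; the PEM path is argument 1.
# Guarded so the file can also be sourced for testing without running the hook.
if [ -n "${RENEWED_LINEAGE:-}" ] && [ $# -ge 1 ]; then
    build_haproxy_pem "$RENEWED_LINEAGE" "$1"
    reload_haproxy
fi
```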