Renewal-hooks per domain

I have read the documentation,
I have searched stackoverflow,
using certbot 1.25.0 on Linux
I did not find a way to run per domain post-renewal hooks.

I see that /etc/letsencrypt/renewal-hooks/post has room for shell scripts. But those are global.
Do those shell scripts receive any arguments?
When are those scripts run exactly, after each domain's renewal or once after all renewals have completed (with or without error)?

I see someone had a similar question, When are renewal-hooks run?, which remained completely unanswered; not just that, but it was autoclosed.
I think maybe I should open a github issue to receive a response.


Please see the appropriate sections of the Certbot documentation:

Renewing certificates

That section also refers to more details about the hooks by running certbot --help renew.

At the bottom of the documentation you can find that output, among everything else from certbot --help: Certbot command-line options


There are two ways to use hooks in Certbot:

  • The directory hooks in /etc/letsencrypt/renewal-hooks/{pre,post,deploy}, which will run for every certificate.
  • Specifying a hook when creating or renewing a specific certificate with --pre-hook, --post-hook and --deploy-hook.

--deploy-hook (and its directory equivalent) receives $RENEWED_LINEAGE as an environment variable, which points to the /etc/letsencrypt/live/example.com directory. You may use $(basename $RENEWED_LINEAGE) to get the certificate name.

--pre-hook and --post-hook do not receive any arguments or environment variables.

Each --pre-hook is executed immediately before the renewal attempt for any certificate which asks for it to run. If multiple certificates have the same --pre-hook, it will only be executed a single time. It is deduplicated.

All --post-hooks are gathered and executed after every certificate renewal attempt has completed. The success or failure of each certificate renewal attempt has no effect on whether the hook runs. As with --pre-hook, they are deduplicated.

Each --deploy-hook is executed immediately after a successful renewal attempt for its respective certificate. It is not executed if the renewal attempt for that certificate fails.


Thank you.
Can there ever be a situation where $RENEWED_DOMAINS is more than one domain?
I can't think of one, because it's in context of the single renewed domain, as far as I understood the documentation?


A certificate can contain multiple domains, so I don't see why $RENEWED_DOMAINS wouldn't be able to contain more than a single domain name?

From the documentation linked above:

the shell variable $RENEWED_DOMAINS will contain a space-delimited list of renewed certificate domains (for example, "example.com www.example.com")

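Putting the two answers above together, the deploy hook is the per-certificate mechanism the question is after: Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy once for each successfully renewed certificate, with RENEWED_LINEAGE pointing at the live directory and RENEWED_DOMAINS holding the space-delimited list of that certificate's names. A single global deploy hook can therefore dispatch to a per-certificate script keyed on the lineage name. The script below is an added example written for this page, not code from the thread or from Certbot; the deploy.d directory, its one-file-per-certificate layout and the dispatch script's file name are assumptions for the example, not a Certbot convention.

```shell
#!/bin/sh
# Assumed location: /etc/letsencrypt/renewal-hooks/deploy/10-per-cert-dispatch.sh
# Certbot runs every executable in that directory once per successfully renewed
# certificate, with RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) and
# RENEWED_DOMAINS (space-delimited names) in the environment.
# Added example for this thread; not Certbot's own code.
set -e

# Assumed layout (not a Certbot convention): one executable per certificate name,
# e.g. /etc/letsencrypt/renewal-hooks/deploy.d/example.com
PER_CERT_DIR="${PER_CERT_DIR:-/etc/letsencrypt/renewal-hooks/deploy.d}"

# Certificate (lineage) name taken from the live directory path, pure shell.
cert_name() {
  dir="${1%/}"                       # tolerate a trailing slash
  printf '%s\n' "${dir##*/}"
}

# Succeeds if the space-delimited list in $2 contains $1 as an exact entry,
# so a per-cert script can tell "example.com" apart from "www.example.com".
domains_contain() {
  needle="$1"
  for d in $2; do                    # unquoted on purpose: split on spaces
    [ "$d" = "$needle" ] && return 0
  done
  return 1
}

# Runs the per-certificate script for the renewed lineage, if one exists.
# $1 = lineage directory, $2 = renewed domains. A missing script is not an
# error; a failing script is, and set -e propagates that to certbot's hook log.
run_per_cert_hook() {
  lineage="$1"
  domains="$2"
  name=$(cert_name "$lineage")
  hook="$PER_CERT_DIR/$name"
  if [ ! -x "$hook" ]; then
    return 0
  fi
  echo "deploy-hook: $name renewed ($domains), running $hook" >&2
  # Pass the variables explicitly so the function also works outside certbot.
  RENEWED_LINEAGE="$lineage" RENEWED_DOMAINS="$domains" "$hook"
}

# Entry point when certbot invokes this file; skipped if RENEWED_LINEAGE is unset.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  run_per_cert_hook "$RENEWED_LINEAGE" "${RENEWED_DOMAINS:-}"
fi
```

A per-certificate script such as deploy.d/example.com then only needs to do that certificate's work (copy the files out of $RENEWED_LINEAGE, reload the service that uses them) and can still inspect $RENEWED_DOMAINS, since one certificate may cover several names. Because deploy hooks only fire after a successful renewal, this avoids the global post-hook's limitation that it runs once, without arguments, regardless of which certificates succeeded.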

In short:
If you can get a cert, you can save the required pre and post hooks for it.

Rinse and repeat...

You can have many certs with their individualized pre and post hooks (per cert) saved and then reused on their specific renewals.

