I use certbot with route-53 plugin to generate a certificate. I need to use that certificate with grafana. I have to move it to /etc/grafana/certificates and change the permission and owner/group to be able to use it.
My question is about the systemctl timer running certbot renew twice a day.
How can I automate the process of moving and changer owner/group and permission and restart grafana if certbot successfully renew the certificate.
Thank you!
Hi @metabsd, great question
This sounds like a good match for a --deploy-hook:
--deploy-hook DEPLOY_HOOK
Command to be run in a shell once for each
successfully issued certificate. For this command, the
shell variable $RENEWED_LINEAGE will point to the
config live subdirectory (for example,
"/etc/letsencrypt/live/example.com") containing the
new certificates and keys; the shell variable
$RENEWED_DOMAINS will contain a space-delimited list
of renewed certificate domains (for example,
"example.com www.example.com" (default: None)
However, rather than move the files you should copy them with cp -L because certbot needs to be able to find them in their original location to determine if they need to be renewed yet 
Thanks all for your help. The community of Let’s encrypt is really good.
Another little question about adding --deploy-hock to an existing /etc/letsencrypt/renewal/somedomain.conf
Do I have to rerun a --force-renewal with the new certbot arguments or I can modify the .conf ?
Thank you!
You can do either but --force-renewal is recommended over modifying the conf directly as it checks that it actually renewed successfully before updating the file. (Just don’t do it too frequently, or you could hit the rate limits).
Make sure you spell that HOOK not HOCK 
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
