I use certbot with route-53 plugin to generate a certificate. I need to use that certificate with grafana. I have to move it to /etc/grafana/certificates and change the permission and owner/group to be able to use it.
My question is about the systemctl timer running certbot renew twice a day.
How can I automate the process of moving and changing owner/group and permission and restarting grafana if certbot successfully renews the certificate?
This sounds like a good match for a --deploy-hook:
--deploy-hook DEPLOY_HOOK
Command to be run in a shell once for each
successfully issued certificate. For this command, the
shell variable $RENEWED_LINEAGE will point to the
config live subdirectory (for example,
"/etc/letsencrypt/live/example.com") containing the
new certificates and keys; the shell variable
$RENEWED_DOMAINS will contain a space-delimited list
of renewed certificate domains (for example,
"example.com www.example.com" (default: None)
However, rather than move the files you should copy them with cp -L because certbot needs to be able to find them in their original location to determine if they need to be renewed yet.
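A deploy hook along the lines the answer above describes, as an added example that is not part of the original posts: it copies the renewed files with cp -L, tightens ownership and permissions, and restarts Grafana only after the copy succeeds. The grafana:grafana owner, the grafana-server unit name and the destination file names are assumptions; adjust them to your installation.

```shell
#!/bin/sh
# Certbot deploy hook (added example, not from the original thread).
# Assumptions: Grafana runs as grafana:grafana under the systemd unit
# "grafana-server" and reads fullchain.pem / privkey.pem from DEST_DIR.
set -eu

DEST_DIR="${DEST_DIR:-/etc/grafana/certificates}"
CERT_OWNER="${CERT_OWNER:-grafana:grafana}"   # assumed owner:group
SERVICE="${SERVICE:-grafana-server}"          # assumed unit name

# install_pem SRC DEST MODE
# Copies SRC (a symlink in certbot's live/ directory) as a regular file.
# mktemp creates the temp file with mode 0600, so the private key is never
# world-readable, and the final rename within DEST_DIR is atomic.
install_pem() {
    tmp=$(mktemp "$2.XXXXXX")
    cp -L "$1" "$tmp"
    chmod "$3" "$tmp"
    # chown needs root; certbot normally runs the hook as root.
    if [ "$(id -u)" -eq 0 ]; then chown "$CERT_OWNER" "$tmp"; fi
    mv -f "$tmp" "$2"
}

# deploy_lineage LINEAGE_DIR
# Fails without touching DEST_DIR if either file is missing or unreadable.
deploy_lineage() {
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ] || return 1
    mkdir -p "$DEST_DIR"
    install_pem "$1/privkey.pem"   "$DEST_DIR/privkey.pem"   0600
    install_pem "$1/fullchain.pem" "$DEST_DIR/fullchain.pem" 0644
}

# Certbot sets RENEWED_LINEAGE only when it runs the hook after a
# successful issuance; with set -e a failed copy skips the restart.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_lineage "$RENEWED_LINEAGE"
    systemctl restart "$SERVICE"
fi
```

Pass the script's path to certbot with --deploy-hook, or place it in /etc/letsencrypt/renewal-hooks/deploy/ so every renewal run picks it up.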
You can do either but --force-renewal is recommended over modifying the conf directly as it checks that it actually renewed successfully before updating the file. (Just don’t do it too frequently, or you could hit the rate limits).