Route-53 + grafana


I use certbot with route-53 plugin to generate a certificate. I need to use that certificate with grafana. I have to move it to /etc/grafana/certificates and change the permission and owner/group to be able to use it.

My question is about the systemctl timer running certbot renew twice a day.

How can I automate the process of moving and changer owner/group and permission and restart grafana if certbot successfully renew the certificate.

Thank you!


Hi @metabsd, great question

This sounds like a good match for a --deploy-hook:

  --deploy-hook DEPLOY_HOOK
                        Command to be run in a shell once for each
                        successfully issued certificate. For this command, the
                        shell variable $RENEWED_LINEAGE will point to the
                        config live subdirectory (for example,
                        "/etc/letsencrypt/live/") containing the
                        new certificates and keys; the shell variable
                        $RENEWED_DOMAINS will contain a space-delimited list
                        of renewed certificate domains (for example,
                        "" (default: None)


However, rather than move the files you should copy them with cp -L because certbot needs to be able to find them in their original location to determine if they need to be renewed yet :slight_smile:


Great point, thanks @jmorahan :+1:


Thanks all for your help. The community of Let’s encrypt is really good.



Another little question about adding --deploy-hock to an existing /etc/letsencrypt/renewal/somedomain.conf

Do I have to rerun a --force-renewal with the new certbot arguments or I can modify the .conf ?

Thank you!


You can do either but --force-renewal is recommended over modifying the conf directly as it checks that it actually renewed successfully before updating the file. (Just don’t do it too frequently, or you could hit the rate limits).


Make sure you spell that HOOK not HOCK :slight_smile:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.