Run script after each automatic renewal


I followed the wildcard instruction on

I have multiple server (apache, nodejs, mailserver, …) sharing same certificates and i need to copy certificate files on multiple server after each renewal. I think i will dedicate a virtual machine to generate and copy certificates on all machines.

Is it a good practice ? If yes, how can i tell certbot to launch a script after each automatic renewal ?

Voici les infos demandées :

Web server : Apache/2.4.29 on Ubuntu 18.04.1 LTS
Bind server : BIND 9.9.5-3ubuntu0.2-Ubuntu on Ubuntu 14.04.1 LTS

Yes, it is. You're going to use the dns-01 challenge? Would be a good choice if you're running your own DNS server indeed. No need for HTTP challenge redirects et cetera.

See the Renewing certificates part of the certbot documentation, especially the part of --deploy-hook or its equivalent directory /etc/letsencrypt/renewal-hooks/deploy.

Also see the help text of the --deploy-hook variable in the command line options overview, it has more information about environment variables which can be used in the script(s).

Yes, dns-01 is already installed. I hesitate between two approach :

  • copy certificate over ssh on all machine after each renewal
  • share same certificate files with NFS mount on all servers

Which do you think is the best approach ?

OK, thanks ! i will look at theses pages :slight_smile:

NFS is unencrypted so not suitable for your private key if your network isn't secure. Personally, I would use scp / ssh to copy the cert and private key. Of course you'll also need to reload the service so it uses the new key, which might be done with perhaps the same ssh command. I'm pretty sure you might find others which already scripted solutions for this on the world wide web.

OK, i’ll look at certbot post renewal hook for scripting scp+restart.

Thanks for your help !

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.