I don’t know what the differences are btw all different arguments after “certbot certonly”.
If I use “certbot certonly --nginx”, will renew cert by certbot.timer/.service reload my nginx server for me? (I can see .service calls certbot -q renew actually).
I am trying to avoid any auto actions done by certbot. I just want certbot to manage the cert, such as registering/renewing certs. That’s all. I don’t want it to touch anything other than the certs. Thus, I don’t want it to reload my nginx server etc…
So, how can I achieve this?
Btw, To clarify, I do apply the certs for nginx, but I prefer all manual nginx setup/reload/restart actions. Thanks a lot.
No. certonly tells you to not modify any nginx configuration file permanently. It only temporarily uses nginx to get the http-01 challenge done and then removes any changes it made. It’s up to you to actually install the certificates into nginx. And reload nginx after any renewal. Which is easily done with a --deploy-hook. See Renewing certificates for more info.
One more question, I just read the doc you suggested. So I can use hook scripts upon renewal. What about different action scripts upon different certs renew? For example, if cert1 is renewed, then run /etc/letsencrypt/renewal-hooks/pre/cert1.sh. If cert2 is renewed, then run /etc/letsencrypt/renewal-hooks/pre/cert2.sh. Something like it. Is that possible? Thank you very much.
I’m sorry, my own testing locally suggests the apache plugin does actually renew the webserver, even after the new certificate is issued, when also using the installer part of the plugin. I’m not sure if this is by design and if you can rely on this for potentially future changes.
By using certonly with the general --nginx (or --apache) option, you’re telling certbot to use the nginx (or apache) plugin as “installer” plugin too, even if the certificate doesn’t actually get installed into nginx (because you told certbot not to by the certonly). In this case the webserver does get reloaded after renewal.
If you use -a nginx instead of --nginx, you’re telling to only use the authenticator part of the nginx plugin. This would result in not reloading the webserver after renewing. In that case, you would need a hook to reload the webserver.
No, as the documentation states:
These hooks are run in alphabetical order and are not run for other subcommands. (The order the hooks are run is determined by the byte value of the characters in their filenames and is not dependent on your locale.)
You can however specify a hook on the command line per certificate. It gets stored in the certificates renewal configuration file.
Dear Osiris, Thanks for the detail explanation again. (Btw, I spent a lot of time trying to figure out how to quote your message like what you did, but failed.)
I think -a nginx is what I am looking for. I also found out the file /etc/letsencrypt/renewal/domain.conf, I think I can change installer = nginx to something else to avoid auto nginx reload.
I also googled and people use pre_hook = and post_hook = under [renewalparams] section for per cert hook scripts. But unfortunately, I can not find anything related to [renewalparams] in the official documentation. The offical doc also does not mention pre_hook = option in the conf file, I am not sure if it’s deprecated or not. Cheers.
As far as I know, you can just use the command line options when renewing/issuing and it gets stored in the renewal configuration file. Personally, I have not used hooks, so I have little experience with them.
Cool. Got it. Thanks a lot for your detail answer, quick reply, kind help, valuable time and patient. I will mark your second reply as the solution since that is actually the one which answered the original question. Cheers.