Snap.certbot.renew.service --post-hook

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/toddpovilaitis.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/toddpovilaitis.com/privkey.pem
    Your certificate will expire on 2021-08-01. To obtain a new or
    tweaked version of this certificate in the future, simply run
    certbot again. To non-interactively renew all of your
    certificates, run "certbot renew"

My web server is (include version):

  • HAProxy 1.8.23

The operating system my web server runs on is (include version):

  • Centos Stream 8 (kernel: 4.18.0-269.el8.x86_64)

My hosting provider, if applicable, is:

  • N/A

I can login to a root shell on my machine (yes or no, or I don't know):

  • Yes. Deployment is automated with Terraform and Ansible.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

  • No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

  • snap certbot 2.49-2.el8 with certbot-dns-route53

I need to add two steps "post-hook" after the successful renewal and download of new certs to complete the automated process.

  • concatenate fullchain.pem and privkey.pem into haproxy.pem
  • restart/reload haproxy

snap.certbot.renew.service, has this command:

ExecStart=/usr/bin/snap run --timer="00:00~24:00/2" certbot.renew

Do I just append a --post-hook command (e.g., run this shell script) to the current/existing ExecStart command?

1 Like

Hi @todd.povilaitis,

This is probably better as --deploy-hook rather than --post-hook (a --deploy-hook is run only when a new certificate was successfully obtained).

It's probably better to re-run your certbot certonly command on the command line with the additional --deploy-hook at the end. You may also need to add --force-renewal. After this, the deploy hook should be saved in /etc/letsencrypt/renewal/toddpovilaitis.com.conf and should be used automatically when certbot renew is run by systemd.

You could also edit /etc/letsencrypt/renewal/toddpovilaitis.com.conf yourself and add

deploy_hook = /my/script/path

in the bottom section.

1 Like

Welcome to the Let's Encrypt Community :slightly_smiling_face:

I see that @schoen has already given you excellent advice. I just want to contribute a few words of caution about --force-renewal. While it is necessary to use --force-renewal to have the renewal configuration updated properly when making configuration changes, it should never be used inside of an automated context like a cron job. The actual function of --force-renewal is to cause certificates to be replaced/renewed even if they are nowhere near expiration. Improper use can (and often does) result in hitting the duplicate certificate rate limit of 5 certificates covering the same (sub)domain names per rolling week.

1 Like

Hi @schoen,

Thanks for clarifying the "hook" behaviors. So, if I just add --deploy-hook /my/script/path to my initial command, I should be good to go.

1 Like

Yep, but you'll need to either add --force-renewal (for updating the configuration only) or tell certbot to update the certificate when asked. Certbot will only save your new parameters if a certificate is actually acquired.

Here's an improved command:

certbot certonly --dns-route53 --dns-route53-propagation-seconds 30 -d "toddpovilaitis.com,toddpovilaitis.net,toddpovilaitis.org,toddpovilaitis.info,*.toddpovilaitis.com,*.toddpovilaitis.net,*.toddpovilaitis.org,*.toddpovilaitis.info" --deploy-hook /my/script/path --force-renewal

Hi @griffin,

Thanks for the tip. Had this been more troublesome, I would have used the staging server(s). But I managed to get 99% of the way there on just a couple of passes.

I'll just touch up my Ansible code, then do one final redeploy - next week (just in case I've hit this week's limit). After all, I have a working system today. It's just the renewal 2 months from now that needs tweaking.

1 Like

You probably already know the following things, but I'll state them just in case you don't as they're great to have in your toolbelt. :slightly_smiling_face:

  • You can use https://crt.sh to find all the certificates you have been issued for any domain name. Be sure to select the "deduplicate" option if you want the precertificates to not be included in the list. This is immensely helpful for avoiding hitting the rate limits.
  • You can use --dry-run with certonly and renew (but not run, silly enough) to test your commands. This is greatly important when testing renewal.
  • You need to use --force-renewal without --dry-run to test the deployment hook.

@griffin

I didn't know about https://crt.sh. Thank you. I'll take a look.
I've tested renew with --dry-run. OK.
And you have to actually go through with a renewal in order for the deploy hook to fire.

All good info. Thanks.

1 Like

Yep, but you can use certbot renew --force-renewal rather than waiting 2 months. If that works, your cron renewal will likely work in two months.