@wintermeyer
Created February 5, 2017 15:11
certbot -q renew --renew-hook "service nginx reload"
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "service nginx reload"
@thecjharries

As of 0.17, --renew-hook has been replaced with --deploy-hook. So far, it looks like it's a straightforward facade. However, there's no guarantee it won't be completely removed now that it's changed.

@Freekers

Freekers commented Apr 30, 2018

@thecjharries This is false. --renew-hook has not been replaced by --deploy-hook. --deploy-hook works differently from --renew-hook:

--pre-hook and --post-hook hooks run before and after every renewal attempt. If you want your hook to run only after a successful renewal, use --deploy-hook

Source: https://certbot.eff.org/docs/using.html

@stanvarlamov

stanvarlamov commented May 17, 2018

@Freekers correct. Although, down below on the same doc's page it says

--pre-hook PRE_HOOK Command to be run in a shell before obtaining any
certificates. Intended primarily for renewal, where it
can be used to temporarily shut down a webserver that
might conflict with the standalone plugin. This will
only be called if a certificate is actually to be
obtained/renewed. When renewing several certificates
that have identical pre-hooks, only the first will be
executed. (default: None)

So, will --pre-hook and --post-hook only be called if a certificate is actually to be obtained/renewed, not before and after every renewal attempt?

Sounds like a renewal attempt is when a certificate is actually to be obtained/renewed. One would think that a check for whether a certificate needs to be renewed at this time is part of a renewal attempt. Apparently, not.
So, basically, the only difference between pre/post and deploy in that sense is based on the chance of a renewal failing, not on whether it was "required".
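A deploy-hook script illustrating the hook semantics discussed in this thread, added here as an example and not part of the gist or of certbot itself: certbot runs a deploy hook only after a successful renewal and exports RENEWED_LINEAGE (the live directory of the renewed certificate) and RENEWED_DOMAINS (a space-separated domain list) into its environment. The script path, the NGINX_DOMAINS list and the function names are assumptions; the script reloads nginx only for domains it actually serves and only after the config still parses.

```shell
#!/bin/sh
# Hypothetical deploy hook, e.g. /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
# (assumed path). certbot only runs deploy hooks after a successful renewal, so
# unlike --post-hook this never fires on a "nothing to renew" or a failed attempt.

# Domains whose certificates this nginx instance serves (assumed list).
NGINX_DOMAINS="example.com www.example.com"

# Return 0 if any renewed domain is one nginx serves, 1 otherwise.
# $1 is the space-separated list certbot passes as RENEWED_DOMAINS.
needs_nginx_reload() {
    for d in $1; do
        for n in $NGINX_DOMAINS; do
            [ "$d" = "$n" ] && return 0
        done
    done
    return 1
}

# Return 0 if the renewed lineage directory holds a readable chain and key.
lineage_ok() {
    [ -r "$1/fullchain.pem" ] || return 1
    [ -r "$1/privkey.pem" ] || return 1
    return 0
}

# Reload only after the configuration parses, so a bad config cannot take
# the running site down; failures are logged for the operator.
reload_nginx() {
    if ! nginx -t >/dev/null 2>&1; then
        logger -t certbot-deploy "nginx -t failed, not reloading"
        return 1
    fi
    service nginx reload
}

main() {
    needs_nginx_reload "${RENEWED_DOMAINS:-}" || return 0   # nothing nginx uses
    lineage_ok "${RENEWED_LINEAGE:-}" || return 1
    reload_nginx
}

# Only act when invoked by certbot, which is when RENEWED_DOMAINS is set.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
    main
fi
```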
