
On a mail server I need to reload Dovecot after Certbot renews my Let's Encrypt certificates. According to the Certbot documentation a --deploy-hook can be used:

Command to be run in a shell once for each issued certificate.

I found the cron job that was created automatically at /etc/cron.d/certbot, and with the help of certbot and this question I figured I would use:

# /etc/cron.d/certbot: the test skips the job when /run/systemd/system exists (systemd in use); --deploy-hook appended to the stock line
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook "service dovecot reload"

The problem is, Dovecot does not appear to restart. Certificate renewal is still successful. My question: how do I make sure Dovecot is reloaded after certificate renewal?

Additional information: the server runs Ubuntu 18.04.3 LTS with Certbot 0.31.0.

2 Answers

Would --post-hook instead of --deploy-hook work? If so, deploy-hook will also work, but only in case of an actual renewal. Maybe try this syntax as well: --deploy-hook="restart app..."

MeMow

Due to the lack of a comprehensive answer, I want to add the solution I went with after stumbling over this thread.

According to readthedocs.io:

When Certbot detects that a certificate is due for renewal, --pre-hook and --post-hook hooks run before and after each attempt to renew it. If you want your hook to run only after a successful renewal, use --deploy-hook in a command like this.

certbot renew --deploy-hook /path/to/deploy-hook-script

Derived from that, the "--deploy-hook" parameter expects a path to a script. I did not test whether a quoted command would work as well, but my first guess is that this is why your attempt failed.

You can also specify hooks by placing files in subdirectories of Certbot’s configuration directory. Assuming your configuration directory is /etc/letsencrypt, any executable files found in /etc/letsencrypt/renewal-hooks/pre, /etc/letsencrypt/renewal-hooks/deploy, and /etc/letsencrypt/renewal-hooks/post will be run as pre, deploy, and post hooks respectively when any certificate is renewed with the renew subcommand.

This is how I did it. I simply created a shell script in /etc/letsencrypt/renewal-hooks/deploy, called it e.g. 00-do-stuff.sh, and made it executable (sudo chmod +x path/to/file).

Please let me and everybody know if this works for you :)

randmin
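An added example, not code from the question or from either answer, that does what the question asks using the renewal-hooks directory the second answer describes. Two caveats it is built around: first, on a systemd host such as Ubuntu 18.04 the stock /etc/cron.d/certbot line shown in the question skips itself, because `test \! -d /run/systemd/system` fails whenever systemd is running, so renewals are actually driven by the packaged certbot.timer and any --deploy-hook appended to the cron line never runs; a script in /etc/letsencrypt/renewal-hooks/deploy is picked up by whichever invocation of `certbot renew` does the work. Second, Certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks, so a hook can reload Dovecot only when the lineage it actually serves was renewed rather than on every renewal of every certificate on the box. Assumptions: Dovecot's TLS settings live in /etc/dovecot/conf.d/10-ssl.conf and its `ssl_cert` points at a fullchain.pem under /etc/letsencrypt/live/; the hostname mail.example.com and the sample config in the test are placeholders.

```shell
#!/bin/sh
# Added example (not the original poster's or answerers' code): a Certbot deploy hook
# intended for /etc/letsencrypt/renewal-hooks/deploy/10-dovecot.sh (chmod +x).
# Certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/mail.example.com) and
# RENEWED_DOMAINS when it invokes a deploy hook. Paths below are assumptions.
set -eu

DOVECOT_SSL_CONF="${DOVECOT_SSL_CONF:-/etc/dovecot/conf.d/10-ssl.conf}"

# dovecot_cert_path CONF_FILE
# Print the certificate file Dovecot loads, taken from a line such as
#   ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
# (the leading "<" is Dovecot's read-from-file syntax). Prints nothing if absent.
dovecot_cert_path() {
    sed -n 's/^[[:space:]]*ssl_cert[[:space:]]*=[[:space:]]*<[[:space:]]*\(.*\)$/\1/p' "$1" | head -n 1
}

# needs_reload CONF_FILE LINEAGE
# Succeed (exit 0) when the certificate Dovecot serves lives inside LINEAGE,
# i.e. the lineage Certbot just renewed is the one Dovecot has loaded; fail otherwise.
needs_reload() {
    cert=$(dovecot_cert_path "$1")
    [ -n "$cert" ] || return 1
    case "$cert" in
        "${2%/}"/*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Hook entry point: only runs when Certbot invoked us (RENEWED_LINEAGE is set).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if needs_reload "$DOVECOT_SSL_CONF" "$RENEWED_LINEAGE"; then
        logger -t certbot-deploy "reloading dovecot for ${RENEWED_DOMAINS:-?}"
        # "dovecot reload" asks the running daemon to re-read its configuration,
        # which includes re-reading the certificate and key files.
        dovecot reload
    else
        logger -t certbot-deploy "not reloading dovecot: $RENEWED_LINEAGE is not its certificate"
    fi
fi
```

To confirm the reload actually happened after a renewal, compare the notAfter date of the certificate on disk with the one Dovecot is presenting: `openssl x509 -noout -enddate -in /etc/letsencrypt/live/mail.example.com/fullchain.pem` against `openssl s_client -connect mail.example.com:993 </dev/null 2>/dev/null | openssl x509 -noout -enddate`. If the two differ after a renewal, the hook did not run or Dovecot did not pick the file up; `grep certbot-deploy /var/log/syslog` shows which branch the hook took.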