On Sat, Aug 26, 2017 at 1:40 AM, Ian Zimmerman <i...@very.loosely.org> wrote:
>
> I don't understand the letsencrypt certbot renewal process, specifically
> the hooks.
>
> I have two certificates: one for webserver, one for mailserver. I got
> them only very recently, so until now the renewal cronjob has always
> been a no-op, but the real thing will happen very soon. When it does,
> presumably I need to have both daemons restarted so that they read the
> renewed certificates. So, how do I do this? Right now my cronjob is
> just
>
>     certbot renew -n --standalone --preferred-challenges tls-sni
>
> which should renew any and all certificates when they're "close" to
> expiring. But the documentation doesn't say if I can have multiple
> --pre-hook and --post-hook options and what the semantics would be. The
> closest it comes is:
>
>     When renewing several certificates that have identical pre-hooks, only
>     the first will be executed.
>
> which doesn't make any sense: what does it mean for a certificate to
> "have" a pre-hook? The pre-hook is just there on the command line;
> there is no association with a particular certificate that a machine
> could infer.
>
> The cop-out solution is to have a single pre-hook and a single
> post-hook, which stop (resp. start) both daemons, but that is ugly. How
> do people handle this?
I just need to restart apache, so my daily cron job is:

    certbot renew --standalone --quiet \
        --pre-hook 'systemctl stop apache2.service' \
        --post-hook 'systemctl start apache2.service'

With systemd, I just need one command to stop/start/restart several
services. With OpenRC I suppose you could do:

    certbot renew --standalone --quiet \
        --pre-hook '/etc/init.d/apache2 stop && /etc/init.d/postfix stop' \
        --post-hook '/etc/init.d/apache2 start && /etc/init.d/postfix start'

The documentation says that the hooks are a "command to be run in a shell",
so it should work.

Another solution is to have a simple script:

    #!/bin/sh
    # Controls apache and postfix: /usr/local/bin/certbot-aux
    if [ $# != 1 ]; then
        echo 'Need a parameter'
        exit 1
    fi
    /etc/init.d/apache2 "${1}"
    /etc/init.d/postfix "${1}"

And then the cron job is:

    certbot renew --standalone --quiet \
        --pre-hook '/usr/local/bin/certbot-aux stop' \
        --post-hook '/usr/local/bin/certbot-aux start'

Regards.
--
Dr. Canek Peláez Valdés
Profesor de Carrera Asociado C
Departamento de Matemáticas
Facultad de Ciencias
Universidad Nacional Autónoma de México
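A hardened variant of the certbot-aux idea from the reply above, added here as an example rather than code from the thread: it accepts only a fixed set of actions, runs every service even if an earlier one fails, and exits non-zero when any service command fails, so a failed post-hook is visible in certbot's output and the cron mail instead of a daemon being left stopped unnoticed. The variable names INIT_DIR and SERVICES are assumptions introduced here so the init directory and service list can be overridden; OpenRC-style /etc/init.d/<service> scripts are assumed, as in the reply.

```shell
#!/bin/sh
# Added example (not from the thread): hook script for "certbot renew".
# Usage: certbot-aux start|stop|restart|reload
# Assumed names: INIT_DIR (directory of init scripts) and SERVICES
# (space-separated list of services), both overridable from the environment.

INIT_DIR="${INIT_DIR:-/etc/init.d}"
SERVICES="${SERVICES:-apache2 postfix}"

# Return 0 if $1 is an action this hook is willing to run, 1 otherwise.
# Anything else (including an empty string) is refused before any init
# script is touched.
valid_action() {
    case "$1" in
        start|stop|restart|reload) return 0 ;;
        *) return 1 ;;
    esac
}

# Run action $1 against every service in SERVICES. Every service is
# attempted even when an earlier one fails; the return value is the
# number of failed services, so 0 means "all succeeded".
run_action() {
    action="$1"
    failures=0
    for svc in $SERVICES; do
        if ! "$INIT_DIR/$svc" "$action"; then
            echo "certbot-aux: $svc $action failed" >&2
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Entry point: exactly one argument, which must be a known action.
# Returns 2 on bad usage, otherwise the failure count from run_action.
main() {
    if [ $# -ne 1 ] || ! valid_action "$1"; then
        echo "usage: $0 start|stop|restart|reload" >&2
        return 2
    fi
    run_action "$1"
}

# Only act when installed and executed as certbot-aux; when the file is
# sourced (for instance to test the functions) nothing runs automatically.
case "$0" in
    *certbot-aux) main "$@" ;;
esac
```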