[Certbot-dev] Hook Directories

Brad Warren bmw at eff.org
Mon Sep 18 14:25:22 PDT 2017

In Certbot's next minor release, we are planning on adding hook
directories to Certbot to allow users and package maintainers to add
scripts to be run during certificate renewal by simply placing an
executable file in the appropriate directory. We wanted to post the
proposed design of this system publicly to get feedback on it and to
make sure it covers the majority of the desired use cases. If you are
not already familiar with hooks in Certbot, see the documentation about
the --pre-hook, --deploy-hook, and --post-hook flags found at

The proposed design is to create a directory named something like
"renew-hooks" in Certbot's configuration directory (which is located at
/etc/letsencrypt by default). Inside of this directory are three
additional directories called "pre", "deploy", and "post" where hooks of
each type can be placed. Certbot will create these directories itself if
not already done so by the packaging system that installed Certbot.

When Certbot is run with the "renew" subcommand and there are
certificates due for renewal, all executable files found in these
directories will be run like other hooks of the same type and will run
in addition to any hooks defined through existing means such as the
command line, INI configuration file, or renewal configuration file.
Hooks defined in these directories will not be stored in renewal
configuration files, but they will continue to be run when certificates
are renewed with the "renew" subcommand as long as they remain in the
appropriate directory.

Hooks defined in these directories will only be run with the "renew"
subcommand and will be ignored when running with the "certonly" or "run"
subcommands. If you want to use hooks with these other subcommands, you
will have to define them on the command line or in the Certbot INI file.

If anyone has any feedback on this plan, we'd love to hear it!
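
Added example, not part of the original post and not Certbot code: because every executable file in these directories runs with the privileges of the Certbot process, an administrator may want to list what would run and flag anything another account could modify. The directory name "renew-hooks" (which the post only proposes), the expected owner uid 0, and the "regular file with an execute bit" test are assumptions of this sketch.

```python
import os
import stat
import tempfile

HOOK_TYPES = ("pre", "deploy", "post")
LOOSE = stat.S_IWGRP | stat.S_IWOTH  # writable by group or others

# Assumptions: directory name "renew-hooks"; Certbot runs as root (uid 0).
def audit_hook_dirs(config_dir, hooks_dirname="renew-hooks", expected_uid=0):
    """Return (would_run, findings) for the hook directories under config_dir."""
    would_run, findings = [], []
    for hook_type in HOOK_TYPES:
        hook_dir = os.path.join(config_dir, hooks_dirname, hook_type)
        if not os.path.isdir(hook_dir):
            continue
        dir_st = os.stat(hook_dir)
        if dir_st.st_mode & LOOSE:
            findings.append((hook_dir, "directory writable by group/others"))
        if dir_st.st_uid != expected_uid:
            findings.append((hook_dir, "directory has unexpected owner"))
        for name in sorted(os.listdir(hook_dir)):
            path = os.path.join(hook_dir, name)
            try:
                st = os.stat(path)  # follows symlinks
            except OSError:
                continue  # dangling symlink, nothing to run
            # Approximation of "executable file": regular file, any x bit set.
            if not (stat.S_ISREG(st.st_mode) and st.st_mode & 0o111):
                continue
            would_run.append(path)
            if st.st_mode & LOOSE:
                findings.append((path, "hook writable by group/others"))
            if st.st_uid != expected_uid:
                findings.append((path, "hook has unexpected owner"))
    return would_run, findings

def demo():
    # Constructed sample tree in a temp dir; paths are relative to renew-hooks.
    base = os.path.join(tempfile.mkdtemp(), "renew-hooks")
    layout = {"pre/stop-web.sh": 0o755, "deploy/reload.sh": 0o777,
              "post/notes.txt": 0o644}
    for rel, mode in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
        os.chmod(os.path.dirname(path), 0o777 if rel.startswith("post") else 0o755)
    run, found = audit_hook_dirs(os.path.dirname(base), expected_uid=os.getuid())
    return ([os.path.relpath(p, base) for p in run],
            [(os.path.relpath(p, base), why) for p, why in found])
```

On a real system the call would be audit_hook_dirs("/etc/letsencrypt"), run before a scheduled renewal.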
