[Certbot-dev] Hook Directories

Brad Warren bmw at eff.org
Mon Sep 18 16:25:45 PDT 2017

On 09/18/2017 02:43 PM, Jacob Hoffman-Andrews wrote:
> Can you describe in more detail the use case for the hooks directories?
> Is the idea that there might be multiple different pieces of software
> that all need to be restarted or reloaded on renewal?

Good question! The request for this feature comes from Noah and Harlan's
time at DebConf and these threads:

* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838548
* https://github.com/certbot/certbot/issues/3147

To summarize though, people want an easy and automatable way to set
global hooks when using Certbot. The two most common use cases I've
heard are:

1. Someone using Certbot installed through their distro package manager
that includes a crontab for running "certbot renew" and wants to set
hooks to run for all certificates. Currently, their options are:

  a) Add the hooks to Certbot's INI configuration file. This has the
downside of overwriting any hooks defined per lineage and also causes
the hooks to be run for subcommands like certonly and run.
  b) Modify the crontab. This also causes per lineage hooks to be
overwritten and prevents clean updates to newer versions of the crontab.
  c) Edit every lineage's renewal configuration so these global hooks
(and any lineage specific hooks) are run.
2. A developer or package maintainer who wants to automatically
configure hooks to run for their users when Certbot renews a
certificate. For example, a server we don't have a plugin for may ship
with a deploy hook for reloading the server or pre and post hooks for
stopping and starting the server for use with standalone.

Usually these requests come framed as a request for hook directories,
but I explored a couple alternative ways of achieving this functionality
and think the hook directories are simpler and cleaner. I'm definitely
open to other approaches to solving these problems though!
