[Certbot-dev] Hook Directories

Jacob Hoffman-Andrews jsha at eff.org
Mon Sep 18 17:00:37 PDT 2017


Thanks for the details!

On 09/18/2017 04:25 PM, Brad Warren wrote:
> 1. Someone using Certbot installed through their distro package manager
> that includes a crontab for running "certbot renew" and wants to set
> hooks to run for all certificates. Currently, their options are:
> 
>   a) Add the hooks to Certbot's INI configuration file. This has the
> downside of overwriting any hooks defined per lineage and also causes
> the hooks to be run for subcommands like certonly and run.
>   b) Modify the crontab. This also causes per lineage hooks to be
> overwritten and prevents clean updates to newer versions of the crontab.
>   c) Edit every lineage's renewal configuration so these global hooks
> (and any lineage specific hooks) are run.

Could this be solved instead by having a global config for Certbot that
sets default values for certain flags? For instance, right now
--renew-hook defaults to the empty string. But what if an OS packager
could default it to "run-parts /etc/ssl/renew-hooks.d/"? The global
defaults approach would also be a nice solution to the question about
log rotation defaults, since OS packagers that know there is a logrotate
config could set the --max-log-backups flag appropriately.

> 2. A developer or package maintainer who wants to automatically
> configure hooks to run for their users when Certbot renews a
> certificate. For example, a server we don't have a plugin for may ship
> with a deploy hook for reloading the server or pre and post hooks for
> stopping and starting the server for use with standalone.

I think this only works if the package is part of an OS, and so the
package maintainer knows exactly where to put the hooks. So I think the
idea above would also work for this case.
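As an added illustration of the directory-of-hooks default proposed above (this is example code, not Certbot's and not code from anyone in the thread): a small POSIX-shell stand-in for `run-parts <dir>`, plus a constructed hook directory exercised the way a packager's global `renew-hook` default would exercise it. The directory name `/etc/ssl/renew-hooks.d/` is the thread's suggestion and appears only in comments; every path the script actually touches is created under a temporary directory. `RENEWED_LINEAGE` and `RENEWED_DOMAINS` are the environment variables Certbot exports to renew/deploy hooks; the values given to them here are made up.

```shell
#!/bin/sh
# Added example, not Certbot's code and not from the thread: a POSIX-shell
# stand-in for "run-parts <dir>", so the proposed packager default
#     renew-hook = run-parts /etc/ssl/renew-hooks.d/
# can be reasoned about without Debian's run-parts installed.

# Run every executable regular file in $1 in lexical order, skipping dotfiles
# and editor/package leftovers. Keeps going after a failing hook (so one
# broken script does not hide the rest) but returns non-zero if any failed.
run_hook_dir() {
    dir=$1
    status=0
    [ -d "$dir" ] || return 0            # missing directory: nothing to run
    for hook in "$dir"/*; do
        [ -e "$hook" ] || continue        # unmatched glob on an empty directory
        case "${hook##*/}" in
            .*|*~|*.bak|*.dpkg-*|*.rpm*) continue ;;
        esac
        [ -f "$hook" ] && [ -x "$hook" ] || continue
        "$hook" || { rc=$?; echo "hook failed: $hook (exit $rc)" >&2; status=1; }
    done
    return "$status"
}

# Build a constructed hook directory under $1: two hooks that succeed, one
# that fails, one left non-executable and one editor backup, all appending
# to the log file $2. The hooks record the RENEWED_* variables they receive.
make_demo_hooks() {
    dir=$1
    log=$2
    mkdir -p "$dir"
    cat > "$dir/10-reload-web" <<EOF
#!/bin/sh
echo "10-reload-web \$RENEWED_DOMAINS" >> "$log"
EOF
    cat > "$dir/15-reload-web~" <<EOF
#!/bin/sh
echo "editor backup must not run" >> "$log"
EOF
    cat > "$dir/20-copy-to-mail" <<EOF
#!/bin/sh
echo "20-copy-to-mail \$RENEWED_LINEAGE" >> "$log"
exit 3
EOF
    cat > "$dir/30-notify" <<EOF
#!/bin/sh
echo "30-notify" >> "$log"
EOF
    cat > "$dir/40-not-executable" <<EOF
#!/bin/sh
echo "non-executable file must not run" >> "$log"
EOF
    chmod +x "$dir/10-reload-web" "$dir/15-reload-web~" \
             "$dir/20-copy-to-mail" "$dir/30-notify"
}

# Stand-alone demo: run the constructed directory as a global renew-hook
# default would, then show which hooks ran and in what order.
demo() {
    tmp=$(mktemp -d)
    make_demo_hooks "$tmp/renew-hooks.d" "$tmp/ran.log"
    export RENEWED_LINEAGE=/etc/letsencrypt/live/example.com   # constructed
    export RENEWED_DOMAINS="example.com www.example.com"        # constructed
    if run_hook_dir "$tmp/renew-hooks.d"; then
        echo "all hooks succeeded"
    else
        echo "at least one hook failed; renew should report this"
    fi
    cat "$tmp/ran.log"
    rm -rf "$tmp"
}
demo
```

Two behaviours matter for a default that runs on every renewal: the dispatcher does not stop at the first failing hook, because a broken reload script for one service should not prevent another service from picking up the new certificate, and it still reports failure overall, so the caller (here, a `certbot renew` cron job) can surface it. Debian's `run-parts` applies the same ordering and name-filtering rules, which is why the thread's suggestion maps cleanly onto it.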
