Let’s say you want to use Let’s Encrypt for something that isn’t a website. So you download certbot, you get things going with your manual cert, and you realize that when it goes to rotate you will need to restart some services. When you go look through the docs, it’s not very clear on how to do this exactly. So here’s my post to remind myself what I did (and if it helps you as well, then hooray!).


What you want to do is configure a hook. They come in three varieties: pre-hooks (commands to run prior to the re-issue), deploy-hooks (commands to run immediately after the cert is issued but prior to deployment), and post-hooks (commands to run after deployment). The command line options are easy enough to find, but there is another trick if your system has all the automation built in (say, via the snap package).

You will find some options in the /etc/letsencrypt/renewal-hooks directory if you have global commands you want to run. This is an easy way to script actions when your machine is single use. But if you have a web server on the same machine you are running email on, you might not want to run global commands every time any certificate renews, just the commands unique to that one certificate.

The way to accomplish this is via the /etc/letsencrypt/renewal/your.cert.name.conf config file. At the bottom of the [renewalparams] section, you want to add the following lines:

# Add this to the [renewalparams] section of /etc/letsencrypt/renewal/your.cert.name.conf
# pre_hook runs before the renewal attempt; post_hook runs after it (the two commands are
# separated by ';' so the start always runs, even if the restart fails).
pre_hook = /bin/systemctl stop <ONE OR MORE SERVICES TO STOP, such as 'apache' to ensure you can do the renew>
post_hook = /bin/systemctl start <ONE OR MORE SERVICES TO START, such as 'apache'>; /bin/systemctl restart <ONE OR MORE SERVICES TO RESTART, such as 'dovecot postfix'>
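The global renewal-hooks directory can still be made per-certificate: certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> path) and RENEWED_DOMAINS to deploy hooks, so a script there can restart only the services that use the certificate that was just renewed. This is an added example, not code from the original post; the mapping of lineage names to services is constructed, and the hypothetical SYSTEMCTL variable exists only to allow a dry run.

```shell
#!/bin/sh
# Added example (not from the original post): a deploy hook that restarts only
# the services tied to the lineage certbot just renewed.
# Install as /etc/letsencrypt/renewal-hooks/deploy/restart-services.sh (chmod +x).
# Assumes certbot sets RENEWED_LINEAGE; the lineage-to-service mapping is constructed.

# Map a lineage name to the services that must be restarted after deployment.
# Unknown lineages return an empty string, so an unrelated renewal touches nothing.
services_for_lineage() {
    case "$1" in
        mail.example.com) echo "dovecot postfix" ;;
        www.example.com)  echo "apache2" ;;
        *)                echo "" ;;
    esac
}

# Derive the lineage name from the live directory path certbot hands to the hook.
lineage_name() {
    basename "$1"
}

# Restart each service in turn; SYSTEMCTL (hypothetical) can be overridden for a dry run.
restart_services() {
    for svc in $1; do
        "${SYSTEMCTL:-/bin/systemctl}" restart "$svc" || return 1
        logger -t certbot-deploy "restarted $svc after renewing $2"
    done
}

# Only act when certbot invoked us (RENEWED_LINEAGE set), never when sourced elsewhere.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    name=$(lineage_name "$RENEWED_LINEAGE")
    restart_services "$(services_for_lineage "$name")" "$name"
fi
```

Because the script does nothing for lineages it does not know about, a renewal of the web server's certificate never bounces the mail daemons, which is the same per-certificate behaviour as the conf-file hooks above.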

So there you go. Now if you wanted to use letsencrypt certs for email or stunnel, it’s easily accomplished with these options.

This post originally appeared on BrandenWilliams.com.
