22 January 2020

Using Certbot --post-hook to configure Let’s Encrypt Certs for use by multiple services

Certbot discourages modifying files in /etc/letsencrypt/, as this can break things. However, some services cannot read the certificate and key files with their default permissions, which make them readable only by root. Also, some services (e.g. Haproxy) can only use a combined pem file and cannot load individual cert, chain & key files. Rather than modify the files in /etc/letsencrypt/, I like to copy them to another location and set the specific permissions I need. In addition, I combine the Full Chain and the Private Key into one file. This makes service configuration simpler.

Start by creating this post-hook script in /etc/letsencrypt/renewal-hooks/post/
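An added example (not the author's original script) of a post-hook that does what is described above: it copies each certificate lineage out of /etc/letsencrypt/live into one combined full chain plus private key pem file with restrictive permissions. The destination `/etc/ssl/le-combined`, the `CERT_GROUP` variable and the function name `deploy_certs` are assumptions.

```shell
#!/bin/sh
# Added example: copy each certbot lineage out of /etc/letsencrypt/live into
# one combined PEM (full chain + private key) with restrictive permissions.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
DEST_DIR="${DEST_DIR:-/etc/ssl/le-combined}"  # assumed target directory
CERT_GROUP="${CERT_GROUP:-}"                  # assumed: group of the service user

# deploy_certs LIVE DEST [GROUP]; body runs in a subshell so umask stays local.
deploy_certs() (
    live=$1 dest=$2 group=${3:-}
    umask 077                                 # nothing is ever world-readable
    mkdir -p "$dest" || exit 1
    if [ -n "$group" ]; then
        chgrp "$group" "$dest" && chmod 750 "$dest" || exit 1
        mode=640                              # root writes, service group reads
    else
        chmod 700 "$dest" || exit 1
        mode=600                              # root only
    fi
    for dir in "$live"/*/; do
        # Skip anything that is not a complete lineage directory.
        [ -f "${dir}fullchain.pem" ] && [ -f "${dir}privkey.pem" ] || continue
        name=$(basename "$dir")
        # Build in a temp file inside DEST so the final rename is atomic and
        # a service never reads a half-written key.
        tmp=$(mktemp "$dest/.$name.XXXXXX") || exit 1
        cat "${dir}fullchain.pem" "${dir}privkey.pem" > "$tmp" || { rm -f "$tmp"; exit 1; }
        if [ -n "$group" ]; then
            chgrp "$group" "$tmp" || { rm -f "$tmp"; exit 1; }
        fi
        chmod "$mode" "$tmp" && mv -f "$tmp" "$dest/$name.pem" || { rm -f "$tmp"; exit 1; }
    done
)

# When installed as a hook, act only if certbot's live directory exists.
if [ -d "$LIVE_DIR" ]; then
    deploy_certs "$LIVE_DIR" "$DEST_DIR" "$CERT_GROUP"
fi
```

With `CERT_GROUP` unset the combined files are readable by root only; setting it to the service's group gives that group read access without touching anything under /etc/letsencrypt/.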

Set permissions to 750 (rwxr-x---):

The script will run automatically each time renewals are attempted. When creating new certs either run the command manually immediately after running certbot:

Or add the --post-hook option to your certbot command to have it run immediately after creating a new cert with something like this:

Now you can configure services to simply load the concatenated pem file instead of having to specify multiple files for the key, cert & chain. For example, an Apache configuration would look something like this:


Posted January 22, 2020 by msb in category "Let's Encrypt"
