No sensible way to add delay when using DNS challenge with --manual-auth-hook #9497
Description
My operating system is (include version):
Rocky Linux 8.0
I installed Certbot with (snap, OS package manager, pip, certbot-auto, etc):
snap
I ran this command and it produced this output:
--manual --preferred-challenge dns -d dom1,dom2,dom3,dom4,dom5,dom6,dom7,dom8 --manual-auth-hook auth-hook --manual-cleanup-hook cleanup-hook
Certbot's behavior differed from what I expected because:
A certain amount of time is required in order for the DNS updates made by auth-hook to propagate through my DNS servers (via nsupdate and NOTIFY to a secondary server). Approximately 5 seconds is usually adequate from the time that auth-hook is called the last time for the last domain. While I can (and currently do) put a 5 second delay into auth-hook, it adds up to a total of 40 seconds for 8 domains even though 5 seconds is adequate if called after the final run.
I have attempted to use --pre-hook, but it apparently runs BEFORE --manual-auth-hook. There doesn't appear to be any single-run hook available between --manual-auth-hook and actually running.
I would like to be able to inject a single delay of configurable length for after all manual auth hooks run, and before the actual run.
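An added example, not part of the original issue and not the reporter's hook: an auth-hook sketch that publishes the TXT record on every call but sleeps only on the final challenge, using the `CERTBOT_REMAINING_CHALLENGES` variable Certbot passes to manual hooks. `DNS_SERVER`, `PROPAGATION_DELAY`, the 60-second TTL and the function names are assumptions, and nsupdate key options are omitted.

```shell
#!/bin/sh
# Added example auth hook for certbot --manual-auth-hook (not the reporter's script).
# Hypothetical settings: DNS_SERVER, PROPAGATION_DELAY. nsupdate key options omitted.

DNS_SERVER="${DNS_SERVER:-127.0.0.1}"
PROPAGATION_DELAY="${PROPAGATION_DELAY:-5}"

# Build the nsupdate batch for the challenge certbot is currently asking for.
# CERTBOT_DOMAIN and CERTBOT_VALIDATION are set by certbot for each hook call.
nsupdate_batch() {
    printf 'server %s\n' "$DNS_SERVER"
    printf 'update add _acme-challenge.%s. 60 IN TXT "%s"\n' \
        "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
    printf 'send\n'
}

# Seconds to wait after this call. Only the last challenge (0 remaining) pays
# the propagation delay. If the variable is unset (older certbot), fall back
# to delaying on every call, which is slow but still correct.
wait_seconds() {
    if [ "${CERTBOT_REMAINING_CHALLENGES:-0}" -eq 0 ]; then
        echo "$PROPAGATION_DELAY"
    else
        echo 0
    fi
}

# Act only when certbot invoked us with a challenge to publish.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    nsupdate_batch | nsupdate || exit 1
    sleep "$(wait_seconds)"
fi
```

With eight domains this waits once, after the eighth record has been published, rather than eight times.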