diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4000d324..17828f75 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -46,6 +46,7 @@ The **patch** part changes incrementally at each release.
 * removed some deprecations for Ansible 2.7
 * apache: improve permissions in save_apache_status script
 * apt: hold packages only if package is installed
+* certbot: commit hook must be executed at the end
 * elasticsearch: listen on local interface only by default
 * evocheck: upstream version 19.11.2
 * evocheck: cron jobs execute in verbose
diff --git a/certbot/files/hooks/commit-etc.sh b/certbot/files/hooks/z-commit-etc.sh
similarity index 95%
rename from certbot/files/hooks/commit-etc.sh
rename to certbot/files/hooks/z-commit-etc.sh
index f1812762..e543b4ad 100644
--- a/certbot/files/hooks/commit-etc.sh
+++ b/certbot/files/hooks/z-commit-etc.sh
@@ -18,7 +18,7 @@ main() {
 
 if [ "${changed_lines}" != "0" ]; then
 debug "Committing for ${RENEWED_DOMAINS}"
- ${git_bin} add --all ${letsencrypt_dir}
+ ${git_bin} add --all
 message="[letsencrypt] certificates renewal (${RENEWED_DOMAINS})"
 ${git_bin} commit --message "${message}" --quiet
 else
diff --git a/certbot/tasks/main.yml b/certbot/tasks/main.yml
index 99574e96..14983504 100644
--- a/certbot/tasks/main.yml
+++ b/certbot/tasks/main.yml
@@ -21,3 +21,17 @@
 mode: "0700"
 owner: root
 group: root
+
+- name: Move commit-etc.sh to z-commit-etc.sh if present
+ command: "mv /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh"
+ args:
+ removes: /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh
+ creates: /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh
+
+- name: "certbot lock is ignored by Git"
+ lineinfile:
+ dest: /etc/.gitignore
+ line: letsencrypt/.certbot.lock
+ create: yes
+ owner: root
+ mode: "0600"
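Review bot: Dropping the `${letsencrypt_dir}` pathspec from `git add --all` widens the renewal commit to every pending change in the repository (presumably /etc, given the `.gitignore` task in this commit), so a commit labelled "[letsencrypt] certificates renewal" can silently absorb unrelated, possibly half-finished edits an operator left unstaged elsewhere. If the `changed_lines` guard computed above the hunk still counts only `${letsencrypt_dir}`, the gate and the staging scope now disagree: a renewal that touched nothing under letsencrypt skips the commit, while one that did commits everything. The rationale (the hook is renamed to run last, presumably to pick up what earlier deploy hooks wrote) belongs in a comment on the `add` line, e.g. `# Stage the whole repository: earlier deploy hooks may have written outside ${letsencrypt_dir}`, and logging the staged paths via `debug` before the commit would keep the history auditable. main() begins and ends outside the hunk.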
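Review bot: The migration task combines `removes` and `creates`, so it is skipped whenever `z-commit-etc.sh` already exists; if the task whose `mode`/`owner`/`group` lines form the hunk's context is the one that deploys the hooks directory with the new file, the stale `commit-etc.sh` is never moved and both hooks keep running on every renewal, the old one mid-order with its old `add` pathspec. Removing the legacy path with a `file` task is idempotent whether or not the new hook is already present, and avoids `mv` ever overwriting a freshly deployed `z-commit-etc.sh` with the old content. The `/etc/.gitignore` entry for `letsencrypt/.certbot.lock` is a sensible companion to the broadened `git add --all`, since the lock file would otherwise be committed.

```yaml
- name: Remove legacy commit-etc.sh hook (superseded by z-commit-etc.sh)
  file:
    path: /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh
    state: absent
# … unchanged: "certbot lock is ignored by Git" task …
```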