If you run Let's Encrypt SSL certs on your servers and use certbot, you probably know what I'm talking about. In the past I had it several times that the cert itself was renewed but the web server, for whatever reason, didn't reload, causing the website to report an expired certificate even though it isn't. As soon as I did a manual NGINX reload it worked.
In the past I used a cron job to trigger certbot's auto-renew with the renew hook parameter; unfortunately this does not always seem to work reliably.
/usr/bin/certbot renew --renew-hook "systemctl reload nginx"
The correct way: some time ago certbot added hook directories and executes the scripts placed in them. If you look at /etc/letsencrypt/renewal-hooks/ you should find three directories: pre, post and deploy. We're interested in deploy; scripts in there are triggered only when a new certificate was deployed or an existing one was renewed. The post hook runs after each certbot execution, no matter whether a certificate was issued or not.
NGINX reload Hook
Create a file and put the following script into it: /etc/letsencrypt/renewal-hooks/deploy/01-nginx.sh
#!/bin/bash
# Script to check the NGINX config and, if it is valid, reload NGINX.
# Called by the certbot deploy hook after a new certificate was deployed or renewed.
# Place into (and make executable; certbot only runs executable files in the hook directories):
# /etc/letsencrypt/renewal-hooks/deploy/01-nginx.sh
# More info:
# https://tcpip.wtf/en/letsencrypt-auto-nginx-reload-on-renew-hook.htm
set -e

# Temp file for the output of the config test; removed again whenever the script exits.
TMP=$(mktemp /tmp/check.XXXXXXXXXX) || { echo "Failed to create temp file"; exit 1; }
trap 'rm -f "$TMP"' EXIT

# TESTING config. "|| true" is needed because with "set -e" a failing "nginx -t"
# would otherwise abort the script before the result is checked (and leave the temp file behind).
/usr/sbin/nginx -t >"$TMP" 2>&1 || true

if grep -q "test is successful" "$TMP"
then
    # Config OK
    echo "Config OK, reloading..."
    if pidof systemd >/dev/null 2>&1
    then
        systemctl reload nginx
    else
        /etc/init.d/nginx reload
    fi
else
    # Config broken: do not reload, show the error and exit non-zero so certbot logs the failed hook.
    echo "Config ERROR!"
    cat "$TMP"
    exit 1
fi
Actually that's it. Your certbot renew cron job should now automatically trigger an NGINX reload after a certificate was renewed.
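To verify that the hook really fired, and to catch the situation from the first paragraph where the renewed certificate sits on disk but NGINX still serves the old one, here is a small check script. It is an added example, not part of the original post: it assumes certbot's default /etc/letsencrypt/live/<domain>/fullchain.pem layout and compares the SHA-256 fingerprint of that file's leaf certificate with the one the server actually presents.

```python
import hashlib
import socket
import ssl
import sys

# Assumed certbot layout: the live certificate for <domain> lives under this directory.
LIVE_DIR = "/etc/letsencrypt/live"
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def sha256_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated like openssl prints it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_pem(pem_text: str) -> str:
    """Fingerprint of the first (leaf) certificate in a PEM bundle such as fullchain.pem."""
    start = pem_text.index(PEM_BEGIN)
    end = pem_text.index(PEM_END, start) + len(PEM_END)
    return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(pem_text[start:end]))


def served_fingerprint(host: str, port: int = 443) -> str:
    """Fingerprint of the certificate the server actually presents for this SNI name.
    Verification is switched off on purpose: an expired cert is exactly what we want to
    detect, so the handshake must not fail on it; nothing from this connection is trusted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return sha256_fingerprint(tls.getpeercert(binary_form=True))


def nginx_is_stale(host: str, disk_pem: str, port: int = 443) -> bool:
    """True when NGINX serves a different certificate than the one certbot has on disk."""
    return served_fingerprint(host, port) != fingerprint_from_pem(disk_pem)


if __name__ == "__main__":
    domain = sys.argv[1]
    with open(f"{LIVE_DIR}/{domain}/fullchain.pem") as f:
        pem = f.read()
    if nginx_is_stale(domain, pem):
        print("STALE: served certificate differs from fullchain.pem; NGINX was not reloaded")
        sys.exit(1)
    print("OK: NGINX serves the certificate from", f"{LIVE_DIR}/{domain}/fullchain.pem")
```

Run it from cron after the renew job (for example `python3 check-served-cert.py example.com`); a non-zero exit means the deploy hook did not fire and a manual reload is due.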