If you run Let's Encrypt SSL certs on your servers and use certbot, you probably know what I'm talking about. In the past it happened to me several times that the cert itself was renewed but the webserver, for whatever reason, didn't reload, causing the website to report an expired certificate even though it wasn't. As soon as I did a manual NGINX reload, it worked.

In the past I used a cronjob to trigger certbot's autorenew with the renew hook parameter; unfortunately this does not always seem to work:
/usr/bin/certbot renew --renew-hook "systemctl reload nginx"

The correct way: some time ago certbot added hook directories and executes the scripts placed in them. If you look at /etc/letsencrypt/renewal-hooks/ you should find three directories: pre, post and deploy. We're interested in deploy; scripts in there are triggered by newly deployed certs and renewed certs. The post hook is triggered after each execution, no matter whether a cert was created or not.
 

NGINX reload Hook

Create a file and put the following script into it:
/etc/letsencrypt/renewal-hooks/deploy/01-nginx.sh

#!/bin/bash
# Script to check the NGINX config and, if it is valid, reload NGINX
# called by certbot hook after new certificate was deployed or renewed
# place into:
# /etc/letsencrypt/renewal-hooks/deploy/01-nginx.sh
# more info:
# https://tcpip.wtf/en/letsencrypt-auto-nginx-reload-on-renew-hook.htm
set -e
# TESTING Config
TMP=$(mktemp /tmp/check.XXXXXXXXXX) || { echo "Failed to create temp file"; exit 1; }
# Remove the temp file on every exit path, including aborts caused by set -e
trap 'rm -f "$TMP"' EXIT
# "|| true" keeps set -e from aborting here when the config test fails,
# so the else branch below is still reached
/usr/sbin/nginx -t >>"$TMP" 2>&1 || true
if grep -q "test is successful" "$TMP"
then
        # Config OK
        echo "Config OK, reloading..."
        if pidof systemd >/dev/null
        then
                systemctl reload nginx
        else
                /etc/init.d/nginx reload
        fi
else
        echo "Config ERROR!"
fi

Actually that's it. Your certbot renew cron should now automatically trigger an NGINX reload after a certificate is renewed.
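To catch the failure described at the top (cert renewed on disk, old cert still served), a second deploy hook can compare the two after the reload. This is an added example, not part of the original script: the file name 02-verify.sh and the function names are assumptions, and it relies on the RENEWED_LINEAGE and RENEWED_DOMAINS variables that certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example (hypothetical file name):
# /etc/letsencrypt/renewal-hooks/deploy/02-verify.sh
# Named so that it sorts, and therefore runs, after 01-nginx.sh.

# SHA-256 fingerprint of the leaf certificate stored in PEM file $1.
disk_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# SHA-256 fingerprint of the certificate presented for SNI name $1 on port $2.
# Connects to 127.0.0.1 so the check hits this host's NGINX, not a proxy or CDN.
served_fingerprint() {
    openssl s_client -connect "127.0.0.1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# verify_served PEM HOST [PORT]
# returns 0 = served cert matches disk, 1 = stale cert served, 2 = could not check
verify_served() {
    want=$(disk_fingerprint "$1") || return 2
    got=$(served_fingerprint "$2" "${3:-443}") || return 2
    [ -n "$want" ] && [ -n "$got" ] || return 2
    [ "$want" = "$got" ]
}

# Runs only when certbot invokes this file as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    set -f          # keep wildcard names such as *.example.com from globbing
    status=0
    for domain in $RENEWED_DOMAINS; do
        case $domain in \**) continue ;; esac   # a wildcard is not a usable SNI name
        rc=0
        verify_served "$RENEWED_LINEAGE/cert.pem" "$domain" || rc=$?
        case $rc in
            0) echo "OK: $domain serves the renewed certificate" ;;
            1) echo "STALE: $domain still serves the old certificate" >&2; status=1 ;;
            *) echo "UNKNOWN: could not check $domain" >&2; status=1 ;;
        esac
    done
    exit "$status"
fi
```

Like 01-nginx.sh, the file has to be executable, otherwise certbot skips it.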

✉ MG// CEST