If you run Let's Encrypt SSL certificates on your servers and use certbot, you probably know what I'm talking about. In the past it happened to me several times that the certificate itself was renewed but the web server, for whatever reason, didn't reload, causing the website to present an expired certificate even though it wasn't expired at all. As soon as I did a manual NGINX reload it worked.

In the past I used a cron job to trigger certbot's auto-renew with the renew hook parameter; unfortunately this doesn't always seem to work reliably:
/usr/bin/certbot renew --renew-hook "systemctl reload nginx"

The correct way: some time ago certbot added hook directories and executes the scripts placed in them. If you look at /etc/letsencrypt/renewal-hooks/ you should find three directories: pre, post and deploy. We're interested in deploy: scripts in there are triggered when a new certificate is deployed or an existing one is renewed. The post hook is triggered after every run, whether a certificate was created or not.

NGINX reload hook

Create a file and put the following script into it:

#!/bin/sh
# Script to check the NGINX config and, if it passes, reload NGINX
# called by the certbot hook after a new certificate was deployed or renewed
# place into:
# /etc/letsencrypt/renewal-hooks/deploy/01-nginx.sh
# more info:
# https://tcpip.wtf/en/letsencrypt-auto-nginx-reload-on-renew-hook.htm
set -e
# TESTING config
TMP=$(mktemp /tmp/check.XXXXXXXXXX) || { echo "Failed to create temp file"; exit 1; }
# nginx -t exits non-zero on a broken config, which under set -e would abort
# the script before the result is reported, so its exit status is swallowed here
# and the verdict is taken from the output instead
/usr/sbin/nginx -t >>"$TMP" 2>&1 || true
if grep -q "test is successful" "$TMP"; then
        # Config OK
        echo "Config OK, reloading..."
        if pidof systemd >/dev/null; then
                systemctl reload nginx
        else
                /etc/init.d/nginx reload
        fi
else
        # exit non-zero so certbot logs the failed hook instead of silently succeeding
        echo "Config ERROR!" >&2
        rm -f "$TMP"
        exit 1
fi

rm -f "$TMP" >/dev/null 2>&1

That's actually it. Your certbot renew cron job should now automatically trigger an NGINX reload after a certificate has been renewed.
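Certbot only runs entries of a hook directory that are regular files with the executable bit set; a script copied in without chmod +x is skipped without any error, and the reload never happens. The following check, an added example that is not part of the original post, lists which entries of a hook directory would actually run; it assumes the directory path is given as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post): check a certbot hook directory
# the way certbot treats it. Certbot only executes entries that are regular
# files with the executable bit set; anything else is skipped without error,
# which is an easy way to end up with a hook that never runs.
# Assumption: the directory to check is given as the first argument, e.g.
#   ./audit-hooks.sh /etc/letsencrypt/renewal-hooks/deploy

# Prints "RUN <name>" for entries certbot would execute and
# "SKIP <name> (<reason>)" for the rest. Returns 0 if every entry would run,
# 1 if at least one would be skipped, 2 if the directory does not exist.
audit_hook_dir() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    for f in "$dir"/*; do
        # empty directory: the glob stays literal and matches nothing
        [ -e "$f" ] || [ -L "$f" ] || continue
        name=$(basename "$f")
        if [ ! -f "$f" ]; then
            echo "SKIP $name (not a regular file)"
            rc=1
        elif [ ! -x "$f" ]; then
            echo "SKIP $name (not executable; fix with: chmod +x $f)"
            rc=1
        else
            echo "RUN $name"
        fi
    done
    return $rc
}

if [ $# -eq 1 ]; then
    audit_hook_dir "$1"
fi
```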