Let’s Encrypt: Reload Nginx after Renewing Certificates

Today I had an incident which caused my webserver to serve expired certificates. My blog relies on Let’s Encrypt for SSL/TLS certificates, which have to be renewed every 3 months. Usually, the cronjob which runs certbot --renew takes care of it automatically. However, there is one step missing, the server must reload the renewed certificates. Most of the time, the server gets reloaded often enough so everything is okay, but today, its been a quite a while since the last time since the nginx server was restarted, so expired certificates were served and the blog became unavailable.

To workaround it, we can make sure nginx reloads it configuration after each successful certificate renewal. The automatic renewal is defined in /etc/cron.d/certbot. The default contents under Debian Jessie are as follows:

# /etc/cron.d/certbot: crontab entries for the certbot package
# Upstream recommends attempting renewal twice a day
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.

0 */12 * * * root test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew

The last line makes sure certificate renewal runs twice a day. Append --renew-hook "/etc/init.d/nginx reload" to it, so it looks like this:

0 */12 * * * root test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "/etc/init.d/nginx reload"

The --renew-hook runs the next argument after each successful certificate renewal. In our case we use it to reload the nginx configuration, which also reloads the newly renewed certificates.

2 thoughts on “Let’s Encrypt: Reload Nginx after Renewing Certificates

  1. Isaak


    Thanks for your instruction on how to restart Nginx ONLY after a successful renewal of certificates. All the websites I’ve checked talk about automatic restarting the web server, which is very inefficient if you do an automatic renewal of your certificates once or twice a day.

    Your solution is interesting, but can you tell me if that’s compatible with the letsencrypt tool that is available in Ubuntu 16.04 (as instructed on https://certbot.eff.org/#ubuntuxenial-nginx)? If not, can you give a little more information on how to set it up in this kind of environment?

    Thank you in advance

Leave a Reply

Your email address will not be published. Required fields are marked *