Let’s Encrypt: Reload Nginx after Renewing Certificates

Today I had an incident which caused my webserver to serve expired certificates. My blog relies on Let’s Encrypt for SSL/TLS certificates, which have to be renewed every 3 months. Usually, the cronjob which runs certbot renew takes care of it automatically. However, there is one step missing: the server must reload the renewed certificates. Most of the time, the server gets reloaded often enough that everything is okay, but today it had been quite a while since the nginx server was last restarted, so expired certificates were served and the blog became unavailable.

To work around this, we can make sure nginx reloads its configuration after each successful certificate renewal. The automatic renewal is defined in /etc/cron.d/certbot. The default contents under Debian Jessie are as follows:

# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew

The last line makes sure certificate renewal runs twice a day. Append --renew-hook "/etc/init.d/nginx reload" to it, so it looks like this:

0 */12 * * * root test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "/etc/init.d/nginx reload"

The --renew-hook option runs the command given as its argument after each successful certificate renewal, and only then. In our case we use it to reload the nginx configuration, which also loads the newly renewed certificates.
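As an added example that is not part of the original post, the reload can be put in a small hook script referenced from the cron line instead of an inline "/etc/init.d/nginx reload". It reloads nginx only when the configuration passes nginx -t, logs what was renewed, and then checks that the certificate nginx actually presents matches the renewed fullchain.pem on disk, which is the exact failure mode described above. It assumes certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to the hook, and the paths and log file are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a certbot renew/deploy hook for
# nginx that reloads only when the config passes `nginx -t`, plus a check that
# the certificate nginx actually serves matches the renewed one on disk.
# Assumes certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to hooks.
set -eu

NGINX_TEST="nginx -t"                  # overridable for dry runs
NGINX_RELOAD="/etc/init.d/nginx reload"
HOOK_LOG="/var/log/certbot-nginx-hook.log"

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$HOOK_LOG"; }

# Reload nginx only if its configuration is valid. Returns 0 when reloaded,
# 1 when skipped because the config test failed (the old certificate then
# keeps being served, which is exactly the incident worth alerting on).
reload_nginx() {
  if $NGINX_TEST >/dev/null 2>&1; then
    $NGINX_RELOAD >/dev/null 2>&1
    log "reloaded nginx: domains=${RENEWED_DOMAINS:-?} lineage=${RENEWED_LINEAGE:-?}"
    return 0
  fi
  log "nginx config test FAILED, reload skipped: lineage=${RENEWED_LINEAGE:-?}"
  return 1
}

# SHA-256 fingerprint of the first certificate in a PEM file.
disk_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Fingerprint of the leaf certificate the live server presents for $1 (SNI).
served_fingerprint() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256
}

# Returns 0 if the live server presents the certificate on disk, 1 if stale.
served_cert_matches_disk() {
  [ "$(served_fingerprint "$1")" = "$(disk_fingerprint "$2")" ]
}

# Entry point: certbot exports RENEWED_LINEAGE only while running a hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  reload_nginx
  for d in ${RENEWED_DOMAINS:-}; do
    served_cert_matches_disk "$d" "$RENEWED_LINEAGE/fullchain.pem" ||
      log "WARNING: $d still serves a certificate other than the renewed one"
  done
fi
```

A non-zero exit from the hook is reported by certbot as a hook failure, so a failed config test shows up in the renewal output rather than silently leaving the old certificate in service.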

4 thoughts on “Let’s Encrypt: Reload Nginx after Renewing Certificates”

  1. Isaak

    Hi

    Thanks for your instruction on how to restart Nginx ONLY after a successful renewal of certificates. All the websites I’ve checked talk about automatically restarting the web server, which is very inefficient if you do an automatic renewal of your certificates once or twice a day.

    Your solution is interesting, but can you tell me if that’s compatible with the letsencrypt tool that is available in Ubuntu 16.04 (as instructed on https://certbot.eff.org/#ubuntuxenial-nginx)? If not, can you give a little more information on how to set it up in this kind of environment?

    Thank you in advance

  2. Alix Axel

    You can also pass a --renew-hook "service nginx reload" to your certbot certonly --webroot call and it will be automatically executed in the renewal configuration. No need to manually edit the CRON file.

  3. Ashley Snowdon

    Alix Axel has the correct idea here. If you have already created your certificates, then you can add the following in your domain renewal config under [renewalparams]:

    /etc/letsencrypt/renewal/yourdomain.com.conf:

    [renewalparams]
    renew_hook = service nginx reload