Apply new certificates without restarting server. Using docker and nginx

Hi, i have https on my web, i put the ssl certificates for first time 3 months ago with certbot. I am using docker containers and i put the path to the certificates in my nginx.conf to create the container. My ssl certs was about to expire 3 of December 2020 so i did this to renew them:

stopped nginx
docker-compose stop nginx

Dry run command:
sudo certbot-auto renew --dry-run

Renew certificates command:
sudo certbot-auto renew

I got the new certificates. OK
sudo letsencrypt certificates
Attempting to parse the version 1.9.0 renewal configuration file found at /etc/letsencrypt/renewal/ with version 0.31.0 of Certbot. This might not work.

Found the following certs:
Certificate Name:
Expiry Date: 2021-02-22 08:17:59+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/

The path are the same as my nginx.conf so i started nginx container again.
docker-compose -f docker-compose.yml --project-name nginx up -d --build --force-recreate
But i got the old certificates(that expires the next week day 3) not the new one( Expiry Date: 2021-02-22 08:17:59+00:00 (VALID: 89 days) ). I searched in internet and saw that i need to restart the server. But this is production server and i prefer not restarting it. Is it any way to use the new certificates without restarting everything using docker containers?

My domain is:

My web server is (include version): nginx/1.15.6

The operating system my web server runs on is (include version): Ubuntu 16.04.7 LTS

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot --version
certbot 0.31.0

certbot-auto --version
certbot 1.9.0

Thanks :smiley:

1 Like

Welcome to the Let's Encrypt Community, Daniel :slightly_smiling_face:

You don't want to restart nginx. You want to gracefully reload nginx.

docker exec -it nginx-server nginx -s reload

... where nginx-server should be replaced with the name of your container (found with docker ps).

You should only need to use one.
I would recommend removing version 0.31.0.

As for:

You should be able to reload nginx (without having to restart it).

1 Like

Good morning. Thank you for the welcome.
I just did this command but the certificates are still the same.

docker exec -it conteiner_id nginx -s reload
2020/11/25 07:12:03 [notice] 8#8: signal process started

the logs of the container:
2020/11/25 07:16:23 [notice] 1#1: signal 1 (SIGHUP) received from 28, reconfiguring
2020/11/25 07:16:23 [notice] 1#1: reconfiguring
2020/11/25 07:16:23 [notice] 1#1: using the "epoll" event method
2020/11/25 07:16:23 [notice] 1#1: start worker processes
2020/11/25 07:16:23 [notice] 1#1: start worker process 33
2020/11/25 07:16:24 [notice] 27#27: gracefully shutting down
2020/11/25 07:16:24 [notice] 27#27: exiting
2020/11/25 07:16:24 [notice] 27#27: exit
2020/11/25 07:16:24 [notice] 1#1: signal 17 (SIGCHLD) received from 27
2020/11/25 07:16:24 [notice] 1#1: worker process 27 exited with code 0
2020/11/25 07:16:24 [notice] 1#1: signal 29 (SIGIO) received


Hi i think bouth solutions(@griffin and @rg305) did the same thing but not worked for me.

I did this :
Enter in docker container console:
docker exec -i -t container_id /bin/bash

Then inside of the container:
nginx -s reload
2020/11/25 07:22:30 [notice] 41#41: signal process started

And i still have the old certificates.

1 Like

Please show the output of:
certbot certificates

And also:
nginx -T |grep -i ssl_cert

In server
sudo certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Attempting to parse the version 1.9.0 renewal configuration file found at /etc/letsencrypt/renewal/ with version 0.31.0 of Certbot. This might not work.

Found the following certs:
Certificate Name:
Expiry Date: 2021-02-22 08:17:59+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/

In docker container:

nginx -T |grep -i ssl_cert
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
here i have certificates of my colegue but they are comented whith #
ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/live/;

1 Like

They match.
I don't know why your nginx server would still be serving the old cert.
You may not need to reboot the entire server.
But you may need to restart the container that runs nginx.

Unless there are other systems involved, that we haven't heard about...?
Unless the symlinks are "broken" or "inaccurate"...

Please show:
ls -l /etc/letsencrypt/live/

1 Like

I did notice this...

X-Application-Context: gateway-proxy:docker,dev:80

1 Like

I noticed that too and thought...
Why would you want to put that information out there?

But now I wonder if it is coming from that "other involved system, that we haven't heard about".

1 Like

Using nginx as a reverse proxy for the server actually containing the certificate?

In docker container console:
ls -l /etc/letsencrypt/live/
total 8
-rwxr-xr-x 1 root root 3574 Sep 14 11:47 fullchain.pem
-rwxr-xr-x 1 root root 1704 Sep 14 11:47 privkey.pem

In host machine. @griffin

ls -l /etc/letsencrypt/live/
total 4
lrwxrwxrwx 1 root root 44 nov 24 10:18 cert.pem -> ../../archive/
lrwxrwxrwx 1 root root 45 nov 24 10:18 chain.pem -> ../../archive/
lrwxrwxrwx 1 root root 49 nov 24 10:18 fullchain.pem -> ../../archive/
lrwxrwxrwx 1 root root 47 nov 24 10:18 privkey.pem -> ../../archive/
-rwxrwxrwx 1 root root 692 sep 4 09:54 README

1 Like

Why are those not symlinks!?

sudo certbot update_symlinks

1 Like

It is exactly as I feared, rg305. :worried:

1 Like


Are you using nginx as a reverse proxy?

1 Like

Because he must have copied the files from one system to another.
He should retrace his steps and repeat whatever worked before.
Redo the process so that it is more automated.

1 Like

My guess is imported into docker after September 4 certificate creation from archive created on September 14 with symlinks becoming static files.

Nginx is used a reverse proxy for each component.

1 Like

Then you need to renew the cert in the container that terminates the TLS connections.
[in the proxy container]

1 Like

Let's test... :grin:

ls -l /etc/letsencrypt/archive/

Dollars to doughnuts, rg305, that we won't find the new certificate in the archive in docker.

1 Like