Auto Renew (web server restart) and Rating

    the rating is A, not A+, does that mean it is less secure? why only A? how to fix?

  2. i did auto renew by run the following commands:
    sudo crontab -e and include the content 30 2 * * 1 /usr/bin/letsencrypt renew >> /var/log/le-renew.log
    but auto renew doesn’t work. Is that because it doesn’t auto restart my web server?
    if so, can i do the following to fix it:

certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"
certbot certonly -n -d -d

the source is from


With SSL Labs the only difference between A and A+ is if your sending the HSTS header with an age of at least 6 months.

For renewal it depends on the method used to originally obtain the cert. As the documentation states the 1st example only work if you used standalone, as webroot and the nginx plugin require nginx to be running to complete the challenge. In this case you should use "service nginx reload" with --post-hook or --renew-hook. The 2nd example would make no difference on it’s own and would be used as part of a shell script.


in order for the auto renew to work, i was advised that i need to set web server to restart after auto renew.
Should i just add --service nginx restart in between like the following?

sudo crontab -e
30 2 * * 1 /usr/bin/letsencrypt renew --service nginx restart >> /var/log/le-renew.log


Not quite, you need to prefix the service command with --renew-hook and you should use reload instead of restart to have zero downtime. Your crontab entry should therefore be:

30 2 * * 1 /usr/bin/letsencrypt renew --renew-hook service nginx reload >> /var/log/le-renew.log


I think in this example you need quotes around "service nginx reload"; otherwise the client will interpret this as --renew-hook service plus two unrecognized parameters, nginx and reload.


Thank you all of you!!!.
If it is apache2, i assume it shall be
30 2 * * 1 /usr/bin/letsencrypt renew --renew-hook "service apache2 reload" >> /var/log/le-renew.log


That looks right to me.


i did 30 2 * * 1 /usr/bin/letsencrypt renew --renew-hook "service apache2 reload" >> /var/log/le-renew.log to auto renew SSL. however, this past Monday Night i checked /var/log/le-renew.log, there is no such log, is there anything i did was wrong?


This is a system or root crontab, not for a regular user, right?


I think there may be no output when there are no renewal actions to perform, in which case there would be no output in the log.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.