One hint that may help shed some light: Certbot doesn't use systemd to reload or start nginx. (There's some history behind this behavior).
It tries to reload nginx using:
nginx -c /etc/nginx/nginx.conf -s reload
and if that fails, it tries to start nginx with:
nginx -c /etc/nginx/nginx.conf
The one behavior (that I'm aware of) which doesn't work so well is if nginx is already stopped when you run Certbot:
- Stop nginx
- Run
certbot --nginx - Try restart nginx with
service nginx restart
At (2), nginx fails to send a reload signal using nginx -s reload, so it assumes nginx is not running, and it starts it using nginx -c /etc/nginx/nginx.conf. systemd is not aware of this.
At (3), systemd does not realize that nginx is actually running already (even though the pidfile is present) and tries to start it. nginx fails to start because the ports are occupied by the other instance of nginx. systemd also wipes out the /run/nginx.pid file at (3) which makes the situation worse, since now using nginx to control nginx won't work either, meaning you have to killall nginx to get back to a working state.
It's all a bit ugly and I'm not too sure what is stopping Certbot from controlling nginx with systemd instead, but I will try look into it later in the week.
For now, you can choose from:
- (Recommended) Make sure nginx is running when you run Certbot, or
- Use
nginx -s reloadafter you make your modifications (this will work whether or not nginx was started with systemd), or - Use
--webrootand configure nginx manually.
It's possible also that there is some reason for your trouble other than "nginx was stopped when you ran Certbot" (such as if nginx was crashing during the initial reload attempt), but I think the underlying explanation about systemd would probably still underlie it.