Certbot + nginx + automatic renewal

Hi,

I have a question regarding automatic certificate renewal in combination with an nginx server.

I have used the certbot certonly --webroot command to get the certificate, something like:

certbot certonly --webroot -w /var/www/example.com -d example.com

Nginx virtual host references certificates in /etc/letsencrypt directory directly:

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Everything is working well.

As the last step, I wanted to configure the automatic renewal as a cron job. First, I have checked if the renewal works using the dry run: certbot renew --dry-run. But when I wanted to create a cron job, I noticed that it already exists in the file /etc/cron.d/certbot with the following content:

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew

So it runs every 12 hours. That’s fine but it’s not reloading nginx so it won’t load the new certificate. I haven’t used the nginx plugin so certbot is not even aware I’m using nginx.

What should I do, please? Simply delete the existing cron job and create a new one with --post-hook="service nginx reload"? Won’t certbot re-create the default cron job?

Thank you.

If you’re using the latest version of certbot, there’s a directory /etc/letsencrypt/renewal-hooks/deploy where you could drop in a script to do the reloading.


Here is the documentation on hooks.

If I recall, /deploy hooks only fire if renewal is successful, while /post hooks will fire regardless.

For the hook scripts, stick with #!/bin/sh. I think I ran into trouble when using bash scripting. Also, I had to chmod executable permissions on the scripts, so it seems like Certbot doesn’t explicitly invoke a shell to execute them. Also note that none of the hooks fire on a --dry-run, so you’ll have to test with a --force-renewal flag to test your hooks.

I can’t comment on deleting the cron job, as I use systemd.timers to run services in my environment…but the hooks should solve your problem.

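An added example (not posted in this thread) of the kind of deploy hook both replies describe: a POSIX sh script that runs nginx's config test before reloading, so a renewal never reloads a broken configuration. It assumes it is installed executable as /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh; the NGINX_BIN, RELOAD_CMD and LOG_FILE variables and the log file path are assumptions of this example, while RENEWED_LINEAGE and RENEWED_DOMAINS are the variables certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example, not from the thread: certbot deploy hook that reloads nginx
# only after "nginx -t" passes. Assumed path:
#   /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh  (chmod +x)
# Certbot sets RENEWED_LINEAGE and RENEWED_DOMAINS when it runs a deploy hook.

# Overridable commands (assumed names) so the function can be exercised on a
# host without nginx installed.
NGINX_BIN="${NGINX_BIN:-nginx}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"
LOG_FILE="${LOG_FILE:-/var/log/letsencrypt/deploy-hook.log}"

# Append one timestamped line to the log; never fail the hook over logging.
log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$LOG_FILE" 2>/dev/null || :
}

# reload_nginx: 0 = reloaded, 1 = config test failed (no reload attempted),
# 2 = config ok but the reload command itself failed.
reload_nginx() {
    if ! "$NGINX_BIN" -t >/dev/null 2>&1; then
        log "config test failed; not reloading (lineage: ${RENEWED_LINEAGE:-unknown})"
        return 1
    fi
    if ! sh -c "$RELOAD_CMD" >/dev/null 2>&1; then
        log "reload failed after renewal of ${RENEWED_DOMAINS:-unknown}"
        return 2
    fi
    log "reloaded nginx after renewal of ${RENEWED_DOMAINS:-unknown}"
    return 0
}

# Only act when certbot invoked us as a hook (RENEWED_LINEAGE is set);
# sourcing the file by hand defines the function without touching nginx.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_nginx
fi
```

Because deploy hooks do not run under --dry-run, a first check is `certbot renew --force-renewal` followed by a look at the log file and `nginx -T` to confirm the served certificate changed.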
