Certificate's first automatic renewal problem - iOS app doesn't work until manual nginx restart

I have a self-hosted NodeJS backend.
It is running on a Windows server, behind an nginx reverse proxy.
I have Let's Encrypt installed via Certbot, with automatic renewal.
Everything was working without a problem until the first renewal.
Yesterday the certificate successfully renewed, but since then, our iOS app calls didn't get through nginx.
When I tried a call to the backend with Postman for a test, everything worked as expected, so I believe the initial setup is not problematic.
After I restarted the nginx service manually, it immediately started working again.

Does this behaviour sound familiar to someone? Please help.
Where should I look next, so I can prevent something like this from happening after the next cert renewal?

Thank you,
Nejc

Services using a certificate need to be reloaded after renewal for the new certificate to be known to the service.


Hi @nejc, welcome to the LE community forum!

A certificate renewal is actually an entirely NEW certificate [with the same name(s) as the current one].
There is no automatic transition from one certificate to another certificate or a date extension to an existing certificate.
As stated, anything using an existing cert must be instructed to use the newer one.
How that is done is generally via service restarts/reloads, as the files used by those services are usually merely links that should always point to the latest cert.
[YMMV - different ACME clients work in different ways. There is no rule that must be followed there.]


Thank you for replying. I understand.
I did some searching on this matter and there are a few approaches to solving this.

Some are solving this with a cron job; there is also --post-hook "service nginx restart", ...

Is there an approach which is most used, works best, or is simply "the right one"?
Thanks!


--post-hook may run after each attempt to even check for required renewals.
--deploy-hook should only run after a certificate has actually been renewed.

The second seems better suited to your needs.


As @rg305 says, --deploy-hook would probably be the better option. Also, most servers have the ability to reload their configuration without restarting (and therefore breaking any connections in progress). The exact command varies, but service nginx reload would be a good place to start.

A cron job to periodically restart/reload nginx really isn't a good solution.

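The two recommendations above (use --deploy-hook rather than --post-hook, and reload rather than restart) combined into one deploy hook script. This is an added example, not code from the thread or from Certbot's own project; it is written for a Linux-style nginx/Certbot install, matching the `service nginx reload` suggestion above, so on the original poster's Windows server the reload command would differ. Certbot exports RENEWED_DOMAINS and RENEWED_LINEAGE to deploy hooks (documented behaviour); the NGINX_DOMAINS list and the hostnames in it are assumptions for illustration.

```shell
#!/bin/sh
# Added example: a Certbot deploy hook that reloads nginx only when the renewed
# certificate is one nginx actually serves, and only after the config test passes.
#
# Install either as:  certbot renew --deploy-hook /path/to/reload-nginx.sh
# or by dropping it into /etc/letsencrypt/renewal-hooks/deploy/ (Certbot runs
# every executable there after a successful renewal, never after a mere check).
#
# Assumption (not from the thread): nginx is configured with the certificate for
# the hostnames listed in NGINX_DOMAINS. Override via the environment if needed.
NGINX_DOMAINS="${NGINX_DOMAINS:-api.example.com www.example.com}"

# renewed_cert_affects_nginx "<renewed domains>" "<domains nginx serves>"
# Both arguments are space-separated hostname lists (Certbot's RENEWED_DOMAINS is).
# Returns 0 if at least one renewed name is served by nginx, 1 otherwise, so a
# renewal for an unrelated certificate (e.g. a mail server's) triggers no reload.
renewed_cert_affects_nginx() {
  renewed="$1"
  served="$2"
  for d in $renewed; do
    for s in $served; do
      [ "$d" = "$s" ] && return 0
    done
  done
  return 1
}

# reload_nginx: test the configuration first; a reload with a broken config or an
# unreadable key would otherwise leave the site down until someone notices.
# `nginx -s reload` (SIGHUP) starts new workers with the new cert and lets the old
# workers finish their in-flight connections, unlike a full restart.
# `service nginx reload` is an equivalent alternative on init-managed systems.
reload_nginx() {
  if ! nginx -t; then
    echo "nginx configuration test failed; not reloading" >&2
    return 1
  fi
  nginx -s reload
}

main() {
  if renewed_cert_affects_nginx "${RENEWED_DOMAINS:-}" "$NGINX_DOMAINS"; then
    echo "Renewed ${RENEWED_LINEAGE:-<unknown lineage>}; reloading nginx"
    reload_nginx
  else
    echo "Renewed certificate for '${RENEWED_DOMAINS:-}' is not used by nginx; nothing to do"
  fi
}

# Certbot sets RENEWED_DOMAINS when it invokes the hook; when the file is merely
# sourced (e.g. to test the helper functions) nothing is reloaded.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
  main
fi
```

The domain check matters once more than one certificate lives on the host: a cron job that restarts nginx on a schedule, or a --post-hook that runs after every `certbot renew` attempt, would restart the proxy even when nothing it uses has changed, whereas this hook acts only on the renewal that actually replaced nginx's certificate.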
