Certificate 1st automatic renewal problem - iOS app don't work until manual nginx restart

I have self hosted NodeJS backend.
It is running on windows server, behind nginx reverse proxy.
I have let's encrypt installed via Certbot, with automatic renewal.
Everything was working without a problem until first renewal.
Yesterday certificate sucessfully renew, but since then, our iOS app calls didn't get through nginx.
When I tried call to backend with POSTMAN for test, everything worked as expected, so I believe initial setup is not problematic..
After I restarted nginx service manually, immediately started working again.

Does this behaviour sound familiar to someone? Please help.
Where to look next, so I can prevent something like this happen after next cert renewal?

Thank you,

Services using a certificate need to be reloaded after renewal for the new certificate to be known to the service.


Hi @nejc, welcome to the LE community forum :slight_smile:

A certificate renewal is actually an entirely NEW certificate [with the same name(s) as the current one].
There is no automatic transition from one certificate to another certificate or a date extension to an existing certificate.
As stated, anything using an existing cert must be instructed to use the newer one.
How that is done is generally by service restarts/reloads; as the files used by those services are usually just merely links that should always point to the latest cert.
[YMMV - different ACME clients work in different ways. There is no rule that must be followed there.]

1 Like

Thank you for replying. I understand.
I did some search now on this matter and there are few approaches how to solve this.

Some are solving this with chron job, there is also --post-hook "service nginx restart",..

Is there an aproach which is most used, works best, or is simply "the right one".

1 Like

--post-hook may run after each attempt to even check for required renewals.
--deploy-hook should only run after a certificate has actually been renewed.

The second seems better suited to your needs.

1 Like

As @rg305 says, --deploy-hook would probably be the better option. Also, most servers have the ability to reload their configuration without restarting (and therefore breaking any connections in progress). The exact command varies, but service nginx reload would be a good place to start.

A cron job to periodically restart/reload nginx really isn't a good solution.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.