Does Apache need to be reloaded after every renewal?

I’ve set up a bunch of Let’s Encrypt certificates for my web hosting clients using certonly --webroot. I have a certbot renew cron job that runs weekly.

After an automatic renewal is run, is it necessary that I reload the Apache config each time? Because I noticed that one client was getting “this site isn’t secure” message from their browser when visiting their website, and I was, too. When I checked their certificate via certbot certificates I could see that their certificate was valid for 61 more days. But after reloading the Apache config (httpd -t), it cleared up and is working fine now without having changed anything else.

I’m running Apache 2.4.6 on a CentOS 7.7 server with Certbot 1.3.0. I have root access to my server and don’t use a control panel.

Thanks!

Yes, but only when the cert is actually renewed (not on every renewal check).
You can use a post validation trigger to run your apache reload script.
Look at the --deploy-hook option.

You should add --deploy-hook "systemctl reload httpd" or something similar to your cron job. (Ideally, you should only run it once for the right certificate – but it’s not an issue if you only have one certificate.)

(Running your job weekly is not enough; you should go for daily.)

Depending on how Certbot was installed, there may already be a systemd timer or cron job running at random times once or twice a day.

You can also drop a script in /etc/letsencrypt/renewal-hooks/deploy/.

What kind of script would I add systemctl reload httpd.service to and then place in the /etc/letsencrypt/renewal-hooks/deploy/ folder? That’s essentially what I need to do if a certificate has been renewed.
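
One way to write the script asked about above, as an added example that is not part of the original thread. The file name reload-httpd.sh and the HTTPD_TEST_CMD / HTTPD_RELOAD_CMD override variables are assumptions made for this example; RENEWED_LINEAGE and RENEWED_DOMAINS are the variables Certbot sets for deploy hooks.

```shell
#!/bin/sh
# Added example (not from the thread). Save as
#   /etc/letsencrypt/renewal-hooks/deploy/reload-httpd.sh
# and make it executable (chmod 755). Certbot runs deploy hooks only after a
# certificate was actually renewed, once per renewed certificate.

# Hypothetical override variables so the logic can be exercised without
# touching a real Apache; the defaults match the CentOS 7 setup in the thread.
HTTPD_TEST_CMD="${HTTPD_TEST_CMD:-httpd -t}"
HTTPD_RELOAD_CMD="${HTTPD_RELOAD_CMD:-systemctl reload httpd.service}"

# reload_httpd LINEAGE_DIR
# Returns 0 on reload, 2 if renewed files are missing, 3 if the Apache
# configuration does not parse, 4 if the reload command itself fails.
reload_httpd() {
    lineage="$1"

    # The lineage directory (/etc/letsencrypt/live/<name>) must hold a
    # non-empty chain and key, otherwise a reload could take the site down.
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$lineage/$f" ]; then
            echo "deploy hook: $lineage/$f missing or empty, not reloading" >&2
            return 2
        fi
    done

    # "httpd -t" only checks configuration syntax; it does not reload.
    # Run it first so a broken vhost file is reported instead of reloaded.
    if ! $HTTPD_TEST_CMD >/dev/null 2>&1; then
        echo "deploy hook: Apache config test failed, not reloading" >&2
        return 3
    fi

    # A graceful reload makes Apache re-read the certificate files from disk.
    if ! $HTTPD_RELOAD_CMD; then
        echo "deploy hook: reload command failed" >&2
        return 4
    fi
    echo "deploy hook: reloaded httpd for ${RENEWED_DOMAINS:-$lineage}"
}

# Certbot exports RENEWED_LINEAGE when it invokes a deploy hook; when the
# variable is unset (manual run, tests) the script does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_httpd "$RENEWED_LINEAGE"
fi
```

A non-zero exit from the hook is reported in Certbot's output and log, so a failed config test shows up there rather than leaving Apache serving the old certificate unnoticed.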