Does renewing change the certificate/key files?

Hi, I’m using certbot to generate a certificate/key for use with NodeJS as a standalone server. When I renew the certificate, will this actually change the files privkey.pem and cert.pem (which would require my server to restart)?

Or does the renewal mean the same files (loaded on the server) are valid for another 90 days?

The file “cert.pem” will always change on renewal.

The most obvious files, and the ones Certbot would advise you to use, are actually softlinks. When renewal occurs, Certbot will create a new key (by default at least, you might be able to switch this off) and obtain a new certificate. It would need the new certificate even if the key didn’t change because certificates are signed public documents; the dates are baked inside them. The new cert (and key) are in new files, but the softlinks are updated to point to them.

Most Unix-type software has the concept of “reload”, in which the software continues handling old connections but in parallel it “forks” to load the new configuration and begin serving any new connections with that configuration. So hopefully your node.js setup can just use reload. Certbot has a feature called “hooks” which can run commands whenever a renewal actually happens, so check the documentation for how to use those.


Thanks so much for the information, it is not ideal but will work! You’re right, I will use --deploy-hook for this.

Thanks for the info, you’re right I could hotswap them using a system called SNI, but I think it will be better to just use --deploy-hook and live with 5s of downtime.
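The reload approach described in the answer above, as an added example that is not from any poster in this thread: a Node.js HTTPS server re-reads the files behind Certbot's softlinks and swaps them in with `server.setSecureContext()`, without a restart. It assumes the `--deploy-hook` command sends SIGHUP to the Node process; the function names and the signal choice are illustrative.

```javascript
const fs = require('node:fs');
const path = require('node:path');
const https = require('node:https');

// Read key and chain through certbot's live/ symlinks. fullchain.pem (leaf plus
// intermediates) sits beside the cert.pem and privkey.pem named in the thread.
function loadTlsMaterial(liveDir) {
  const certPath = path.join(liveDir, 'fullchain.pem');
  return {
    key: fs.readFileSync(path.join(liveDir, 'privkey.pem')),
    cert: fs.readFileSync(certPath),
    // Which file the symlink points at right now, for the log line.
    resolvedCert: fs.realpathSync(certPath),
  };
}

// Swap new material into a running server. Connections already established
// are not interrupted; later handshakes use the new context. If reading or
// parsing fails, the previous context stays in place and null is returned.
function reloadTls(server, liveDir, log = console) {
  try {
    const { key, cert, resolvedCert } = loadTlsMaterial(liveDir);
    server.setSecureContext({ key, cert });
    log.info(`TLS context reloaded from ${resolvedCert}`);
    return resolvedCert;
  } catch (err) {
    log.error(`TLS reload failed, keeping previous context: ${err.message}`);
    return null;
  }
}

// Hypothetical wiring: the --deploy-hook command sends SIGHUP to this process.
function startServer(liveDir, port, handler) {
  const { key, cert } = loadTlsMaterial(liveDir);
  const server = https.createServer({ key, cert }, handler);
  process.on('SIGHUP', () => reloadTls(server, liveDir));
  return server.listen(port);
}
```

The process needs read access to privkey.pem at reload time, not only at startup, so a server that drops privileges after binding its port must still be able to open the key file.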
