Help wanted for automatic-renewal

I prefer using the Cloudflare DNS plugin to generate a wildcard SSL cert on the NGINX server.

I had this cron rule:

14 5 * * * /usr/bin/certbot renew --quiet --post-hook "/usr/sbin/service nginx reload" > /dev/null 2>&1

After a few months or days, I see …

I can solve it by typing reboot when this occurs, but is there any way I can prevent it from happening again?

Thanks

1 Like

Does that command work?

Not sure if you mean
A: to stop the problem from happening (“FIX”)
B: or looking for a way to overcome it (“WORKAROUND”)

If A, then you need to find a command that works to reload NGINX when a cert is renewed or find the reason it is failing; start by removing the --quiet.
If B, then you have many options… You could introduce an additional cron job that can reload/restart NGINX at any interval less than the time between the latest renewal and the expiration of the currently in use cert.

1 Like

Hi,

Let me rephrase my original query.

  • I am using Ubuntu 18.04 x64
  • I obtain the Let’s Encrypt SSL cert via the Cloudflare DNS plugin
  • Internally, it seems the SSL certificate renews automatically
  • I see NET::ERR_CERT_DATE_INVALID
  • When I reload nginx or reboot, I then see a different issue and expiry date for the cert in the web browser compared to the earlier cert.

My question is

  • Does certbot automatically renew and reload the NGINX config as well?

If yes, maybe I can smoothly use Let’s Encrypt SSL without issues.

1 Like

It renews by default.
It does not reload the web service by default.
But your cron job shows the inclusion of:

which is how certbot would try to reload nginx when a cert was renewed.

So we need to understand why that call fails.
For that, please show the output of:
sudo /usr/sbin/service nginx reload
Or if there are any other errors preventing that call from even being executed.
For that, we can remove the --quiet from the cron job and review the logs after it runs (without it).

2 Likes

If it renews automatically, that’s great.
Then, can I keep the rule below to reload the NGINX config every day?

0 0 * * *  /etc/init.d/nginx reload >/dev/null 2>&1

My assumption is that

  1. certbot will renew
  2. and reload the nginx config every day to ensure the latest cert is reflected as quickly as possible

1 Like

If it works, yes.
[test it first]

2 Likes

Yes, I tested it over a short period of time, and it worked for me on Ubuntu 20.04 x64. Thanks for your support.

2 Likes

That means you can change:

to just:

14 5 * * * /usr/bin/certbot renew --quiet > /dev/null 2>&1
2 Likes
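
The symptom discussed in this thread (certbot renews the cert on disk, but nginx keeps serving the old one until it is reloaded) can be checked for directly. The script below is an added example, not code from any poster in the thread: it compares the fingerprint of the cert on disk with the one nginx presents, and reloads only when they differ. The CERT path and HOST name are placeholders, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread: detect nginx serving an older cert than
# the one certbot wrote to disk, and reload only in that case.
# CERT and HOST are placeholders; set them for your own site.
CERT="${CERT:-/etc/letsencrypt/live/example.com/fullchain.pem}"
HOST="${HOST:-example.com}"
PORT="${PORT:-443}"

# Reduce openssl's "sha256 Fingerprint=AA:BB:..." line to bare lowercase hex.
normalise_fp() {
    sed -n 's/^.*[Ff]ingerprint=//p' | tr -d ':' | tr 'A-F' 'a-f'
}

# Fingerprint of the leaf certificate in the file certbot maintains.
disk_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | normalise_fp
}

# Fingerprint of the leaf certificate nginx actually presents over TLS.
served_fp() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | normalise_fp
}

# ok: same cert; stale: nginx needs a reload; unknown: a lookup failed.
cert_state() {
    if [ -z "$1" ] || [ -z "$2" ]; then echo unknown
    elif [ "$1" = "$2" ]; then echo ok
    else echo stale
    fi
}

check_and_reload() {
    state=$(cert_state "$(disk_fp "$CERT")" "$(served_fp "$HOST" "$PORT")")
    case "$state" in
        ok)    return 0 ;;
        stale) echo "nginx serves an old cert for $HOST; reloading" >&2
               # Validate the config first so a bad edit cannot take the site down.
               nginx -t && /usr/sbin/service nginx reload ;;
        *)     echo "could not compare certs for $HOST" >&2; return 2 ;;
    esac
}

# Run only when called as: script.sh check (e.g. from cron, without >/dev/null).
if [ "${1:-}" = "check" ]; then check_and_reload; fi
```

With a wildcard cert, HOST must be a name that the nginx server block actually answers for, since the name is sent as SNI.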