--renew-hook doesn't restart nginx on Debian 8


#1

Hi! I’ve been trying to fix it for a while and checked all the similar questions but still can’t figure it out.

I’m running certbot 0.10.2 on Debian 8.11 with nginx 1.6.2.

My /etc/cron.d/certbot looks like this:

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "service nginx reload"

But nginx is never reloaded, so I need to do it manually each 3 months. :frowning:

It’s reloaded when I run this from root:
certbot -q renew --force-renew --renew-hook "service nginx reload"

Also, I can’t find anything relevant to hooks or nginx in /var/log/letsencrypt/ except for:
DEBUG:certbot.main:Arguments: ['--renew-hook', 'service nginx reload']

What could be the problem? Thanks!


#2

Well, if you have systemd (which you do, by default, in Debian 8) then the cron job will be ignored in favour of the systemd timer.

That being said, once you’ve used the --renew-hook successfully once, it should be remembered from then on and used automatically without you having to specify it explicitly each time. Check the configuration in /etc/letsencrypt/renewal/ to see if that happened when you ran the command manually - the renew hook should now appear in the configuration file for the cert(s) you renewed.

(At least, recent versions of certbot do this - I don’t remember whether 0.10.2 did it with the “renew” command or not)


#3

Thank you, yes, it was added to /etc/letsencrypt/renewal/sitename.com after the forced renewal that I ran today. And thanks for the systemd tip – I wasn’t aware of this behavior.


#4

I guess I should clarify that this is not something that is universally true of systemd but rather a consequence of the way the cron job in Debian’s certbot package is written.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.