Ubuntu 16.04 LTS has automatic letsencrypt cron job. Problem is the cron job doesn't reload nginx too. How to fix?

Is there a recommended way to add “sudo systemctl restart nginx” on the cron job?

I’ve seen people throw it into the /etc/cron.d/certbot - is this a good practice?

Also one noob question about cron jobs: Are they only executed after the system has been fully launched or is it also run while the system is launching? (I ask because one reason “while launching” could be a problem is you wouldn’t know that “restart nginx” would work as nginx might not be loaded yet.)

You can supply the --post-hook option to certbot when obtaining a certificate, and it will run the command you specify if it actually gets the certificate. For example (I'm assuming you're using the webroot plugin):

sudo certbot certonly --webroot -w /var/www -d example.com --post-hook "systemctl restart nginx"

Certbot will remember this option (it's stored in the file /etc/letsencrypt/renewal/example.com.conf) and will run the same command again when the cron job runs certbot renew. You can also edit that file manually, to add a line like

post_hook = systemctl restart nginx

in the [renewalparams] section.

The post-hook option is better, because it only restarts nginx when a certificate was actually renewed, rather than every time the cron job runs.

It depends on the operating system. Some have a defined order in which daemons (such as crond and nginx) are started. Others try to start everything in parallel. I think Ubuntu 16.04 is one of the latter? However I wouldn't worry too much about it - if nginx hasn't started then the challenge will fail anyway, so it won't matter if the post-hook fails to restart it as there will be no new certificate to pick up anyway. (EDIT: I previously said the post-hook wouldn't even run if the challenge failed, but that's not correct. I was probably thinking of --renew-hook. Sorry)

2 Likes

And as far as I know a reload is enough to load the new certificates. So a post_hook = systemctl reload nginx should be enough - and faster than a full restart. Please correct me if reload is not enough.

1 Like

Thank you, I'll put a reload in there instead and see if it works - I'll find out in 3 months :slight_smile:

Excellent! Thank you.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.