I ran sudo certbot certonly --deploy-hook "service nginx reload" --agree-tos --redirect --uir --hsts --staple-ocsp --must-staple --rsa-key-size 3072 -a webroot --webroot-path=/srv/webroot/examplecom -d example.com -d www.example.com, and then tested if it would renew and reload using sudo certbot renew --force-renewal --cert-name example.com
Part of the output reads Running deploy-hook command: service nginx reload and a line down New certificate deployed without reload
But why without reload? Certbot just told me it ran “service nginx reload” but then denies reloading.
Checking the live server I do indeed see that the web-server was not reloaded.
As a side question: What is the difference between using --renewal-hook and --deploy-hook?
My web server is (include version):
nginx 1.14.12
The operating system my web server runs on is (include version):
Debian 9.8
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.10.2
The "deployed without reload" is a standard sentence of the certonly command. This is in contrast with the run command (most of the time left out of the full CLI command entirely) in combination with the apache or nginx installer. When one of those plugins is used, apache or nginx will be reloaded automatically as part of the installation process.
When using the certonly command, no such installation happens and therefore certbot announces a successful certificate issuance, but without a reload. This is independent of the --deploy-hook command. Certbot doesn't have any clue about the contents of anything in the deploy hook. You chose to use a reload command. But anyone else might have some other role for the hook. Certbot doesn't know and doesn't care.
Therefore, the line you're seeing about the lack of reloading must be seen as completely independent of the use of the deploy hook.
But certbot did run the service nginx reload command. Any chance that command is in error?
Got it.
It needed to be run as root (sudo service nginx reload), and nginx was throwing an unrelated error I had to resolve before it would reload. Thanks.
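
An added example, not part of the original thread and not certbot's own code: a deploy hook script that makes the two failures found above (not running as root, and nginx refusing to reload because of a configuration error) visible instead of leaving the old certificate served silently. `NGINX_BIN`, `RELOAD_CMD` and `HOOK_UID` are hypothetical override variables introduced here so the logic can be exercised without a real nginx.

```shell
#!/bin/sh
# Added example: certbot deploy hook that refuses to fail silently.
# NGINX_BIN, RELOAD_CMD and HOOK_UID are hypothetical overrides for this
# example; by default the real nginx binary and service command are used.

NGINX_BIN="${NGINX_BIN:-nginx}"
RELOAD_CMD="${RELOAD_CMD:-service nginx reload}"

# Messages go to stderr so they show up next to certbot's own output.
log() { printf 'deploy-hook: %s\n' "$*" >&2; }

# Exit status: 0 reloaded, 2 not root, 3 config test failed, 4 reload failed
reload_nginx() {
    uid="${HOOK_UID:-$(id -u)}"
    if [ "$uid" -ne 0 ]; then
        log "running as uid $uid, reload needs root"
        return 2
    fi
    # nginx -t parses the configuration without touching the running server,
    # so a broken config is reported before a reload is attempted.
    if ! out=$("$NGINX_BIN" -t 2>&1); then
        log "nginx -t failed, old certificate is still being served:"
        log "$out"
        return 3
    fi
    if ! sh -c "$RELOAD_CMD"; then
        log "'$RELOAD_CMD' failed"
        return 4
    fi
    log "nginx reloaded"
    return 0
}

# certbot sets RENEWED_LINEAGE when it runs a deploy hook; only act then.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    log "new certificate in $RENEWED_LINEAGE"
    reload_nginx
    exit $?
fi
```

Saved as an executable file, the script's path would be passed to --deploy-hook in place of "service nginx reload"; a non-zero exit status then points at which step failed.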