Why does certbot not reload if it does run the deploy hook?

#1

I ran sudo certbot certonly --deploy-hook "service nginx reload" --agree-tos --redirect --uir --hsts --staple-ocsp --must-staple --rsa-key-size 3072 -a webroot --webroot-path=/srv/webroot/examplecom -d example.com -d www.example.com , and then tested if it would renew and reload using sudo certbot renew --force-renewal --cert-name example.com

Part of the output reads Running deploy-hook command: service nginx reload and a line down New certificate deployed without reload

But why without reload? Certbot just told me it ran “service nginx reload” but than denies reloading.
Checking the live server I do indeed see that the web-server was not reloaded.

As a side question: What is the difference between using --renewal-hook and --deploy hook ?

My web server is (include version):
nginx 1.14.12

The operating system my web server runs on is (include version):
Debian 9.8

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.10.2

#2

The “deployed without reload” is a standard sentence of the certonly command. This in contrast with the run command (most of the time left out entirely of the full CLI command) in combination with the apache or nginx installer. When one of those plugins is used, apache or nginx will be reloaded automatically due to the process of the installing.

When using the certonly command, such installation won’t be happening and therefore, certbot announces a successful certificate issuance, but without a reload. This is independent of the --deploy-hook command. Certbot doesn’t have any clue to the contents of anything in the deploy hook. You choose to use a reload command. But anyone else might have some other role for the hook. Certbot doesn’t know and doesn’t care.

Therefore, the line you’re seeing about the lack of reloading must be seen completely independent of the use of the deploy hook.

But certbot did run the service nginx reload command. Any chance that command is in error?

You can learn all about the hooks in the certbot manual on https://certbot.eff.org/docs/using.html

2 Likes
#3

Got it.
needed to be run as root (sudo service nginx reload) and nginx was throwing an unrealted error I had to resolve before it would reload. Thanks.

closed #4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.