
We have the following setup: multiple Linux servers with Ubuntu 20.04 and 22.04. Hosted on these servers are websites for our customers. We are using certbot to generate or renew certificates. As webserver we are using nginx.

The certificates are generated with the following command:

certbot --webroot-path /path/to/webroot -d domain.name

For the renewal the following cronjob is executed:

certbot -q --post-hook "service nginx reload" renew

This setup was working like a charm until December last year. But recently the post hook is not working anymore:

service nginx reload

So certbot successfully requests the certificate and writes the new certificate into the store. But after the reload command nginx is not using the new certificate.

I debugged the behaviour and none of the following commands load the new certificate:

nginx -t && nginx -s reload
/etc/init.d/nginx reload
systemctl reload nginx
nginx -s reload
nginx -t -q && nginx -s reload

Only a hard restart of the service helps and then the new certificate is used:

systemctl restart nginx

I could not find any information regarding this behaviour. Are there any other admins with the same problem? I would rather not keep restarting the service, to prevent downtime and interruptions after renewal.

Greg Askew
premar
  • Is your nginx config pointing to the correct certificate file? – Gerald Schneider Mar 30 '23 at 09:26
  • Yes, the path to the certificate and private pem is always the same. As stated, the certificate in the directory gets renewed. That means the old certificate in the path is overridden by the new certificate. But the nginx server is not loading the new certificate after reload. It still uses the certificate from memory. Only the hard restart of the nginx service prompts it to load the new certificate from the path. – premar Mar 30 '23 at 14:02
  • Apparently we are the only ones with the problem at the moment. Therefore, as a workaround, I have now adjusted the hook as follows: `systemctl restart nginx`. And moved the renewal to a late edge time. Not the best solution, but one that works at the moment. – premar Apr 06 '23 at 06:37
  • Any luck with a proper solution? – mirkobrankovic May 25 '23 at 10:00
  • No, still working with the restart after the renewal. – premar May 31 '23 at 06:58
  • If the line in the config pointing to the certificate does not change then nginx will not reload the certificate. If the line in the config pointing to the certificate does change, for instance when the cert name changes, then nginx will load the new certificate into memory. – Charles D Pantoga Jul 25 '23 at 12:26
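A way to make the hook verify itself instead of blindly restarting, as an added example that is not part of the question, of certbot or of nginx: a `--deploy-hook` script that reloads nginx, compares the SHA-256 fingerprint of the leaf certificate in the renewed fullchain.pem with the certificate the listener actually presents, and falls back to a full restart only when they differ. It relies on certbot's RENEWED_LINEAGE and RENEWED_DOMAINS hook variables; port 443 and the restart-on-mismatch policy are assumptions.

```python
#!/usr/bin/env python3
"""Certbot deploy hook (added example, not from the question): reload nginx,
then confirm the listener really presents the renewed certificate, and fall
back to a full restart only when it still serves the stale one."""
import hashlib
import os
import ssl
import subprocess
import sys

END = "-----END CERTIFICATE-----"


def fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the first (leaf) certificate in a PEM string,
    so a fullchain.pem compares equal to the single leaf a client sees."""
    leaf = pem.lstrip()
    leaf = leaf[: leaf.index(END) + len(END)]
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(leaf)).hexdigest()


def needs_restart(disk_pem: str, served_pem: str) -> bool:
    """True when the certificate on disk differs from the one being served."""
    return fingerprint(disk_pem) != fingerprint(served_pem)


def served_cert(host: str, port: int = 443) -> str:
    """Fetch the leaf certificate nginx presents for this SNI name (network call)."""
    return ssl.get_server_certificate((host, port))


def main() -> int:
    # certbot exports these two variables for --deploy-hook scripts.
    lineage = os.environ["RENEWED_LINEAGE"]
    domain = os.environ["RENEWED_DOMAINS"].split()[0]
    subprocess.run(["systemctl", "reload", "nginx"], check=True)
    with open(os.path.join(lineage, "fullchain.pem")) as f:
        disk_pem = f.read()
    if needs_restart(disk_pem, served_cert(domain)):
        # Assumed policy: the asker's restart workaround, but only when needed.
        print(f"{domain}: reload kept a stale certificate, restarting nginx",
              file=sys.stderr)
        subprocess.run(["systemctl", "restart", "nginx"], check=True)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it via `certbot renew --deploy-hook /path/to/this/script` in place of the `--post-hook`; its exit status and stderr line also give you a log trail of how often the reload actually fails to pick up the new file.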

0 Answers