
I'm using the certbot --webroot plugin and certbot renew to renew the certificate, which does work, but it looks like httpd is caching the certificate and does not "see" that it's been updated.

Is there a signal for httpd to reload the certificates?

p.s. I prefer not to restart httpd to avoid downtime.

rustyx

1 Answer


To get httpd to notice the new certificates you need to request that it do a "graceful restart". From the docs:

The USR1 or graceful signal causes the parent process to advise the children to exit after their current request (or to exit immediately if they're not serving anything). The parent re-reads its configuration files and re-opens its log files. As each child dies off the parent replaces it with a child from the new generation of the configuration, which begins serving new requests immediately.

As such, a graceful restart won't cause downtime.

In order to get letsencrypt/certbot to trigger a graceful restart use the --post-hook argument. This argument will run a command once if any cert renewal was attempted. From the docs:

Command to be run in a shell after attempting to obtain/renew certificates. Can be used to deploy renewed certificates, or to restart any servers that were stopped by --pre-hook. This is only run if an attempt was made to obtain/renew a certificate. (default: None)

So the command you would want is

certbot renew --post-hook "apachectl graceful"

or if run from a cron job

certbot renew --quiet --post-hook "apachectl graceful"

(Thanks to @RustyX for help with this answer)

gene_wood

  • Thanks for pointing out the error in my solution! I deleted it. – rustyx Aug 11 '16 at 19:38
  • Is there an option to only use the post hook if it successfully renewed the cert? – malhal Mar 15 '17 at 20:17
  • @malhal The `--post-hook` only triggers if the cert was renewed. If no renewal is needed it doesn't trigger. – gene_wood Mar 16 '17 at 21:15
  • AFAIU, the `--post-hook` command is run only if a renewal was attempted (but not if the certificate was still valid and renewal was skipped). The `--deploy-hook` is run only if the renewal was successful. – Jérôme Nov 19 '18 at 14:52
  • Still AFAIU, `--deploy-hook` was added in version 0.17, released in July 2017, after your answer and your comment above. – Jérôme Nov 19 '18 at 14:56
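The following is an added example, not code from the question, the answer or the certbot project. It puts the answer's "apachectl graceful" into a script meant for the `--deploy-hook` option mentioned in the comments (so it runs only after a successful renewal, not on every attempt), reloads only if httpd actually references the renewed lineage and the config passes a syntax check, and then verifies that httpd is serving the new certificate, which is the symptom the question describes. RENEWED_LINEAGE and RENEWED_DOMAINS are the variables certbot exports to deploy hooks; the HTTPD_CONF_DIR default, the config file layout and the hostnames are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original question or answer): a certbot
# --deploy-hook that gracefully reloads httpd only when a lineage httpd uses
# was renewed, then checks that the running server presents the new cert.
#
# RENEWED_LINEAGE and RENEWED_DOMAINS are set by certbot for deploy hooks.
# HTTPD_CONF_DIR and the config layout are assumptions for this example.

HTTPD_CONF_DIR="${HTTPD_CONF_DIR:-/etc/httpd/conf.d}"

# httpd_uses_lineage LINEAGE CONF_DIR
# Succeeds when a file under CONF_DIR has an SSLCertificateFile,
# SSLCertificateKeyFile or SSLCertificateChainFile directive pointing into
# LINEAGE (e.g. /etc/letsencrypt/live/example.com). The trailing "/" keeps
# example.com from matching example.com-0001. A lineage httpd never loads
# does not warrant a reload at all.
httpd_uses_lineage() {
    lineage="$1"
    conf_dir="$2"
    grep -rlE "^[[:space:]]*SSLCertificate(Key|Chain)?File[[:space:]]+\"?${lineage}/" \
        "$conf_dir" >/dev/null 2>&1
}

# cert_sha256 FILE: SHA-256 fingerprint of the leaf certificate in FILE.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# served_cert_sha256 HOST: fingerprint of the cert httpd presents for HOST
# (SNI, port 443).
served_cert_sha256() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# reload_httpd: graceful restart. The parent re-reads its config and replaces
# children as they finish their current request, so nothing is dropped. A
# broken config would be re-read by the parent and leave the old generation
# running, so run configtest first and refuse to reload on failure.
reload_httpd() {
    if ! apachectl configtest >/dev/null 2>&1; then
        echo "apachectl configtest failed; not reloading" >&2
        return 1
    fi
    apachectl graceful
}

deploy_hook_main() {
    if ! httpd_uses_lineage "$RENEWED_LINEAGE" "$HTTPD_CONF_DIR"; then
        echo "httpd does not reference $RENEWED_LINEAGE; nothing to do"
        return 0
    fi
    echo "renewed $RENEWED_DOMAINS; gracefully reloading httpd"
    reload_httpd || return 1

    # Confirm the new generation of children serves the renewed cert, using
    # the first name in the space-separated RENEWED_DOMAINS list.
    host="${RENEWED_DOMAINS%% *}"
    sleep 2
    want="$(cert_sha256 "$RENEWED_LINEAGE/fullchain.pem")"
    got="$(served_cert_sha256 "$host")"
    if [ "$want" = "$got" ]; then
        echo "httpd now serves the renewed certificate for $host ($got)"
    else
        echo "WARNING: $host still serves $got, expected $want" >&2
        return 1
    fi
}

# certbot sets RENEWED_LINEAGE only when it invokes a deploy hook; when the
# file is run any other way, just define the functions and explain.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook_main
else
    echo "RENEWED_LINEAGE is not set; run via: certbot renew --deploy-hook $0" >&2
fi
```

Install it somewhere executable and run `certbot renew --quiet --deploy-hook /path/to/this-script` from cron. Compared with the answer's `--post-hook "apachectl graceful"`, the hook above does nothing when the certificate was still valid and renewal was skipped, and a failed `configtest` or a mismatched served fingerprint makes the hook exit non-zero, so certbot reports it instead of silently leaving the old certificate in service.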