
Every three months, my Let's Encrypt certificate expires, and my customers get an invalid https certificate.

So I recently placed the following cron task:

@weekly certbot renew --quiet && service nginx reload

From my understanding, when certbot renew successfully updates the certificate, it returns a success state (exit(0)), so the && is followed, and so nginx is reloaded.

Yes, but it doesn't work. I recently had my server showing an expired certificate again, so I certainly misunderstood something, and/or my cron task is not good.

Could you show me the path please? :)

Cyril N.

1 Answer


A better approach is to use --renew-hook, which can call a script. Also, --no-self-upgrade is a good option for automatic renewal; this option prevents updates during renewal, which can break something.

The cron record can be:

certbot renew --quiet --no-self-upgrade --renew-hook /path/to/hook.sh

hook.sh

#!/bin/sh
# Stop at the first failing command so certbot sees a non-zero exit status
set -e
# Validate the configuration before asking the running nginx to reload it;
# a failed test now aborts the script instead of being masked by a final exit 0
nginx -t -q
nginx -s reload

This script is called only when a renewal actually happens, not every week.

The full explanation is in the man page or in the documentation.

Quantim
    `--renew-hook` flag has been deprecated in recent versions of certbot. You should move your renew script into `/etc/letsencrypt/renewal-hooks/deploy/01-reload-nginx` - see https://www.guyrutenberg.com/2017/01/01/lets-encrypt-reload-nginx-after-renewing-certificates/ for more details. – Dmytro Zavalkin Feb 26 '20 at 08:31
  • Documentation for the renewal hooks: https://eff-certbot.readthedocs.io/en/stable/using.html#renewing-certificates – mousetail Nov 30 '21 at 09:27
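As an added example (not code from the answer or its commenters), here is the deploy-hook script the comments point to, written to live at /etc/letsencrypt/renewal-hooks/deploy/01-reload-nginx. It replaces the deprecated --renew-hook flag (certbot's current equivalent is --deploy-hook, and any executable in that deploy directory runs automatically after a successful renewal). It relies on two environment variables certbot exports to deploy hooks, RENEWED_LINEAGE and RENEWED_DOMAINS, to record what was renewed, and it only reloads nginx after the configuration self-test passes, propagating a non-zero exit status to certbot so a failed reload is visible in the renewal logs rather than silently producing an expired certificate again.

```shell
#!/bin/sh
# Added example of a certbot deploy hook, assumed to be installed as
# /etc/letsencrypt/renewal-hooks/deploy/01-reload-nginx (executable).
# certbot runs every executable in that directory after a successful renewal and
# exports RENEWED_LINEAGE (the renewed certificate directory) and RENEWED_DOMAINS
# (space-separated names) to the hook.

# Return 0 only when the nginx configuration passes its self-test. A broken
# config must never be reloaded into the running server.
nginx_config_ok() {
    nginx -t -q 2>/dev/null
}

# Test the config, then reload. The exit status goes back to certbot, so a failed
# reload is reported by "certbot renew" instead of being swallowed by an exit 0.
reload_nginx() {
    if ! nginx_config_ok; then
        echo "nginx configuration test failed; not reloading" >&2
        return 1
    fi
    nginx -s reload
}

# One-line audit record of what certbot just renewed (values are the ones
# certbot exports; "unknown" only appears when run outside certbot).
renewal_log_line() {
    printf 'renewed lineage=%s domains=%s\n' \
        "${RENEWED_LINEAGE:-unknown}" "${RENEWED_DOMAINS:-unknown}"
}

# certbot sets RENEWED_LINEAGE when invoking a deploy hook. When the script is
# run by hand or sourced for testing, nothing is reloaded.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    renewal_log_line
    reload_nginx
fi
```

With this in place the cron entry needs no "&& service nginx reload" of its own: "certbot renew --quiet" runs the hook only when a certificate was actually renewed, and a reload failure surfaces as a non-zero hook status in certbot's output.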