I am deploying new certificates for my domains to use on web and email services. To do that, I am using Certbot, a program to create and renew Let's Encrypt certificates.
Every tutorial I've seen requires restarting web (apache) or email services (dovecot).
Does anyone know how to deploy a new certificate for apache or dovecot and start using it without restarting it?
The certbot documentation describes a method for obtaining a certificate without having to restart the webserver, using the webroot plugin: https://certbot.eff.org/docs/using.html#webroot
To summarize, you need to pass in a few extra arguments to the certbot command for your renewal: certonly, --webroot, and --webroot-path or -w. So the full command would look something like this:
certbot renew certonly --webroot -w /var/www/example/ -d www.example.com
According to the docs:
The webroot plugin works by creating a temporary file for each of your requested domains in ${webroot-path}/.well-known/acme-challenge. Then the Let’s Encrypt validation server makes HTTP requests to validate that the DNS for each requested domain resolves to the server running certbot.
This allows Let's Encrypt to perform the domain verification without stopping Apache to bind to port 80, 443, etc.
For Apache 2.4: "apachectl graceful" (aka "reload") does reload the certificates for me (tested with ubuntu 16.04 using 2.4.18-2ubuntu3). The caveat: There is a lot of information on the web that says apache requires a full restart instead of a reload to accept new certificates. Since for me a graceful reload was enough I would say it is possible, perhaps even likely that for older apache versions more than a reload was needed once?
You could make a script that first does the certbot renewal and then apachectl graceful. Or just 2 cronjobs, where the apachectl graceful happens after the certbot cronjob.
This problem is not as bad though IMHO: Letsencrypt will renew the certificates up to 30 days before expiry. Personally I restart my servers more often, because my weekly-run ubuntu autoupdater is configured in "/etc/apt/apt.conf.d/50unattended-upgrades" with "Unattended-Upgrade::Automatic-Reboot "true";" and the chance that it will not have an update that makes it want to reboot for full 30 days is pretty low.
If you don't want reboots, you will have to check your other services (postfix, dovecot come to mind if you also have mail on the server) on what they need to accept a new certificate and then add that to your script that starts "certbot renew".
Certbot has a built in command to renew all your certificates:
certbot renew certonly --webroot -w /var/www/example/ -d www.example.com
If you want to just reload the configuration after you already created a cert, simply run sudo service nginx reload or sudo service apache2 reload. This will reload the configuration without restarting (so without downtime) of your website.
I use this method to automatically renew my Let's Encrypt SSL certificate via cronjob, but it will work for certbot as well. For more detail see Automatically renew Let's Encrypt SSL certificate
