Certbot auto-renew didn’t work because nginx wasn’t reloaded


Two sites on my server (Debian on nginx) use Certbot SSL certificates, and I was greeted with a browser notice that one of them had expired. Certbot creates a cron job that renews the certificates automatically, and that part works, but nginx has to be reloaded afterward for the new certificate to take effect. Installing Certbot does not set that reload up; it only creates this cron job at /etc/cron.d/certbot

0 */12 * * * root test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew

To solve this, add the following to the end of the cron job command so that nginx is reloaded after each successful certificate renewal

--renew-hook "/etc/init.d/nginx reload"

The final cron command is

0 */12 * * * root test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "/etc/init.d/nginx reload"

Alternatively, you can add a line for each domain separately under the renewalparams section of the file /etc/letsencrypt/renewal/yourdomain.com.conf:

[renewalparams]
renew_hook = service nginx reload
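Pointing the hook at a bare reload command works, but it reloads nginx blindly and gives no sign of whether the new certificate is actually being served. The script below is an added example, not code from the post or from Certbot: a hook script to use in place of the plain reload in either the cron `--renew-hook` or the `renew_hook =` line above. It runs `nginx -t` before reloading, so a broken vhost file cannot take nginx down at renewal time, logs what happened, and then checks each renewed domain by comparing the SHA-256 fingerprint of the certificate nginx serves against the `fullchain.pem` Certbot just wrote. It assumes, as Certbot documents for its hooks, that `RENEWED_LINEAGE` and `RENEWED_DOMAINS` are exported to the hook; the command variables and log path are my own names and can be overridden from the environment.

```shell
#!/bin/sh
# Added example, not from the original post: a certbot renew/deploy hook that
# (1) tests the nginx config before reloading, (2) logs the outcome, and
# (3) verifies the reload took effect by comparing certificate fingerprints.
# Assumed (per certbot's hook documentation): RENEWED_LINEAGE is the path of
# the renewed lineage (/etc/letsencrypt/live/<name>) and RENEWED_DOMAINS lists
# its domains. The variables below are this script's own, not certbot's.

NGINX_TEST=${NGINX_TEST:-"nginx -t"}
NGINX_RELOAD=${NGINX_RELOAD:-"service nginx reload"}
LOG=${HOOK_LOG:-/var/log/certbot-nginx-hook.log}

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >> "$LOG"; }

# Reload nginx only if its configuration passes the syntax check.
# Returns 0 on a successful reload, 1 otherwise (old cert stays live).
safe_reload() {
    if ! $NGINX_TEST >/dev/null 2>&1; then
        log "nginx config test failed; NOT reloading (old cert stays live)"
        return 1
    fi
    if $NGINX_RELOAD >/dev/null 2>&1; then
        log "nginx reloaded after renewal of ${RENEWED_DOMAINS:-unknown}"
        return 0
    fi
    log "nginx reload command failed"
    return 1
}

# SHA-256 fingerprint of the certificate in a PEM file.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the certificate a live host actually serves.
served_fingerprint() {
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# 0 if the served certificate matches the file on disk, 1 if nginx is stale.
verify_live_cert() {
    [ "$(pem_fingerprint "$1")" = "$(served_fingerprint "$2")" ]
}

# Only act when invoked by certbot (it sets RENEWED_LINEAGE for hooks).
if [ -n "$RENEWED_LINEAGE" ]; then
    safe_reload || exit 1
    for d in $RENEWED_DOMAINS; do
        if verify_live_cert "$RENEWED_LINEAGE/fullchain.pem" "$d"; then
            log "$d now serves the renewed certificate"
        else
            log "WARNING: $d still serves the old certificate"
        fi
    done
fi
```

Save it somewhere like /usr/local/sbin/certbot-nginx-hook.sh, make it executable, and use that path as the hook command instead of the bare reload. Newer Certbot releases call this kind of hook `--deploy-hook` (`--renew-hook` is its older spelling); both only run after a certificate was actually renewed, which is why the fingerprint check is a useful signal that the reload happened. Because a config-test failure leaves the old certificate in place, tailing the log (or alerting on the WARNING line) is how you notice that a renewal succeeded on disk but never reached the browser, which is exactly the situation described above.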
