have to restart apache after certbot renew

Hello,

Just a question: I came across the situation that after the daily certbot renew command, my Apache for the website and the Dovecot one for IMAP access have to be restarted to get access to the new certificate. Otherwise I get the "webpage unsafe" error message. (I restarted Postfix, too, without looking into the log files before, just to be safe...)

Do I have to extend the cron job to restart them in the future when the certificate is renewed, or do you think I am missing something in my configuration?

Just a bit puzzled at the moment ...

Thanks in advance, susanne.
 
You can always drop a short shell script into the /usr/local/etc/letsencrypt/renewal-hooks/deploy/ folder. Scripts in there only get run after a successful renewal. I've got one that simply restarts Apache and sends me an email to tell me it renewed OK.

Alternatively, add the following flag to the cron job: --deploy-hook [cmd to run]
 
If/when the certificates change, the service that uses them typically has to be restarted or reloaded in order for the new certificates to become active.
 
If/when the certificates change, the service that uses them typically has to be restarted or reloaded in order for the new certificates to become active.
That was something that I wasn't aware of. I thought that the services would monitor the modification or creation date in those cases.

Thanks a lot!
 
Under the root account:
crontab -e
30 4 * * 7 /usr/local/bin/certbot renew --deploy-hook "service apache24 restart"

p.s.
If you need to restart more than one service, like postfix, then make a .sh script or use &&
 
I thought that the services would monitor the modification or creation date in those cases.
Most of the time they don't, I can't think of one that does, so it's best to assume you have to restart. A lot of times you can use reload instead of restart though. The difference is that a restart often actually stops the whole service, then starts it again, so there's a small window where the service is unavailable. A reload leaves everything running but reloads its configuration. This is often enough for the changed certificates to be picked up.
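As an added example, not a script posted by anyone in this thread, here is one deploy hook that does what the replies above recommend: reload rather than restart, but only after the daemon's own config syntax check passes, and then confirm that the listener is actually presenting the renewed certificate instead of trusting the reload. It relies on RENEWED_LINEAGE, the variable certbot exports to deploy hooks with the /live/<name> directory that was just renewed, and on FreeBSD's service(8). The host names, ports and the mapping from lineage to services are assumptions for the example.

```shell
#!/bin/sh
# Added example deploy hook, not code from the thread.  Assumes FreeBSD's
# service(8) and certbot's deploy-hook environment (RENEWED_LINEAGE is the
# /live/<name> directory of the lineage that was just renewed).  Host names,
# ports and the lineage-to-service mapping below are assumptions.
set -eu

# Which daemons read the files of a given lineage directory (assumed layout).
services_for_lineage() {
    case "$(basename "$1")" in
        www.example.org)  echo "apache24" ;;
        mail.example.org) echo "dovecot postfix" ;;
        *)                echo "" ;;
    esac
}

# "host port" of an implicit-TLS listener each daemon serves the cert on,
# so s_client needs no STARTTLS (assumed ports).
listener_for_service() {
    case "$1" in
        apache24) echo "www.example.org 443" ;;
        dovecot)  echo "mail.example.org 993" ;;
        postfix)  echo "mail.example.org 465" ;;
        *)        return 1 ;;
    esac
}

# Syntax-check the daemon's configuration before touching it; reloading a
# broken config is how a routine renewal turns into an outage.
config_ok() {
    case "$1" in
        apache24) apachectl configtest >/dev/null 2>&1 ;;
        dovecot)  doveconf -n >/dev/null 2>&1 ;;
        postfix)  postfix check >/dev/null 2>&1 ;;
        *)        return 1 ;;
    esac
}

# SHA-256 fingerprint of the leaf certificate in a PEM file.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the certificate a listener actually presents.
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

main() {
    lineage="$RENEWED_LINEAGE"
    want="$(file_fingerprint "$lineage/fullchain.pem")"
    for svc in $(services_for_lineage "$lineage"); do
        if ! config_ok "$svc"; then
            echo "$svc: config test failed, not reloading" >&2
            exit 1
        fi
        # reload keeps the daemon up; restart would drop live connections
        service "$svc" reload
        set -- $(listener_for_service "$svc")
        if [ "$(served_fingerprint "$1" "$2")" = "$want" ]; then
            echo "$svc: now serving $want"
        else
            echo "$svc: still serving the old certificate after reload" >&2
            exit 1
        fi
    done
}

# certbot sets RENEWED_LINEAGE when it runs a deploy hook; do nothing otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Installed as an executable file under renewal-hooks/deploy/ (or passed via --deploy-hook), it runs once per renewed lineage, so a server with separate web and mail certificates only touches the daemons that use the lineage that changed. The post-reload fingerprint comparison is the part worth keeping even if you simplify the rest: it catches the case where the reload succeeded but the daemon is still holding the old certificate.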
 
Thanks a lot to all of you!

I ended up with 3 scripts in /usr/local/etc/letsencrypt/renewal-hooks/deploy/
sh:
-rwxr-xr-x  1 root  wheel  67 Dec 12 15:26 reload_apache24.sh
-rwxr-xr-x  1 root  wheel  67 Dec 12 15:27 reload_dovecot.sh
-rwxr-xr-x  1 root  wheel  67 Dec 12 15:27 reload_postfix.sh

with the following content:
sh:
#!/bin/sh
# Derive "<service> <action>" from this script's own file name,
# e.g. reload_apache24.sh -> service apache24 reload
service `basename "$0" | sed -e 's/\(.*\)_\(.*\)\.sh/\2 \1/'`
 
Nice solution. You can improve it by making one script and hardlink (ln(1)) the others. No need to have three (or more) copies of the same file.
 