Restart Apache 2.4 in crontab after renewing letsencrypt certs with


Active Member

Reaction score: 14
Messages: 125

Hello everyone,

Is it possible to restart www/apache24 from crontab after successfully renewing letsencrypt certs with security/

This is what I have now (run each night 03:00):

* 3 * * * /usr/local/sbin/ --cron >> /var/log/acme.cron.log

Thank you,



Reaction score: 586
Messages: 1,262

look for reloadcmd and point to your .sh script that will reload or restart all services that are using certificate.

I personally use certboot with -posthook with the same .sh script for reloading postfix/apache/dovecot etc.

For apache and dovecot you need restart (not reload) for postfix you can use reload to refresh the certificate.



Reaction score: 25
Messages: 58

Of course. Even if security/ doesn't handle hooks like security/py-certbot you can add to your cronjob --reload-cmd "service apache24 force-reload" as recommended by documentation.

Your cronjob should be then (not tested though as i'm using security/py-certbot):
* 3 * * * /usr/local/sbin/ --cron --reloadcmd "service apache2 force-reload" >> /var/log/acme.cron.log

Edit: oops caught up by VladiBG 🤪


New Member

Reaction score: 7
Messages: 15

I do it through pre and post hooks as recommended by certbot, this is for my mail server, but you get the idea.

30 1 * * 7 /usr/local/bin/certbot renew -q --rsa-key-size 4096 --pre-hook '/usr/sbin/service postfix stop && /usr/sbin/service dovecot stop' --post-hook '/usr/sbin/service postfix start && /usr/sbin/service dovecot start'

Just noticed, you're using acme, my bad :S


Son of Beastie

Reaction score: 2,171
Messages: 3,008

Don't many of these tools block until completion?

So just run the tool, then the next command after a ; in the cron entry.


Active Member

Reaction score: 14
Messages: 125

Everything is working as expected, except the restart of Apache 2.4.

This is what I have right now:

0 03 * * * /usr/local/sbin/ --cron --reloadcmd "service apache24 restart" >> /var/log/acme.cron.log

Can't find any "resume" in Apache logs when a certificate is renewed.

Any ideas?


Aspiring Daemon

Reaction score: 421
Messages: 728

Don't put the reloadcmd in the cronjob! configure the command specifically for that certificate in the corresponding ~/<domain>/<domain>.conf file if you didn't already specified --reloadcmd at first cert creation. But beware - the entry is usually base64 encoded!
The easiest and safest way to update configs would be to --force a recreation of the cert (and config). This way you will immediately know if it works, not in a few weeks when the cert runs out because you botched something in the config...

Instead of directly issuing certs via command line (if you don't use configmanagement/orchestration already), write a small script for it, so you can easily re-issue, extend or change the certificate and its options later. I usually name those scripts after the service or jail they are destined for, and put them inside the folder. E.g. one of my scripts from one of my mailservers:
export DO_API_KEY="<secretkey>" --force --issue --dns dns_dgon --dnssleep 20 -d nginx1.<mymailserverdomain> -d <mymailserverdomain> --keylength ec-384 \
--cert-file "/iocell/jails/b157ed8a-9b9d-11e8-a0d3-3d48bcff2e2c/root/usr/local/etc/nginx/ssl/cert" \
--key-file "/iocell/jails/b157ed8a-9b9d-11e8-a0d3-3d48bcff2e2c/root/usr/local/etc/nginx/ssl/key" \
--fullchain-file "/iocell/jails/b157ed8a-9b9d-11e8-a0d3-3d48bcff2e2c/root/usr/local/etc/nginx/ssl/fullchain" \
--reloadcmd "service -j ioc-b157ed8a-9b9d-11e8-a0d3-3d48bcff2e2c nginx restart"
Instead of '--force' you might want to use '--test' to check if the reloadcmd works. '--test' will run the command against the LE testing servers and not count against the rate limit.
Only use '--force' against the actual letsencrypt servers if you have to re-issue the cert earlier than the usual ~90 day period (e.g. to change parameters like domains or keylenght) and you've already '--test'ed the command works, otherwise you might hit the rate limit and have to wait up to 24h to get a working certificate.

The crontab for entry only contains a single call to with the --cron parameter, which automatically goes through all configs and does the right thing™:
@daily               /usr/local/sbin/ --cron --home "/root/" > /dev/null
The 'reloadcmd' doesn't belong in the crontab! If it is interpreted at all (never tried that...), it would be executed for _all_ cert renewals, not only the apache related cert!