Reputation: 777
I have a server running some NodeJs apps (MeteorJs to be precise) on internal ports. I use Nginx to proxy_pass requests that are targeting URLs to the apps.
Let's say app_1 is running on localhost:3000; I would proxy_pass app1.domain.com to localhost:3000 and then add a firewall rule to restrict access on port 3000.
Then I add SSL on the incoming connection for app1.domain.com using letsencrypt. I generate certs using certbot certonly -w /var/www/app1 -d app1.domain.com and then set the nginx config file to use it.
Everything works flawlessly until it's time to renew the cert.
To do the renewal, I have the following cron job:
12 6 * * 3 /root/renew.sh
with the following script /root/renew.sh:
#!/bin/sh
# renew any certificates close to expiry, then reload nginx so it picks them up
certbot renew
service nginx reload
The problem I have is that upon expiration, the nginx webserver is not serving the new certificate!
So I added the following cron job:
30 6 * * 3 service nginx restart
but it still fails to refresh the certificate (which leads to errors in browsers saying the connection is not secure because the cert has expired). So I need to manually log in and reload nginx.
What is wrong with my setup?
Thanks
Upvotes: 1
Views: 4261
Reputation: 31
You can set everything in one cron job line (modified basic setup):
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook "nginx -t && systemctl restart nginx"
This cron job is triggered twice every day to check whether the certificate expires within the next 30 days. It shouldn't cause performance problems.
If it is about to expire, it will renew it quietly without generating output and restart NGINX to apply the changes. If the certificate is not about to expire, it will not perform any action.
Be aware that the --deploy-hook argument was added in certbot version 0.17, released in July 2017.
Upvotes: 3
Reputation: 777
After more testing, here is the answer to this issue:
Set the cron job to point to a bash script:
12 6 * * 3 /root/renew.sh
And set the bash script like this:
#!/bin/bash
certbot renew
# give the renewal time to finish before nginx re-reads the certificate files
sleep 1m
service nginx reload
Note the presence of the sleep command, which waits until the renewal is done.
Upvotes: 1
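A variant of the renewal script, added here as an example and not taken from the question or either answer: it reloads nginx only through the --deploy-hook described in the first answer (so the reload runs only when a certificate was actually renewed) and then checks that the certificate nginx presents on port 443 matches the file certbot wrote, which is the failure the question describes. It assumes the name app1.domain.com from the question, certbot's default /etc/letsencrypt/live path, and a systemd-managed nginx.

```shell
#!/bin/sh
# Added example, not code from the question or either answer.
# Assumptions: host name app1.domain.com, certbot's default live path,
# and a systemd-managed nginx reloaded with systemctl.
set -eu

HOST="app1.domain.com"
CERT="/etc/letsencrypt/live/${HOST}/fullchain.pem"
RELOAD="nginx -t && systemctl reload nginx"

# Reduce openssl's "SHA256 Fingerprint=AB:CD:..." to a bare lowercase string
# so on-disk and served values compare without caring about prefix or case.
normalize_fp() {
    printf '%s\n' "$1" | sed 's/^.*=//' | tr 'A-F' 'a-f'
}

# Fingerprint of the certificate file certbot maintains on disk.
disk_fp() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# Fingerprint of the leaf certificate presented for host $1 (via SNI) on port $2.
served_fp() {
    normalize_fp "$(openssl s_client -servername "$1" -connect "$1:$2" \
        </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256)"
}

# 0 when both fingerprints are non-empty and identical, 1 otherwise.
fps_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

main() {
    # --deploy-hook runs only after a certificate was actually renewed, so the
    # reload never races the renewal and no fixed sleep is needed.
    certbot -q renew --deploy-hook "$RELOAD"
    # Post-check: what nginx serves must be what is on disk, or renewal is not live.
    if fps_match "$(disk_fp "$CERT")" "$(served_fp "$HOST" 443)"; then
        echo "OK: nginx serves the certificate in $CERT"
    else
        echo "MISMATCH: nginx still serves an old certificate for $HOST" >&2
        exit 1
    fi
}

# Run the real renewal only when asked, so the functions can be sourced or tested.
case "${1:-}" in
    run) main ;;
esac
```

Invoke it from cron as /root/renew.sh run; a MISMATCH exit is exactly the condition the question describes and is the thing worth alerting on.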