
nginx not reloading certificate after renewal


We have the following setup: multiple Linux servers with Ubuntu 20.04 and 22.04. Hosted on these servers are websites for our customers. We use certbot to generate or renew certificates. As the web server we use nginx.

The certificates are generated with the following command:

certbot --webroot-path /path/to/webroot -d domain.name

For the renewal the following cronjob is executed:

certbot -q --post-hook "service nginx reload" renew

This setup was working like a charm until December last year. But recently the post hook is not working anymore:

service nginx reload

So certbot successfully requests the certificate and writes the new certificate into the store. But after the reload command nginx is not using the new certificate.

I debugged the behaviour, and none of the following commands loads the new certificate:

nginx -t && nginx -s reload
/etc/init.d/nginx reload
systemctl reload nginx
nginx -s reload
nginx -t -q && nginx -s reload

Only a hard restart of the service helps and then the new certificate is used:

systemctl restart nginx

I could not find any information regarding this behaviour. Are there any other admins with the same problem? I would prefer not to keep restarting the service, to prevent downtime and interruptions after renewal.

Is your nginx config pointing to the correct certificate file?
premar:
Yes, the path to the certificate and private key PEM is always the same. As stated, the certificate in the directory gets renewed. That means the old certificate in the path is overridden by the new certificate. But the nginx server is not loading the new certificate after the reload. It still uses the certificate from memory. Only a hard restart of the nginx service prompts it to load the new certificate from the path.
premar:
Apparently we are the only ones with this problem at the moment. Therefore, as a workaround, I have now adjusted the hook as follows: `systemctl restart nginx`. And I moved the renewal to a late edge time. Not the best solution, but one that works at the moment.
mirkobrankovic:
Any luck with a proper solution?
premar:
No, still working with the restart after the renewal.
Charles D Pantoga:
If the line in the config pointing to the certificate does not change, then nginx will not reload the certificate. If the line in the config pointing to the certificate does change, for instance when the cert name changes, then nginx will load the new certificate into memory.
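The workaround in this thread is an unconditional restart. A safer post-hook, added here as an example (not code from the thread or from certbot), first reloads nginx and then compares the SHA-256 fingerprint of the renewed file on disk with the certificate nginx actually presents for the domain, restarting only when the reload left the old certificate in memory. The domain and the certificate path are assumed placeholders; the fingerprint comparison itself runs offline.

```python
#!/usr/bin/env python3
"""Assumed usage: certbot -q --post-hook "/usr/local/bin/nginx-cert-hook.py" renew"""
import base64
import hashlib
import socket
import ssl
import subprocess
import sys

# Assumed placeholders for illustration; set these for your deployment.
DOMAIN = "domain.name"
CERT_PATH = f"/etc/letsencrypt/live/{DOMAIN}/fullchain.pem"


def fingerprint_der(der: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_pem(pem_text: str) -> str:
    """Fingerprint of the first (leaf) certificate in a PEM file such as fullchain.pem."""
    body = pem_text.split("-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split("-----END CERTIFICATE-----", 1)[0]
    return fingerprint_der(base64.b64decode("".join(body.split())))


def served_fingerprint(host: str, port: int = 443) -> str:
    """Fingerprint of the leaf certificate nginx presents for this SNI name.
    Verification is disabled on purpose: we want the certificate in memory
    even if it is stale, so we can compare it with the file on disk."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return fingerprint_der(tls.getpeercert(binary_form=True))


def needs_restart(on_disk: str, served: str) -> bool:
    """True when the reload did not pick up the renewed certificate."""
    return on_disk != served


def main() -> int:
    subprocess.run(["nginx", "-t", "-q"], check=True)        # never reload a broken config
    subprocess.run(["systemctl", "reload", "nginx"], check=True)
    with open(CERT_PATH) as fh:
        expected = fingerprint_pem(fh.read())
    if needs_restart(expected, served_fingerprint(DOMAIN)):
        print("reload kept the old certificate in memory; restarting nginx", file=sys.stderr)
        subprocess.run(["systemctl", "restart", "nginx"], check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Running the script by hand after a renewal, without the restart branch, also serves as a check that the certificate nginx serves is the one certbot just wrote.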