Most of my websites are equipped with free Let's Encrypt SSL certificates. I set up automatic renewal on my server. However, surprisingly, my browser told me a certificate had expired. I went back to check the cert files on my server, and they did indeed have the new date.
The browser did not see the renewed certs because web servers (nginx in my case) only read certificates at startup. Even after a certificate has been renewed, the web server needs to be reloaded to pick up the new one; otherwise it keeps using the old one until it is restarted.
It's very simple to have nginx reload the certificate after every successful renewal. We can change certbot's config file by adding the following line to
deploy-hook = systemctl reload nginx
This makes certbot reload nginx each time it actually renews a certificate, not every time the certbot renewal check runs.
To verify that the hooks are working, you can run certbot renew --dry-run. The result will show you if the deploy-hook option is picked up by certbot.
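The symptom described at the top (new files on disk, old certificate in the browser) can also be checked directly. The script below is an added example, not part of the original post: it compares the certificate the server presents with the one on disk, and the host name and PEM path given on the command line are assumptions you supply.

```python
import hashlib
import socket
import ssl
import sys


def pem_fingerprint(pem_text):
    """SHA-256 of the first (leaf) certificate in a PEM file such as a full chain."""
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    start = pem_text.index(begin)
    leaf = pem_text[start:pem_text.index(end, start) + len(end)]
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(leaf)).hexdigest()


def served_der(host, port=443, timeout=5.0):
    """Fetch the leaf certificate the server currently presents, as DER bytes."""
    ctx = ssl.create_default_context()
    # Validation is off on purpose: an expired certificate is exactly the case
    # we want to inspect, and no application data is sent over this connection.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def is_stale(disk_pem_text, served_der_bytes):
    """True when the server presents a different certificate than the one on disk."""
    served = hashlib.sha256(served_der_bytes).hexdigest()
    return pem_fingerprint(disk_pem_text) != served


if __name__ == "__main__":
    # Usage (both arguments are supplied by you):
    #   python3 check_cert.py <host> <path to the renewed PEM file>
    host, pem_path = sys.argv[1], sys.argv[2]
    with open(pem_path) as fh:
        stale = is_stale(fh.read(), served_der(host))
    print("STALE: reload the web server" if stale else "OK: served cert matches disk")
    sys.exit(1 if stale else 0)
```

The non-zero exit status on a mismatch lets a cron job or monitoring check alert when a renewal happened but the reload did not.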