[Server] Setup Let's Encrypt free SSL cert auto-renew but still got expired certificate notice on browser

Most of my websites equipped with Let's Encrypt free SSL certificate. I setup the automatically renewal on my server. However, surprisingly, my browser told me it's expired. I went back to check the cert files on my server, it's indeed with new date.

The reason for browser not seeing the renewed certs, is because web servers (nginx in my case) only read certs at starting, even the certificate has been renewed, the web server needs to reloading to get the correct certificate, otherwise it will use the old one until restart.

It's very simple to have nginx restart reload certificate after every successful renewal. We can change certbot's config file by adding the following line to /etc/letsencrypt/cli.ini

deploy-hook = systemctl reload nginx

It will let certbot to reload nginx after every it renews a certificate, not every time the certbot renewal check runs.

To verify that the hooks are working, you can run certbot renew --dry-run. The result will show you if the deploy-hook option is picked up by certbot.

Leave a Comment