Automating SSL certificate renewal with Certbot is only half of the job; you also need to ensure that your web server loads the new certificates. For most servers, this means restarting them. Certbot assists with handling this for common servers like Apache and NGINX, assuming they are configured in a typical way, but reverse proxy, virtual host, and other advanced configurations will require more care on your part. If you're running a less common setup, such as ASP.NET or an application server, you'll likely need to take advantage of a combination of your own shell scripts and Certbot hooks to ensure your service loads the renewed certs.
Why Server Restarts Are Necessary
When Certbot renews your SSL certificate, it replaces the old files on disk with new ones. However, many applications load certificates into memory only once, at startup, to avoid the latency of disk I/O. Some servers can reload certificates without a full restart, but many cannot. Without either a proper reload or a restart, your server will keep presenting the outdated certificate even though the renewal succeeded, which will effectively make your site unavailable to most users once that certificate expires.

Automatic Restarts with Certbot
Certbot's built-in Apache and NGINX plugins are designed to do most of the leg work for you, though they can struggle with more advanced configurations.
You can manually enable these plugins during initial certificate issuance, which will also modify the details of automated renewal:
sudo certbot --apache
# or
sudo certbot --nginx
Restarting or Reloading Other Servers
For other servers such as ASP.NET or Apache Tomcat, Certbot doesn't provide built-in restart options. In these cases, you'll need to set up a custom restart mechanism using Certbot's hook system. It's pretty simple if you know your way around the command line, but the necessity of it is not mentioned in most Certbot documentation, so it's a common gotcha.
Using Certbot's --deploy-hook
One solution is using Certbot's --deploy-hook option in the recurring renewal command, which executes a command or script every time a renewal actually occurs. The recurring renewal command is usually set up by Certbot to run daily with either a cron job or a systemd timer, depending on the details of your system.
sudo certbot renew --deploy-hook "systemctl restart my_server"
You'll want to modify the command in the crontab or certbot.service file to include the --deploy-hook option and the command to restart your server.
Using Renewal Hook Directories
An even more robust approach is placing scripts into Certbot's renewal hook directories. The benefit of this is that your manual modifications to the configuration won't be accidentally wiped out by either a Certbot update or a new run of certbot.
Create an executable script (e.g., restart_server.sh) to restart your server:
#!/bin/bash
systemctl restart my_server
Make it executable and ensure appropriate permissions:
sudo chmod +x restart_server.sh
sudo chmod 755 restart_server.sh
Place it in the deploy hook directory /etc/letsencrypt/renewal-hooks/deploy/ and it will be run whenever a certificate is successfully renewed, just like the --deploy-hook above.
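A fuller deploy hook along the same lines, added here as an example rather than taken from the article: it uses the RENEWED_DOMAINS and RENEWED_LINEAGE variables Certbot exports to deploy hooks to restart only the units that serve the renewed names, then checks that the listener really presents the new certificate. The domain-to-unit mapping (nginx, my_api), the host names and port 443 are assumptions for illustration.

```shell
#!/bin/sh
# Example deploy hook for /etc/letsencrypt/renewal-hooks/deploy/ (not the article's script).
# Certbot sets RENEWED_DOMAINS (space-separated) and RENEWED_LINEAGE (the live/ directory)
# when it runs deploy hooks; outside Certbot they are unset and the restart block is skipped.
set -eu

# Assumed mapping of domain -> systemd unit; adjust to your hosts.
service_for_domain() {
    case "$1" in
        www.example.com|example.com) echo "nginx" ;;
        api.example.com)             echo "my_api" ;;
        *)                           return 1 ;;
    esac
}

# Print the unique set of units serving any renewed domain, so renewing one
# lineage does not bounce unrelated services. Unmapped domains are reported.
services_for_domains() {
    for d in $1; do
        if unit=$(service_for_domain "$d"); then
            echo "$unit"
        else
            echo "no service mapped for $d; skipping" >&2
        fi
    done | sort -u
}

# Compare the SHA-256 fingerprint presented by a live listener with the one
# Certbot just wrote, which proves the reload actually took effect.
served_cert_matches_disk() {  # host port certfile
    served=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
             | openssl x509 -noout -fingerprint -sha256)
    disk=$(openssl x509 -in "$3" -noout -fingerprint -sha256)
    [ -n "$served" ] && [ "$served" = "$disk" ]
}

if [ -n "${RENEWED_DOMAINS:-}" ]; then
    for unit in $(services_for_domains "$RENEWED_DOMAINS"); do
        # reload-or-restart reloads units that support it and restarts the rest
        systemctl reload-or-restart "$unit"
    done
    first=${RENEWED_DOMAINS%% *}
    sleep 2   # give the unit a moment to bind before checking
    if served_cert_matches_disk "$first" 443 "$RENEWED_LINEAGE/fullchain.pem"; then
        echo "$first now presents the renewed certificate"
    else
        echo "WARNING: $first still presents a different certificate" >&2
        exit 1   # a non-zero exit makes Certbot log the hook failure
    fi
fi
```

A non-zero exit from the hook surfaces in Certbot's log, so a monitoring job that watches the renewal run's result will catch a server that silently kept the old certificate.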
Confirming Your Configuration
Always confirm your configuration by running a Certbot renewal test:
sudo certbot renew --dry-run
Be sure to include the --deploy-hook option if you're using it.
Prepare for Trouble
Whether through built-in Certbot plugins or custom renewal hook scripts, a robust renewal and restart strategy is essential to keeping your services secure and online, but things can (and will) go wrong! Security experts recommend a certificate monitoring service like CertNotifier to receive timely alerts when renewals fail and certificates approach expiration.