How to Restart Your Server After Certbot Certificate Renewal

Renewing your SSL certificates using Certbot is only part of maintaining secure HTTPS connections. Equally important is ensuring that your web server or application recognizes and loads the newly renewed certificates. Certbot automatically handles this for common servers like Apache and Nginx when configured correctly—but if you're running an application server like ASP.NET or Apache Tomcat, you'll need to manage server restarts manually or via automation scripts.

Why Server Restarts Are Necessary

When Certbot renews your SSL certificate, it updates the certificate files on disk. However, many servers or applications load SSL certificates into memory only at startup or during specific reload actions. Without a proper reload or restart, your server continues to use outdated certificates, potentially causing connection issues or downtime despite successful renewal.

Automatic Restarts with Certbot

Certbot provides built-in options to restart or reload popular web servers automatically:

  • Apache: Certbot typically restarts or reloads Apache automatically if configured with the --apache plugin.
  • Nginx: Similarly, Certbot reloads Nginx with the --nginx plugin.

You can verify or manually set these configurations during initial certificate issuance:

sudo certbot --apache
# or
sudo certbot --nginx

Manually Restarting or Reloading Application Servers

For application servers such as ASP.NET, Apache Tomcat, or others, Certbot doesn't provide built-in restart options. In these cases, you'll need to set up a custom restart mechanism using Certbot's hook system:

Using Certbot’s --deploy-hook

The easiest way is using Certbot’s --deploy-hook in the recurring renewal command (either in a timer or cron job), which executes a command or script every time a renewal occurs:

sudo certbot renew --deploy-hook "systemctl restart my_server"

Replace my_server with your specific server service name.

Using Renewal Hook Directories

Another robust approach is placing scripts into Certbot's renewal hook directories. Scripts placed here run automatically during renewals:

  • Deploy Hook Directory: /etc/letsencrypt/renewal-hooks/deploy/
    • Create an executable script (e.g., restart-app.sh) to restart your server:

#!/bin/bash
systemctl restart my_server

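Make it executable and ensure appropriate permissions. Hooks run with Certbot's privileges (normally root), so the script should be writable only by its owner: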

sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/restart-app.sh
sudo chmod 755 /etc/letsencrypt/renewal-hooks/deploy/restart-app.sh

This ensures your application server restarts after every successful certificate renewal.
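
A deploy hook can also confirm that the restart actually loaded the new certificate. The script below is an added example, not code from the original article: it uses the RENEWED_LINEAGE and RENEWED_DOMAINS variables that Certbot exports to deploy hooks, restarts the service only when its own certificate was renewed, and compares the fingerprint served on the port with the file on disk. SERVICE, HOST, PORT and the 5-second wait are assumptions.

```bash
#!/bin/bash
# Added example: restart one service after renewal and verify the served certificate.
# SERVICE, HOST and PORT are assumptions; set them for your own server.
SERVICE="${SERVICE:-my_server}"
HOST="${HOST:-www.example.com}"
PORT="${PORT:-443}"

# Succeeds if domain $1 appears in the space-separated list $2 (RENEWED_DOMAINS).
domain_renewed() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# SHA-256 fingerprint of the first PEM certificate read from stdin.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the leaf certificate the running server presents on $1:$2.
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | fingerprint
}

# Compare disk fingerprint $1 with served fingerprint $2.
verdict() {
    if [ -z "$2" ]; then echo "unreachable"
    elif [ "$1" = "$2" ]; then echo "ok"
    else echo "stale"
    fi
}

main() {
    # Hooks in the deploy directory run for every renewed certificate; skip the others.
    domain_renewed "$HOST" "$RENEWED_DOMAINS" || exit 0
    systemctl restart "$SERVICE" || { echo "restart of $SERVICE failed" >&2; exit 1; }
    sleep 5   # assumed grace period for the service to start listening
    disk=$(fingerprint < "$RENEWED_LINEAGE/cert.pem")
    served=$(served_fingerprint "$HOST" "$PORT")
    result=$(verdict "$disk" "$served")
    [ "$result" = "ok" ] && exit 0
    echo "$SERVICE is $result after restart: disk=$disk served=$served" >&2
    exit 1
}

# Certbot exports RENEWED_LINEAGE to deploy hooks; without it (e.g. when sourced) do nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

A "stale" result means the service came back up but is still presenting the old certificate, which is the failure described under "Why Server Restarts Are Necessary".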

Confirming Your Configuration

Always confirm your configuration by running a Certbot renewal test:

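sudo certbot renew --dry-run

A dry run calls pre and post hooks but does not call deploy hooks, so also run the restart script once by hand to confirm that it works.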

Keeping SSL Smooth and Seamless

Properly restarting servers after certificate renewal ensures your service remains secure and uninterrupted. Whether through automatic Certbot integrations or custom renewal hook scripts, a robust renewal and restart strategy is essential to keeping your services secure and online. Things can (and do) still go wrong, though. For more reliability, use a certificate monitoring service like CertNotifier to receive alerts when renewals fail and certificates approach expiration.