Let's Encrypt certificate failed to renew

Posted on May 19, 2018 at 9:36 am

On a VPS I noticed that a Let's Encrypt certificate had failed to renew automatically. After some research I found that the cause was the certbot/letsencrypt script not executing the "post-hook" command (which reloads the web server) after the certificate was renewed. In fact, the certificate was renewed according to the letsencrypt logs:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/mywebsite.com.conf
Cert not yet due for renewal
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/mywebsite.com/fullchain.pem (skipped)
No renewals were attempted.

But the web server was not reloaded!

A quick fix to make sure the site recognizes the cert is to reload the web server:

/etc/init.d/nginx reload

Then to fully fix this issue (for future renewals) I removed this line from /etc/crontab:

# Lets Encrypt
0 */12 * * * root certbot renew --webroot --noninteractive --post-hook "service nginx reload"

* It was redundant because /etc/cron.d/certbot already runs the same renewal job.

Then I modified /etc/cron.d/certbot by adding the post-hook code:

# /etc/cron.d/certbot: crontab entries for the certbot package
# Upstream recommends attempting renewal twice a day
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --post-hook "service nginx reload"

This is the post-hook code added:

--post-hook "service nginx reload"

That’s all.
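The two halves of the problem above are a post-hook that must reliably reload the web server, and a way to notice when it has not. The script below is an added example (not from the original post): the `hook` mode runs `nginx -t` before `service nginx reload` so a broken config never leaves the old certificate silently in service, stamps a marker file only on a successful reload, and logs every outcome; the `check` mode compares the certificate's mtime against that marker and reports a missing reload, which is exactly the state the post describes. The marker path, log path and the `cert_reload_status` helper are assumptions; the certificate path mirrors the post's `mywebsite.com` example.

```shell
#!/bin/sh
# Added example, not from the original post. CERT_PATH mirrors the post's
# domain; RELOAD_MARKER and LOG_FILE are hypothetical paths.
CERT_PATH="${CERT_PATH:-/etc/letsencrypt/live/mywebsite.com/fullchain.pem}"
RELOAD_MARKER="${RELOAD_MARKER:-/var/lib/certbot/nginx-reloaded.stamp}"
LOG_FILE="${LOG_FILE:-/var/log/certbot-post-hook.log}"

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$*" >> "$LOG_FILE"
}

# Post-hook body: refuse to reload on a broken config (a failed reload would
# keep serving the old certificate), and write the marker only on success so
# a non-zero exit shows up in certbot's output as well as in the log.
reload_nginx() {
    if ! nginx -t >> "$LOG_FILE" 2>&1; then
        log "nginx -t failed; reload skipped, old certificate still served"
        return 1
    fi
    if ! service nginx reload >> "$LOG_FILE" 2>&1; then
        log "nginx reload failed"
        return 1
    fi
    touch "$RELOAD_MARKER"
    log "nginx reloaded after certificate renewal"
}

# Drift check for the failure in the post: certificate renewed on disk, but
# the server never reloaded. Returns 0 when the last recorded reload is at
# least as recent as the certificate file, 1 when a reload is missing,
# 2 when the certificate file itself is absent.
cert_reload_status() {
    cert="$1"
    marker="$2"
    if [ ! -f "$cert" ]; then
        echo "ERROR: certificate not found: $cert"
        return 2
    fi
    if [ ! -f "$marker" ]; then
        echo "RELOAD MISSING: no reload has ever been recorded for $cert"
        return 1
    fi
    # POSIX find -newer: prints the cert only if its mtime is later than the marker's.
    if [ -n "$(find "$cert" -newer "$marker" -print)" ]; then
        echo "RELOAD MISSING: $cert is newer than the last reload at $marker"
        return 1
    fi
    echo "OK: server reloaded since $cert was last written"
    return 0
}

# Usage: "$0 hook" as the certbot --post-hook, "$0 check" from a monitoring cron.
case "${1:-}" in
    hook)  reload_nginx ;;
    check) cert_reload_status "$CERT_PATH" "$RELOAD_MARKER" ;;
esac
```

Install it as `--post-hook "/usr/local/sbin/certbot-nginx-hook.sh hook"` (path is an assumption) and run the `check` mode from a separate cron entry or monitoring job, so that a renewal without a reload produces an alert instead of an expired certificate. Note that the packaged cron line shown above only runs when `/run/systemd/system` does not exist (the `\! -d /run/systemd/system` test), so on a systemd host that edit has no effect; there the hook belongs in certbot's own configuration, for example a `post-hook = ...` line in `/etc/letsencrypt/cli.ini`, where the timer-driven renewal will pick it up.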

Alternatively you can keep your entry in /etc/crontab and remove the file:
