Renew letsencrypt certificate on Apache httpd
To get httpd
to notice the new certificates you need to request that it do a "graceful restart". From the docs :
The USR1 or graceful signal causes the parent process to advise the children to exit after their current request (or to exit immediately if they're not serving anything). The parent re-reads its configuration files and re-opens its log files. As each child dies off the parent replaces it with a child from the new generation of the configuration, which begins serving new requests immediately.
As such a graceful restart won't cause downtime.
In order to get letsencrypt/certbot to trigger a graceful restart use the --post-hook
argument. This argument will run a command once if any cert renewal was attempted. From the docs:
Command to be run in a shell after attempting to obtain/renew certificates. Can be used to deploy renewed certificates, or to restart any servers that were stopped by --pre-hook. This is only run if an attempt was made to obtain/renew a certificate. (default: None)
So the command you would want is
certbot renew --post-hook "apachectl graceful"
or if run from a cron job
certbot renew --quiet --post-hook "apachectl graceful"
(Thanks to @RustyX for help with this answer)
Related videos on Youtube
rustyx
Updated on September 18, 2022Comments
-
rustyx almost 2 years
I'm using
certbot
--webroot
plugin andcertbot renew
to renew the certificate, which does work, but it looks likehttpd
is caching the certificate and does not "see" that it's been updated.Is there a signal for
httpd
to reload the certificates?p.s. I prefer not to restart
httpd
to avoid downtime. -
rustyx almost 8 yearsThanks for pointing out the error in my solution! I deleted it.
-
malhal over 7 yearsIs there an option to only use the post hook if it successfully renewed the cert?
-
gene_wood over 7 years@malhal The
--post-hook
only triggers if the cert was renewed. If no renewal is needed it doesn't trigger. -
Jérôme over 5 yearsAFAIU, the
--post-hook
command is run only if a renewal was attempted (but not if the certificate was still valid and renewal was skipped). The--deploy-hook
is run only if the renewal was successful. -
Jérôme over 5 yearsStill AFAIU,
--deploy-hook
was added in version 0.17, released in July 2017, after your answer and your comment above.