You can find existing renewal configurations and their hooks in this folder:
/etc/letsencrypt/renewal/
Under the [renewalparams] section of the configuration file, the pre-hook is keyed pre_hook, and the post-hook is keyed post_hook. You can change them or create them if they don't exist already.
FWIW, I have a configuration with the nginx installer and the standalone authenticator without any hooks on Certbot 0.31, and the new certificate is deployed without restarting nginx.service at all!
Demonstration:
root@demo [~]# cat /etc/letsencrypt/renewal/demo.deltik.org.conf
# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/demo.deltik.org/cert.pem
privkey = /etc/letsencrypt/live/demo.deltik.org/privkey.pem
chain = /etc/letsencrypt/live/demo.deltik.org/chain.pem
fullchain = /etc/letsencrypt/live/demo.deltik.org/fullchain.pem
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/demo.deltik.org
# Options and defaults used in the renewal process
[renewalparams]
installer = nginx
# authenticator = standalone
authenticator = standalone
account = d41d8cd98f00b204e9800998ecf8427e
# pre_hook = systemctl stop nginx.service
# post_hook = systemctl restart nginx.service
server = https://acme-v02.api.letsencrypt.org/directory
root@demo [~]# date
Fri Jun 7 14:42:46 UTC 2019
root@demo [~]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/demo.deltik.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
/etc/letsencrypt/live/demo.deltik.org/fullchain.pem expires on 2019-08-21 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@demo [~]# certbot renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/demo.deltik.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator standalone, Installer nginx
Renewing an existing certificate
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/demo.deltik.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/demo.deltik.org/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@demo [~]# systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2019-05-23 15:44:40 UTC; 2 weeks 0 days ago
Docs: man:nginx(8)
Process: 2789 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
Process: 2799 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 2790 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 2811 (nginx)
Tasks: 5 (limit: 4915)
CGroup: /system.slice/nginx.service
├─ 2811 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
├─24553 nginx: worker process
├─24554 nginx: worker process
├─24555 nginx: worker process
└─24556 nginx: worker process
May 23 15:44:40 demo systemd[1]: Starting A high performance web server and a reverse proxy server...
May 23 15:44:40 demo systemd[1]: Started A high performance web server and a reverse proxy server.
root@demo [~]# openssl s_client -connect demo.deltik.org:443 </dev/null 2>&1 | openssl x509 -in - -text -noout | grep -A2 'Validity'
Validity
Not Before: Jun 7 13:43:35 2019 GMT
Not After : Sep 5 13:43:35 2019 GMT
Thanks it worked ! – Antoine – 2019-06-13T10:37:34.173
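To see at a glance which certificates under /etc/letsencrypt/renewal/ have a pre_hook or post_hook set (hooks are shell commands that run during renewal, so they are worth reviewing), the following is an added example, not part of the original answer or of Certbot. It assumes Python's configparser is an adequate stand-in reader for these files; the function names and the two sample files are constructed for illustration.

```python
import configparser
import tempfile
from pathlib import Path

RENEWAL_DIR = Path("/etc/letsencrypt/renewal")  # folder named in the answer
KEYS = ("authenticator", "installer", "pre_hook", "post_hook")

def read_renewal_params(conf_path):
    """Return the [renewalparams] section of one renewal file as a dict."""
    # The files begin with section-less keys (cert, privkey, ...), which
    # configparser rejects, so a dummy section header is prepended.
    parser = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False)
    parser.read_string("[lineage]\n" + Path(conf_path).read_text())
    if not parser.has_section("renewalparams"):
        return {}
    return dict(parser["renewalparams"])

def audit_hooks(renewal_dir=RENEWAL_DIR):
    """Map each certificate name to its plugins and configured hooks."""
    report = {}
    for conf in sorted(Path(renewal_dir).glob("*.conf")):
        params = read_renewal_params(conf)
        # None means the key is absent or commented out with '#'.
        report[conf.stem] = {key: params.get(key) for key in KEYS}
    return report

# Constructed samples: one file with hooks commented out (as in the
# demonstration above) and one with both hooks active.
NO_HOOKS = """cert = /etc/letsencrypt/live/nohooks.example.test/cert.pem
[renewalparams]
installer = nginx
authenticator = standalone
# pre_hook = systemctl stop nginx.service
# post_hook = systemctl restart nginx.service
"""
WITH_HOOKS = NO_HOOKS.replace("nohooks", "hooks").replace("# ", "")

def demo():
    """Write the samples to a temporary folder and audit that folder."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "nohooks.example.test.conf").write_text(NO_HOOKS)
        (Path(tmp) / "hooks.example.test.conf").write_text(WITH_HOOKS)
        return audit_hooks(tmp)

if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

On a real host, call audit_hooks() with no argument as a user that can read /etc/letsencrypt/renewal/.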