This script is a post hook for certbot which validates all of your nginx config files and, only if the test passes, reloads the NGINX server.
You can follow my detailed how-to tutorial on setting up a Debian server over here, which contains everything you need to install and configure certbot and get it up and running on your Debian 10 machine.
If you've followed my instructions above, or you already have a working certbot installation, then your next step is to configure certbot to run this script so that NGINX is reloaded whenever certificates are successfully renewed.
First, create the nginx-reload.sh post hook file:
$ sudo nano /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh
Copy the code of the script by clicking here and paste it into your /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh file.
Once you have saved the file, make it executable, then test your nginx config and reload nginx:
$ sudo chmod a+x /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh
$ sudo nginx -t && sudo systemctl reload nginx
Done. The script is now set up to work automatically in the background: certbot runs a cron job twice daily, and whenever a certificate is renewed, your newly created post hook script is executed.
The script is not intended to be run manually; its primary purpose is to serve as a certbot post hook once certbot has finished renewing a domain. That said, you can execute the script manually or via certbot as follows.
Certbot
With certbot, the hook runs after the renew command has completed.
$ sudo certbot renew
Manual
Running the script by hand only performs the config check and reload.
$ sudo /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh
Executing the nginx-reload.sh file when there are no errors in any of your nginx config or virtual host files prints the following success messages to your console:
$ sudo /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh
Removing old log file.
Success: Reloading nginx server.
Similarly, when the certbot cron job runs this post hook script, the following successful output is shown:
$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh
Output from nginx-reload.sh:
Removing old log file.
Success: Reloading nginx server.
Executing the nginx-reload.sh file when there is an error in your nginx config or virtual host files prints the following error message together with the log file output:
$ sudo /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh
Removing old log file.
Fail: Error with config file.
Aborting nginx restart.
Log file output:
nginx: [emerg] "worker_connections" directive is not allowed here in /etc/nginx/nginx.conf:7
nginx: configuration file /etc/nginx/nginx.conf test failed
Similarly, when the certbot cron job runs this post hook script with a broken config, the following output is shown, and certbot reports the hook's non-zero exit code:
$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh
Output from nginx-reload.sh:
Removing old log file.
Fail: Error with config file.
Aborting nginx restart.
Log file output:
nginx: [emerg] "worker_connections" directive is not allowed here in /etc/nginx/nginx.conf:7
nginx: configuration file /etc/nginx/nginx.conf test failed
Hook command "/etc/letsencrypt/renewal-hooks/post/nginx-reload.sh" returned error code 1
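A minimal implementation of the hook behaviour described above, written here as an added example (it is not the author's nginx-reload.sh, whose code is linked earlier on this page): it runs the nginx syntax test, keeps the test output in a log file, and reloads nginx only when the test passes, printing the same success and failure messages shown in the console output above. The log path and the test/reload commands are assumptions and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example, not the author's nginx-reload.sh: a certbot post hook that
# validates the nginx config and reloads nginx only when the test passes.
# The defaults below are assumptions; override them via the environment.
LOG_FILE="${LOG_FILE:-/var/log/nginx-reload.log}"        # assumed log path
NGINX_TEST="${NGINX_TEST:-nginx -t}"                     # config syntax test
NGINX_RELOAD="${NGINX_RELOAD:-systemctl reload nginx}"   # graceful reload

# check_config: run the syntax test and capture its stdout+stderr in
# $LOG_FILE. Returns the test command's exit status (0 = config is valid).
check_config() {
    if [ -f "$LOG_FILE" ]; then
        echo "Removing old log file."
        rm -f "$LOG_FILE"
    fi
    $NGINX_TEST >"$LOG_FILE" 2>&1
}

# run_hook: reload nginx if the config is valid; otherwise print the captured
# log and return 1, so certbot reports "returned error code 1" for the hook.
run_hook() {
    if check_config; then
        echo "Success: Reloading nginx server."
        $NGINX_RELOAD
    else
        echo "Fail: Error with config file."
        echo "Aborting nginx restart."
        echo "Log file output:"
        cat "$LOG_FILE"
        return 1
    fi
}

# Only act when invoked as the hook script itself, so the functions above can
# be sourced from another file without triggering a reload.
case "${0##*/}" in
    nginx-reload.sh) run_hook; exit $? ;;
esac
```

Because the reload is skipped on a failed test, a broken virtual host file never takes a running nginx down; the old configuration keeps serving until the error in the log is fixed.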
MIT https://opensource.org/licenses/MIT
Copyright (c) 2021 Justin Hartman https://justinhartman.co
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
You are most welcome @ynott ;-)