
I have a server running some NodeJs apps (MeteorJs to be precise) on internal ports. I use Nginx to proxy_pass requests targeting those URLs to the apps.

Let's say app_1 is running on localhost:3000; I proxy_pass app1.domain.com to localhost:3000 and then add a firewall rule to restrict access to port 3000.

Then I add SSL on the incoming connection for app1.domain.com using letsencrypt. I generate the certs using certbot certonly -w /var/www/app1 -d app1.domain.com and then set the nginx config file to use them.

Everything works flawlessly until it's time to renew the cert.

To do the renewal, I have the following cron job:

12 6 * * 3 /root/renew.sh

with the following script /root/renew.sh:

#!/bin/sh
# Run by cron; certbot only renews certificates that are close to expiry
certbot renew
# Make nginx pick up the renewed certificate files
service nginx reload

The problem I have is that upon expiration, the nginx webserver is not serving the new certificate!

So I added the following cron job :

30 6 * * 3 service nginx restart

but it still fails to refresh the certificate (which leads to errors in browsers, saying the connection is not secure because of cert expiration). So I need to manually log in and reload nginx.

What is wrong with my setup?

Thanks


2 Answers


You can set everything in one cronjob line (modified basic setup):

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# /etc/cron.d format: the sixth field ("root") is the user to run as.
# Drop it if you paste this into root's own crontab (crontab -e).
# "test -x ... -a \! -d /run/systemd/system": only run if certbot is installed
# and the host is not systemd-managed (on systemd the certbot.timer already
# does this). The perl one-liner adds a random delay of up to 12 hours so
# that all hosts do not hit Let's Encrypt at the same minute.
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook "nginx -t && systemctl restart nginx"

This cron job is triggered twice every day to check whether the certificate expires within the next 30 days. It shouldn't cause performance problems.

If it is about to expire, it will auto-renew it quietly without generating output and restart NGINX to apply the changes. If the certificate is not about to expire, it will not perform any action.

Be aware that the --deploy-hook argument was added in certbot version 0.17, released in July 2017.

answered 2020-05-27T10:41:57.770
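The answer above puts the reload in a --deploy-hook on the command line. A deploy hook can also live as an executable in /etc/letsencrypt/renewal-hooks/deploy/, where certbot runs it after every successful renewal of any lineage during certbot renew, whichever cron job or timer triggered the run, and exports RENEWED_LINEAGE and RENEWED_DOMAINS to it. The script below is an added example, not code from the thread or from certbot: it refuses to reload when nginx -t fails (so a broken config does not take the site down while the old, still-valid certificate keeps being served), and it logs what it did so the next "why is the old cert still served" question can be answered from the log. The log path and the NGINX_TEST/NGINX_RELOAD variables are assumptions made for this example; the variables exist so the logic can be exercised without a real nginx.

```shell
#!/bin/sh
# Added example (not from the original thread): a certbot deploy hook that
# reloads nginx only after the renewed lineage is on disk and "nginx -t" passes.
# Install as /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh, chmod 0755.
# certbot runs it after each successful renewal with RENEWED_LINEAGE set to
# e.g. /etc/letsencrypt/live/app1.domain.com; it runs nothing when no cert
# was due. Log path and the two command variables are assumptions.

NGINX_TEST="${NGINX_TEST:-nginx -t}"
NGINX_RELOAD="${NGINX_RELOAD:-systemctl reload nginx}"
LOGFILE="${LOGFILE:-/var/log/letsencrypt/deploy-hook.log}"

log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOGFILE"
}

# reload_nginx LINEAGE_DIR
# Returns 0 when nginx was reloaded,
#         1 when the lineage has no fullchain.pem/privkey.pem (nothing to load),
#         2 when "nginx -t" failed (refuse to reload: nginx keeps serving the
#           previous certificate, which is still valid at renewal time).
reload_nginx() {
    lineage="$1"
    if [ ! -s "$lineage/fullchain.pem" ] || [ ! -s "$lineage/privkey.pem" ]; then
        log "no fullchain.pem/privkey.pem under $lineage, not reloading"
        return 1
    fi
    if ! $NGINX_TEST >> "$LOGFILE" 2>&1; then
        log "nginx -t failed, refusing to reload (old certificate stays active)"
        return 2
    fi
    if ! $NGINX_RELOAD >> "$LOGFILE" 2>&1; then
        log "reload command failed for $lineage"
        return 2
    fi
    log "reloaded nginx for $lineage (${RENEWED_DOMAINS:-domains unknown})"
    return 0
}

# Only act when certbot invoked us; sourcing the file for tests has no effect.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_nginx "$RENEWED_LINEAGE"
fi
```

Because the hook runs only when a certificate was actually renewed, there is no need for a sleep or for a separate "restart nginx" cron entry; nothing in the hook guesses at timing.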

After more testing, here is the answer to this issue:

Set the cron job to point to a bash script:

12 6 * * 3 /root/renew.sh

And set the bash script like this:

#!/bin/sh
# Weekly renewal attempt; certbot renews only certificates near expiry
certbot renew
# Give the renewal time to finish before reloading nginx
sleep 1m
service nginx reload

Note the presence of the sleep command, which waits until the renewal is done.

answered 2019-01-23T09:07:24.670
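Both answers reload nginx on a schedule and hope the file on disk and the certificate nginx presents agree. The script below is an added example, not from either answer, for checking exactly that: it compares the SHA-256 fingerprint of the leaf certificate in a lineage's fullchain.pem with the one the server presents for that host name (with SNI, since one nginx can hold several certificates), and reports how the certbot renewal window relates to the file's expiry. A mismatch after a renewal means nginx was never reloaded; a matching but expiring certificate means certbot did not renew. Host, port and path are the question's own; they are assumptions here, as is that openssl is installed.

```shell
#!/bin/sh
# Added example (not from the original thread): does nginx serve the
# certificate that is on disk?  Usage, with the question's names:
#   ./check-cert.sh app1.domain.com 443 /etc/letsencrypt/live/app1.domain.com/fullchain.pem

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
disk_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf certificate a TLS server presents for HOST.
# -servername sends SNI so nginx picks the server block for that name.
served_fingerprint() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# certs_match HOST PORT PEMFILE
# 0 = served cert is the on-disk cert, 1 = different (nginx not reloaded),
# 2 = could not read the file or could not fetch a certificate.
certs_match() {
    disk=$(disk_fingerprint "$3")
    [ -n "$disk" ] || return 2
    served=$(served_fingerprint "$1" "$2")
    [ -n "$served" ] || return 2
    [ "$disk" = "$served" ]
}

# expires_within_days PEMFILE DAYS: 0 if the cert expires within DAYS.
# certbot renew acts on certificates inside its default 30-day window.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

if [ $# -eq 3 ]; then
    host=$1; port=$2; pem=$3
    if certs_match "$host" "$port" "$pem"; then
        echo "OK: $host:$port serves the certificate in $pem"
    else
        case $? in
            1) echo "MISMATCH: $pem differs from what $host:$port serves (reload nginx)";;
            *) echo "ERROR: could not compare $pem with $host:$port";;
        esac
    fi
    if expires_within_days "$pem" 30; then
        echo "NOTE: $pem expires within 30 days; certbot renew should renew it"
    fi
fi
```

Run it right after a renewal, or from the deploy hook, to turn "the browser says the cert expired" into a precise statement about which half of the setup failed.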