serverpilot-letsencrypt

new certificate deployed without reload

Open brettburwell opened this issue 8 years ago • 6 comments

When renewing an existing certificate I'm seeing the following message in my logs: new certificate deployed without reload

When I double check the certificate at a service like sslchecker.com it confirms that the new certificate hasn't taken hold yet.

The initial install worked great, the crontab is up and running, and there aren't any other errors or messages in the log. Is there something else I might be missing / needing to do?

brettburwell, May 22 '17 14:05

I find this happens sometimes for me also.

If I log onto the server and manually refresh the service for nginx, it starts to use the new cert. It's as if the reload the script does is ignored or run too soon.

Perhaps the script needs a small sleep/delay before reloading nginx?


caroseuk, May 22 '17 14:05

Thanks for chiming in @caroseuk. I don't have any experience with bash scripts, so I wouldn't be able to say with much confidence, but the idea makes sense.

It seems like this might be related to issue #32 that you reported and issue #24 that someone else reported.

brettburwell, May 22 '17 15:05

I haven't run into this issue yet. I'll run some tests on this. Thx for reporting the problem.

lesaff, May 23 '17 16:05

Thanks @lesaff. In case it's helpful, I'm seeing this on Ubuntu 16.04.

brettburwell, May 23 '17 17:05

I managed to get around this problem by updating my cron job with:

--post-hook "service sp-nginx reload"

This makes sure that the nginx config is reloaded after successful renewals. By using reload, it doesn't stop the service, so no downtime to end users :)

caroseuk, Jun 09 '17 07:06

FWIW, #42 does not work reliably for us on a number of server pilot servers & apps.

Observed:

  • Let's Encrypt certificate is renewed.
  • nginx does not reload the newly renewed certificate.

Hypothesis:

  • The letsencrypt renewal does not properly return a 0 exit status when it executes a renewal, or it sends the status too early...
  • The && executes too quickly, thus nginx reloads before the new cert is written to disk.

A couple notes:

  • This is on Ubuntu 16.04.
  • I used deadmanssnitch.com to watch the cronjob... sure enough it did not successfully check in using the letsencrypt renew && service nginx-sp reload cron.

janson, Jul 24 '18 15:07
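
A check for the symptom reported in this thread (the renewed certificate is on disk but nginx still serves the old one), as an added example that is not part of the thread or of the serverpilot-letsencrypt project. It compares the SHA-256 fingerprint of the served leaf certificate with the on-disk file and runs the `service sp-nginx reload` command from the workaround above only when they differ; the host name and certificate path given on the command line are assumptions.

```python
import hashlib
import socket
import ssl
import subprocess
import sys

# Reload command taken from the workaround posted in this thread.
RELOAD_CMD = ["service", "sp-nginx", "reload"]
PEM_END = "-----END CERTIFICATE-----"


def fingerprint(pem: str) -> str:
    """SHA-256 of the DER bytes of the first (leaf) certificate in a PEM string."""
    pem = pem.strip()
    leaf = pem[: pem.index(PEM_END) + len(PEM_END)]  # fullchain files hold several
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(leaf)).hexdigest()


def served_pem(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Fetch the leaf certificate the server presents for `host` (SNI is sent)."""
    ctx = ssl.create_default_context()
    # Chain validation is off on purpose: a stale certificate may already be
    # expired, and the result is only compared to the on-disk file, not trusted.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def reload_if_stale(disk_pem: str, live_pem: str, run=subprocess.run) -> bool:
    """Reload nginx when it serves a different certificate than the one on disk."""
    if fingerprint(disk_pem) == fingerprint(live_pem):
        return False
    run(RELOAD_CMD, check=True)
    return True


if __name__ == "__main__":
    # Usage: check_cert.py <host> <path to the renewed certificate PEM>
    host, cert_path = sys.argv[1], sys.argv[2]
    with open(cert_path) as fh:
        stale = reload_if_stale(fh.read(), served_pem(host))
    print("reloaded: nginx was serving a stale certificate" if stale
          else "ok: served certificate matches the file on disk")
```

Run from cron a few minutes after the renewal job, this catches a reload that was skipped or that ran before the new file was written.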