# have to restart apache after certbot renew



## susannej (Dec 2, 2019)

Hello,

Just a question. I came across the situation that after the daily certbot renew command, my Apache for the website and the Dovecot one for IMAP access have to be restarted to get access to the new certificate. Otherwise I got the "webpage unsafe" error message. (I restarted Postfix too, without looking into the log files beforehand, just to be safe...)

Do I have to extend the cron job to restart them in the future if the certificate is renewed, or do you think I am missing something in my configuration?

Just a bit puzzled at the moment ...

Thanks in advance, susanne.


----------



## anlashok (Dec 2, 2019)

You can always drop a short shell script into the /usr/local/etc/letsencrypt/renewal-hooks/deploy/ folder. Scripts in there only get run after a successful renewal. I've got one that simply restarts Apache and sends me an email to tell me it renewed OK.

Alternatively, add the following flag to the cron job: `--deploy-hook [cmd to run]`


----------



## susannej (Dec 3, 2019)

Ah, that's great. Thanks a lot!


----------



## SirDice (Dec 3, 2019)

If/when the certificates change, the service that uses them typically has to be restarted or reloaded in order for the new certificates to become active.


----------



## susannej (Dec 4, 2019)

SirDice said:


> If/when the certificates change, the service that uses them typically has to be restarted or reloaded in order for the new certificates to become active.


That was something that I wasn't aware of. I thought that the services would monitor the modification or creation date in those cases.

Thanks a lot!


----------



## VladiBG (Dec 4, 2019)

Under the root account:
`crontab -e`
`30 4 * * 7 /usr/local/bin/certbot renew --deploy-hook "service apache24 restart"`

P.S.
If you need to restart more than one service, like Postfix, then make a .sh script or use &&.


----------



## SirDice (Dec 4, 2019)

susannej said:


> I thought that the services would monitor the modification or creation date in those cases.


Most of the time they don't; I can't think of one that does, so it's best to assume you have to restart. A lot of the time you can use _reload_ instead of _restart_ though. The difference is that a restart often actually stops the whole service, then starts it again, so there's a small window where the service is unavailable. A _reload_ leaves everything running but reloads its configuration. This is often enough for the changed certificates to be picked up.


----------
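The deploy hook suggested in the thread (a script under renewal-hooks/deploy/ or `--deploy-hook`, one script for several services, and reload in preference to restart), worked through as an added example. This is not code from any poster; it is written for FreeBSD rc service names and uses the RENEWED_LINEAGE and RENEWED_DOMAINS variables that certbot exports to deploy hooks. The domain-to-service mapping and the example.org host names are assumptions for illustration. After reloading, it checks that the listener really presents the certificate from disk, which is the failure the original poster hit.

```shell
#!/bin/sh
# Added example deploy hook (not from this thread): install it, executable, in
# /usr/local/etc/letsencrypt/renewal-hooks/deploy/ or pass it via --deploy-hook.
# certbot runs deploy hooks only after a successful renewal and exports
# RENEWED_LINEAGE (e.g. /usr/local/etc/letsencrypt/live/example.org) and
# RENEWED_DOMAINS (space-separated). The domain->service mapping, the host
# names and the rc service names below are assumptions for illustration.

# Map the renewed domains to the rc services that load that certificate.
# Prints a de-duplicated, space-separated service list.
services_for_domains() {
    out=""
    for d in $1; do
        case "$d" in
            example.org|www.example.org)       svcs="apache24" ;;
            mail.example.org|imap.example.org) svcs="dovecot postfix" ;;
            *)                                 svcs="" ;;
        esac
        for s in $svcs; do
            case " $out " in
                *" $s "*) ;;            # already listed
                *) out="$out $s" ;;
            esac
        done
    done
    printf '%s\n' "${out# }"
}

# Prefer reload (keeps connections up); fall back to restart only if the rc
# script has no working reload target. Returns non-zero if both fail.
reload_service() {
    if service "$1" reload >/dev/null 2>&1; then
        logger -t certbot-deploy "reloaded $1"
    elif service "$1" restart >/dev/null 2>&1; then
        logger -t certbot-deploy "restarted $1 (reload failed or unsupported)"
    else
        logger -t certbot-deploy "FAILED to reload or restart $1"
        return 1
    fi
}

# Compare the SHA-256 fingerprint of the leaf certificate on disk with the one
# the listener actually presents; a mismatch means the daemon still serves the
# old certificate from memory. $4 is empty for implicit TLS or a protocol name
# for STARTTLS (e.g. imap, smtp). Needs openssl(1).
verify_served_cert() {
    host=$1; port=$2; certfile=$3; starttls=$4
    want=$(openssl x509 -noout -fingerprint -sha256 -in "$certfile") || return 2
    got=$(openssl s_client -connect "$host:$port" -servername "$host" \
              ${starttls:+-starttls "$starttls"} </dev/null 2>/dev/null |
          openssl x509 -noout -fingerprint -sha256)
    [ -n "$got" ] && [ "$want" = "$got" ]
}

# Hook body: only runs when invoked by certbot (RENEWED_LINEAGE is set).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    status=0
    services=$(services_for_domains "${RENEWED_DOMAINS:-}")
    for svc in $services; do
        reload_service "$svc" || status=1
    done
    case " $services " in
        *" apache24 "*)
            verify_served_cert www.example.org 443 "$RENEWED_LINEAGE/fullchain.pem" "" ||
                { logger -t certbot-deploy "apache24 still serving old cert"; status=1; } ;;
    esac
    case " $services " in
        *" dovecot "*)
            verify_served_cert imap.example.org 143 "$RENEWED_LINEAGE/fullchain.pem" imap ||
                { logger -t certbot-deploy "dovecot still serving old cert"; status=1; } ;;
    esac
    exit $status
fi
```

A non-zero exit makes certbot report the hook failure, so a reload that silently left the old certificate in memory shows up in the renew log instead of as a browser warning weeks later. The same fingerprint check can be run by hand after a manual `certbot renew` to confirm which daemons actually picked up the new file.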



## susannej (Dec 12, 2019)

Thanks a lot to all of you!

I ended up with 3 scripts in */usr/local/etc/letsencrypt/renewal-hooks/deploy/*

```
-rwxr-xr-x  1 root  wheel  67 Dec 12 15:26 reload_apache24.sh
-rwxr-xr-x  1 root  wheel  67 Dec 12 15:27 reload_dovecot.sh
-rwxr-xr-x  1 root  wheel  67 Dec 12 15:27 reload_postfix.sh
```

with the following content:

```
#!/bin/sh
# The file name encodes action and service: reload_apache24.sh -> service apache24 reload
name=$(basename "$0" .sh)
service "${name#*_}" "${name%%_*}"
```


----------



## SirDice (Dec 12, 2019)

Nice solution. You can improve it by making one script and hardlinking (ln(1)) the others. No need to have three (or more) copies of the same file.


----------

