
Let's Encrypt certificate renewal without downtime

Mark Sta Ana (booyaa), originally published at booyaa.wtf (2 min read)

Photo by Erica Nilsson on Unsplash (cropped)

Warning: this blog post assumes the following:

  • you are running nginx in a Docker container.
  • Let’s Encrypt has been configured correctly in the nginx container.
  • You are awesome for reading this blog.

The default behaviour of certbot (Let’s Encrypt’s command line tool) is to restart the web server. This isn’t desirable in a live environment; ideally you want your web server to reload its configuration instead. For nginx, this means sending a signal to the process, in this case HUP (hangup).

But how can you tell that your certificates have been renewed?

The approach recommended by NGINX (the organisation rather than the web server) is to check the PIDs (process IDs) before triggering nginx to reload the configuration:

```
docker top <NGINX_CONTAINER_ID> axw -o pid,ppid,command | egrep '(nginx|PID)'
PID                 PPID                COMMAND
2089                31208               tail -f /var/log/nginx/access.log
3509                31222               nginx: worker process
31222               31208               nginx: master process nginx -g daemon off;
```

The PID to observe is the one whose COMMAND is `nginx: worker process`, which in this example is 3509.

Pro-tip: you can pass ps flags to the docker top subcommand. Neat, huh?

Now let’s send a HUP signal to the container to force nginx to reload the configuration:

```
docker kill --signal HUP <NGINX_CONTAINER_ID>
```

Then re-check the PIDs:

```
docker top <NGINX_CONTAINER_ID> axw -o pid,ppid,command | egrep '(nginx|PID)'
PID                 PPID                COMMAND
2089                31208               tail -f /var/log/nginx/access.log
3643                31222               nginx: worker process
31222               31208               nginx: master process nginx -g daemon off;
```

The PID of the nginx worker process has now changed to 3643!
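The before/HUP/after check above, wrapped into a script that can run as a certbot deploy hook. This is an added example, not code from the original post; the NGINX_CONTAINER_ID environment variable, the five one-second retries, and the exit codes are assumptions.

```shell
#!/bin/sh
# Added example: reload nginx inside its Docker container with HUP and verify
# that the master actually spawned new worker processes (their PIDs changed).
set -eu

# Read `docker top ... -o pid,ppid,command` output on stdin and print the PIDs
# of "nginx: worker process" lines, one per line, sorted. The header line,
# the master process and unrelated processes (e.g. tail -f) are skipped.
worker_pids() {
  awk '$3 == "nginx:" && $4 == "worker" && $5 == "process" { print $1 }' | sort -n
}

# Succeed (exit 0) when a non-empty "after" list differs from the "before" list.
# Arguments: before-list after-list, each a newline-separated string of PIDs.
workers_changed() {
  [ -n "$2" ] && [ "$1" != "$2" ]
}

# Snapshot the current worker PIDs of one container (same docker top flags as the post).
snapshot() {
  docker top "$1" axw -o pid,ppid,command | worker_pids
}

# Send HUP so nginx re-reads its config and the renewed certificate without a
# restart, then poll until the worker PIDs change. Returns 1 if they never do.
reload_nginx() {
  container="$1"
  before="$(snapshot "$container")"
  [ -n "$before" ] || { echo "no nginx workers found in $container" >&2; return 2; }
  docker kill --signal HUP "$container" >/dev/null
  for _ in 1 2 3 4 5; do            # assumption: up to five seconds is enough
    sleep 1
    after="$(snapshot "$container")"
    if workers_changed "$before" "$after"; then
      echo "nginx reloaded: worker PIDs [$(echo "$before" | tr '\n' ' ')] -> [$(echo "$after" | tr '\n' ' ')]"
      return 0
    fi
  done
  echo "worker PIDs did not change after HUP; check 'nginx -t' and the container logs" >&2
  return 1
}

# As a certbot deploy hook: NGINX_CONTAINER_ID (assumed name) selects the container.
if [ -n "${NGINX_CONTAINER_ID:-}" ]; then
  reload_nginx "$NGINX_CONTAINER_ID"
fi
```

Unchanged PIDs after the signal usually mean the master rejected the new configuration, so the old certificate is still being served and the hook exits non-zero to make certbot report it.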

Further reading:

Discussion

LetsEncrypt revoked around 3 million certs last night due to a bug that they found. Are you impacted by this? Check out:

  • DevTo: dev.to/dineshrathee12/letsencrypt-...
  • GitHub: github.com/dineshrathee12/Let-s-En...
  • LetsEncryptCommunity: community.letsencrypt.org/t/letsen...