Let's Encrypt certificate renewal without downtime
Warning: this blog post assumes the following:
- You are running nginx in a Docker container.
- Let’s Encrypt has been configured correctly in the nginx container.
- You are awesome for reading this blog.
The default behaviour of certbot (Let’s Encrypt’s command line tool) is to restart the web server. This isn’t desirable in a live environment; ideally you want your web server to reload its configuration instead. For nginx, this involves sending a signal to the process, in this case HUP (hangup).
But how can you tell that your certificates have been renewed?
The way recommended by NGINX (the organisation rather than the web server) is to note the PIDs (process IDs) of the nginx processes before triggering nginx to reload the configuration, so that you can compare them afterwards.
docker top <NGINX_CONTAINER_ID> axw -o pid,ppid,command | egrep '(nginx|PID)'
PID PPID COMMAND
2089 31208 tail -f /var/log/nginx/access.log
3509 31222 nginx: worker process
31222 31208 nginx: master process nginx -g daemon off;
The PID you want to observe is that of the nginx worker process (see the COMMAND column), which in this example is 3509.
Pro-tip: you can pass ps flags to the docker top subcommand. Neat, huh?
Now let’s send a HUP signal to the container to force nginx to reload its configuration: docker kill --signal HUP <NGINX_CONTAINER_ID>
Then re-check the PIDs:
docker top <NGINX_CONTAINER_ID> axw -o pid,ppid,command | egrep '(nginx|PID)'
PID PPID COMMAND
2089 31208 tail -f /var/log/nginx/access.log
3643 31222 nginx: worker process
31222 31208 nginx: master process nginx -g daemon off;
The PID of the nginx worker process has now changed to 3643!
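The same check turned into a script, as an added example that is not part of the original post: a certbot deploy hook that snapshots the nginx PIDs, sends HUP with docker kill, and only reports success if the worker PIDs changed while the master PID stayed the same. It assumes the docker CLI is available where certbot runs, a container named nginx (override with NGINX_CONTAINER) and a 5-second settle time (SETTLE_SECONDS); both names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): a certbot --deploy-hook that sends
# HUP to the nginx container and then proves the reload happened by comparing
# worker PIDs before and after, as the post does by hand. The container name and
# the settle time are assumptions; override them via the environment.
NGINX_CONTAINER="${NGINX_CONTAINER:-nginx}"
SETTLE_SECONDS="${SETTLE_SECONDS:-5}"

# Read `docker top ... -o pid,ppid,command` output on stdin and print the PIDs
# of the "nginx: worker process" entries, sorted. The master is excluded on
# purpose: a HUP keeps the master and replaces only the workers.
worker_pids() {
    awk '$3 == "nginx:" && $4 == "worker" { print $1 }' | sort -n
}
# Same input; print the PID of "nginx: master process".
master_pid() {
    awk '$3 == "nginx:" && $4 == "master" { print $1; exit }'
}

# Succeed only if $1 (before) and $2 (after) show the same master PID and a
# different, non-empty set of worker PIDs. If the new config fails nginx's own
# test on HUP, the old workers stay, so unchanged worker PIDs mean NOT reloaded.
reload_verified() {
    m1=$(printf '%s\n' "$1" | master_pid); m2=$(printf '%s\n' "$2" | master_pid)
    w1=$(printf '%s\n' "$1" | worker_pids); w2=$(printf '%s\n' "$2" | worker_pids)
    [ -n "$m1" ] && [ "$m1" = "$m2" ] && [ -n "$w2" ] && [ "$w1" != "$w2" ]
}
snapshot() {
    docker top "$NGINX_CONTAINER" axw -o pid,ppid,command
}

# The hook itself: snapshot, signal, let old workers drain, re-snapshot, verify.
reload_nginx() {
    before=$(snapshot)
    docker kill --signal HUP "$NGINX_CONTAINER" >/dev/null
    sleep "$SETTLE_SECONDS"   # workers with long-lived connections may need more
    after=$(snapshot)
    if reload_verified "$before" "$after"; then
        echo "nginx reload confirmed for $NGINX_CONTAINER"
    else
        echo "nginx reload NOT confirmed; inspect: docker logs $NGINX_CONTAINER" >&2
        return 1
    fi
}
# certbot sets RENEWED_LINEAGE when running a deploy hook; only then do the real
# work, so the file can be sourced to test the parsing functions without docker.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_nginx
fi
```

Install it with certbot renew --deploy-hook /path/to/this-script.sh; a non-zero exit shows up in certbot's output, which is your cue that the new certificate is on disk but not yet served.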
Further reading: