mirror of
https://github.com/zulip/zulip.git
synced 2025-11-02 04:53:36 +00:00
certbot: Use --deploy-hook to get the cert actually served.
Certbot replaces the cert files under /etc/letsencrypt/live/, which our nginx config refers to symlinks to; but it doesn't tell nginx there's been an update, so nginx keeps serving the old cert. This is fine as long as nginx is restarted, or just told to reload its config, at some point before the cert actually expires about 30 days later. Which is probably the common case, but of course we should make it just work. So, if we actually renew a cert, tell nginx to reload its config now.
@@ -16,4 +16,5 @@ if ! zulip_conf_get_boolean certbot auto_renew; then
|
||||
fi
|
||||
|
||||
/usr/local/sbin/certbot-auto renew --quiet \
|
||||
--webroot --webroot-path=/var/lib/zulip/certbot-webroot/
|
||||
--webroot --webroot-path=/var/lib/zulip/certbot-webroot/ \
|
||||
--deploy-hook 'service nginx reload'
|
||||
|
||||
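Review bot: On the added `--deploy-hook 'service nginx reload'` line, the hook only fires when this particular run renews a cert, so a server whose cert was already renewed by an earlier run, with no nginx reload since, keeps serving the old cert until it expires. A one-time `service nginx reload` when this change is deployed would cover that case. A short comment above the option saying that nginx does not notice the replaced files under /etc/letsencrypt/live/ by itself would also keep the rationale next to the code rather than only in the commit message.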