Mark Sta Ana, on DEV Community. Originally published at booyaa.wtf.
Let's Encrypt certificate renewal without downtime

Photo by Erica Nilsson on Unsplash (cropped)

Warning: this blog post assumes the following:

  • you are running nginx in a Docker container.
  • Let’s Encrypt has been configured correctly in the nginx container.
  • You are awesome for reading this blog.

The default behaviour of certbot (Let’s Encrypt’s command line tool) is to restart the web server. This isn’t desirable in a live environment; ideally you want your web server to reload its configuration instead. For nginx, this involves sending a signal to the process, in this case HUP (hangup).

But how can you tell that your certificates have been renewed?

The way recommended by NGINX (the organisation rather than the web server) is to check the PIDs (process IDs) before triggering nginx to reload the configuration, and then check them again afterwards.

docker top <NGINX_CONTAINER_ID> axw -o pid,ppid,command | egrep '(nginx|PID)'
PID                 PPID                COMMAND
2089                31208               tail -f /var/log/nginx/access.log
3509                31222               nginx: worker process
31222               31208               nginx: master process nginx -g daemon off;

The PID you want to observe is that of the nginx worker process (see the COMMAND column), which in this example is 3509.

Pro-tip: you can pass ps flags to the docker top subcommand. Neat, huh?

Now let’s send a HUP signal to the container to force nginx to reload its configuration: docker kill --signal HUP <NGINX_CONTAINER_ID>

Then re-check the PIDs:

docker top <NGINX_CONTAINER_ID> axw -o pid,ppid,command | egrep '(nginx|PID)'
PID                 PPID                COMMAND
2089                31208               tail -f /var/log/nginx/access.log
3643                31222               nginx: worker process
31222               31208               nginx: master process nginx -g daemon off;

The PID of the nginx worker process has now changed to 3643!
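To turn the manual check above into something repeatable, here is an added example (my own script, not code from the original post or from the nginx or certbot projects) that sends HUP to the container and only reports success once the worker PIDs have actually been replaced. It assumes the container ID is passed as the first argument and that docker top prints the pid, ppid and command columns as shown above; the embedded sample listings are constructed from the post's output so the parsing can be checked offline.

```shell
#!/bin/sh
# Added example: reload nginx inside a Docker container after a certificate
# renewal and verify that the worker processes were replaced.
# Assumptions: container ID/name is $1; `docker top` prints pid,ppid,command.
set -eu

# Constructed sample output (copied from the post's listings) used for offline checks.
SAMPLE_BEFORE='PID                 PPID                COMMAND
2089                31208               tail -f /var/log/nginx/access.log
3509                31222               nginx: worker process
31222               31208               nginx: master process nginx -g daemon off;'
SAMPLE_AFTER='PID                 PPID                COMMAND
2089                31208               tail -f /var/log/nginx/access.log
3643                31222               nginx: worker process
31222               31208               nginx: master process nginx -g daemon off;'

# Read `docker top ... -o pid,ppid,command` output on stdin and print the PIDs of
# nginx worker processes as one space-separated, numerically sorted line.
# The header, the master process and unrelated lines (e.g. tail -f) are ignored.
worker_pids() {
  awk '$3 == "nginx:" && $4 == "worker" { print $1 }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Succeed only if there are workers after the reload and none of the old PIDs survive,
# i.e. every worker was re-spawned by the master.
workers_replaced() {
  before="$1"
  after="$2"
  [ -n "$after" ] || return 1
  for p in $before; do
    case " $after " in
      *" $p "*) return 1 ;;
    esac
  done
  return 0
}

# Query the live container for its current worker PIDs.
list_workers() {
  docker top "$1" axw -o pid,ppid,command | worker_pids
}

# Send HUP and poll until the workers have changed (old workers finish in-flight
# requests before exiting, so the change is not instantaneous).
reload_nginx() {
  container="$1"
  before=$(list_workers "$container")
  docker kill --signal HUP "$container" >/dev/null
  after=""
  for _ in 1 2 3 4 5 6 7 8 9 10; do
    sleep 1
    after=$(list_workers "$container")
    if workers_replaced "$before" "$after"; then
      echo "nginx reloaded: workers [$before] -> [$after]"
      return 0
    fi
  done
  echo "nginx workers did not change after HUP: before=[$before] after=[$after]" >&2
  return 1
}

# Usage: ./reload-nginx.sh <NGINX_CONTAINER_ID>
if [ "${1:-}" != "" ]; then
  reload_nginx "$1"
fi
```

The script exits non-zero when the workers do not change, so it can be wired into certbot's renewal via its --deploy-hook option and the failure will show up in certbot's own logs rather than going unnoticed. Checking that every old worker PID is gone, rather than just that one PID differs, also covers configurations with several worker processes.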

Further reading:

Top comments (1)

Dinesh Rathee

LetsEncrypt have revoked around 3 million certs last night due to a bug that they found. Are you impacted by this? Check out:

DevTo: dev.to/dineshrathee12/letsencrypt-...

GitHub: github.com/dineshrathee12/Let-s-En...

LetsEncryptCommunity: community.letsencrypt.org/t/letsen...