Hi Michael,
Great post! I can suggest one small improvement if you're interested :-)
# every Monday at 2:35am
35 2 * * 1 service apache2 restart >> /var/log/letsencrypt/le-apache2-reload.log
Instead of unconditionally restarting apache2 weekly you could do two things:
1. Using service apache2 reload instead of restart will reduce your downtime but still let Apache pick up certificates that have changed on disk.
2. You can avoid the apache2 restart cron entry altogether and use Certbot's --deploy-hook feature of the renew command.
Adding --deploy-hook "service apache2 reload" to your Certbot renew crontab will ensure Apache2 is gracefully reloaded only when a certificate is actually renewed.
Hope that helps!
Thanks for the suggestion, I didn't know about that flag. That definitely seems like the way to go.
I updated the post with your code example.
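As an added example (not code from the original post or from the comment above), the deploy hook can be a small script instead of a bare reload command: it checks the Apache configuration with apache2ctl configtest before reloading and records the outcome in the log file the post already uses. The CONFIGTEST_CMD, RELOAD_CMD and LOG_FILE override variables are assumptions made for this sketch; RENEWED_LINEAGE and RENEWED_DOMAINS are the variables Certbot sets for deploy hooks.

```shell
#!/bin/sh
# Added example: deploy hook for `certbot renew --deploy-hook <path to this script>`.
# Certbot runs deploy hooks only after a successful renewal and exports
# RENEWED_LINEAGE (live directory of the cert) and RENEWED_DOMAINS.

# Overridable commands and log path (names are assumptions of this sketch;
# the log path is the one used in the post's crontab).
CONFIGTEST_CMD="${CONFIGTEST_CMD:-apache2ctl configtest}"
RELOAD_CMD="${RELOAD_CMD:-service apache2 reload}"
LOG_FILE="${LOG_FILE:-/var/log/letsencrypt/le-apache2-reload.log}"

# Append a UTC-timestamped line to the log.
log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG_FILE"
}

deploy_hook() {
    # Check the configuration first so a broken vhost is logged as the
    # cause instead of surfacing only as a failed reload.
    if ! $CONFIGTEST_CMD >/dev/null 2>&1; then
        log "ERROR: config test failed, not reloading (${RENEWED_DOMAINS:-?})"
        return 1
    fi
    # Graceful reload: Apache re-reads the certificate files from disk.
    if $RELOAD_CMD >/dev/null 2>&1; then
        log "reloaded for ${RENEWED_DOMAINS:-?} (${RENEWED_LINEAGE:-?})"
        return 0
    fi
    # A failed reload means the old certificate keeps being served.
    log "ERROR: reload failed for ${RENEWED_DOMAINS:-?}"
    return 1
}

# Act only when Certbot invoked the script after a renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```

An ERROR line in the log is worth alerting on, since until the reload succeeds Apache continues to serve the previous certificate.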