Hi Michael,

Great post! I can suggest one small improvement if you're interested :-)

    # every Monday at 2:35am
    35 2 * * 1 service apache2 restart >> /var/log/letsencrypt/le-apache2-reload.log

Instead of unconditionally restarting apache2 weekly you could do two things:

1. Using service apache2 reload instead of restart will reduce your downtime but still let Apache pick up certificates that have changed on disk.
2. You can avoid the apache2 restart cron entry altogether and use Certbot's --deploy-hook feature of the renew command.

Adding --deploy-hook "service apache2 reload" to your Certbot renew crontab will ensure Apache2 is gracefully reloaded only when a certificate is actually renewed.

Hope that helps!

Thanks for the suggestion, I didn't know about that flag. That definitely seems like the way to go.
I updated the post with your code example.
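
Added example, not part of the thread or the original post: a deploy hook script that goes one step further than the one-line `--deploy-hook "service apache2 reload"` by checking the renewed files and Apache's configuration before reloading. The script file name, the return codes and the three overridable variables are assumptions made for this sketch; `RENEWED_LINEAGE` and `RENEWED_DOMAINS` are the variables Certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example (not from the original post): Certbot deploy hook that reloads
# Apache only after checking the renewed files and the Apache configuration.
# Assumed location: /etc/letsencrypt/renewal-hooks/deploy/reload-apache.sh
# (the file name is hypothetical). Certbot exports RENEWED_LINEAGE and
# RENEWED_DOMAINS to deploy hooks after a successful renewal.

# Commands and log path are variables so they can be swapped for testing.
CONFIGTEST_CMD="${CONFIGTEST_CMD:-apache2ctl configtest}"
RELOAD_CMD="${RELOAD_CMD:-service apache2 reload}"
LOG_FILE="${LOG_FILE:-/var/log/letsencrypt/le-apache2-reload.log}"

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$*" >> "$LOG_FILE"
}

# Returns 0 on reload, 1 if the renewed files are missing, 2 if Apache's
# configuration test fails (the running config is left untouched), 3 if the
# reload command itself fails.
deploy_hook() {
    lineage="$1"
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$lineage/$f" ]; then
            log "skip reload: $lineage/$f missing or empty"
            return 1
        fi
    done
    if ! $CONFIGTEST_CMD >/dev/null 2>&1; then
        log "skip reload: configuration test failed"
        return 2
    fi
    $RELOAD_CMD >/dev/null 2>&1 || { log "reload command failed"; return 3; }
    log "reloaded apache2 for: ${RENEWED_DOMAINS:-unknown}"
    return 0
}

# Only act when Certbot invoked us; running the script by hand is a no-op.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook "$RENEWED_LINEAGE"
fi
```

A non-zero return leaves the previously loaded certificate in service, so the log file is worth monitoring for "skip reload" lines.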