NGINX not properly reloaded after certificate generation
I have a problem where certbot renewed the certificate, but NGINX is still serving the old one:
$ openssl s_client metrics.apl.task.gda.pl:443 <<< "" 2>&1 | openssl x509 --dates --text | grep -iE "(Not after|Subject: CN)"
Not After : Jul 17 01:37:48 2023 GMT
Subject: CN = metrics.apl.task.gda.pl
$ openssl x509 -in /etc/nginx/certs/metrics.apl.task.gda.pl.crt --dates --text | grep -iE "(Not after|Subject: CN)"
Not After : Sep 26 23:37:39 2023 GMT
Subject: CN = metrics.apl.task.gda.pl
On stg I have exactly the same thing; moreover, certbot states that it renewed:
Jul 10 01:37:10 metrics02.stg.metrics.apl.task.gda.pl certbot_certificates.sh[2377722]: RSYNC_LOGS:
Jul 10 01:37:10 metrics02.stg.metrics.apl.task.gda.pl certbot_certificates.sh[2377722]: cd+++++++++ archive/stg.metrics.apl.task.gda.pl-0007/
Jul 10 01:37:10 metrics02.stg.metrics.apl.task.gda.pl certbot_certificates.sh[2377722]: >f+++++++++ archive/stg.metrics.apl.task.gda.pl-0007/cert1.pem
Jul 10 01:37:10 metrics02.stg.metrics.apl.task.gda.pl certbot_certificates.sh[2377722]: >f+++++++++ archive/stg.metrics.apl.task.gda.pl-0007/chain1.pem
Jul 10 01:37:10 metrics02.stg.metrics.apl.task.gda.pl certbot_certificates.sh[2377722]: >f+++++++++ archive/stg.metrics.apl.task.gda.pl-0007/fullchain1.pem
Jul 10 01:37:10 metrics02.stg.metrics.apl.task.gda.pl certbot_certificates.sh[2377722]: >f+++++++++ archive/stg.metrics.apl.task.gda.pl-0007/privkey1.pem
Jul 10 01:37:10 metrics02.stg.metrics.apl.task.gda.pl certbot_certificates.sh[2377722]: >f+++++++++ csr/0029_csr-certbot.pem
Jul 10 01:37:10 metrics02.stg.metrics.apl.task.gda.pl certbot_certificates.sh[2377722]: >f+++++++++ keys/0029_key-certbot.pem
Jul 10 01:37:10 metrics02.stg.metrics.apl.task.gda.pl certbot_certificates.sh[2377722]: cd+++++++++ live/stg.metrics.apl.task.gda.pl-0007/
Jul 10 01:37:10 metrics02.stg.metrics.apl.task.gda.pl certbot_certificates.sh[2377722]: >f+++++++++ live/stg.metrics.apl.task.gda.pl-0007/README
Jul 10 01:37:10 metrics02.stg.metrics.apl.task.gda.pl certbot_certificates.sh[2377722]: >f+++++++++ live/stg.metrics.apl.task.gda.pl-0007/cert.pem
Jul 10 01:37:10 metrics02.stg.metrics.apl.task.gda.pl certbot_certificates.sh[2377722]: >f+++++++++ live/stg.metrics.apl.task.gda.pl-0007/chain.pem
Jul 10 01:37:10 metrics02.stg.metrics.apl.task.gda.pl certbot_certificates.sh[2377722]: >f+++++++++ live/stg.metrics.apl.task.gda.pl-0007/fullchain.pem
Jul 10 01:37:10 metrics02.stg.metrics.apl.task.gda.pl certbot_certificates.sh[2377722]: >f+++++++++ live/stg.metrics.apl.task.gda.pl-0007/privkey.pem
Jul 10 01:37:10 metrics02.stg.metrics.apl.task.gda.pl certbot_certificates.sh[2377722]: >f+++++++++ renewal/stg.metrics.apl.task.gda.pl-0007.conf
Jul 10 01:37:10 metrics02.stg.metrics.apl.task.gda.pl certbot_certificates.sh[2377722]: Certificate will not expire
Jul 10 01:37:10 metrics02.stg.metrics.apl.task.gda.pl certbot_certificates.sh[2377722]: Certificate for stg.metrics.apl.task.gda.pl is UP TO DATE
Jul 10 01:37:10 metrics02.stg.metrics.apl.task.gda.pl certbot_certificates.sh[2377722]: Copying files and executing renew command
After starting the nginx_certbot.service service "manually"
and forcing a certificate refresh, everything works.
Edited by Tomasz Ziółkowski
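The comparison done by hand in this report (expiry of the certificate NGINX serves versus the one on disk) can be scripted as a monitoring check. This is an added example, not part of the original issue or of the project's scripts; the function names and return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: detect a certificate that was renewed on disk but is not
# yet served by NGINX. Function names and exit codes are hypothetical.

# Print the "Not After" value found in `openssl x509 -text` output on stdin.
not_after() {
    sed -n 's/^[[:space:]]*Not After[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# served_is_stale SERVED_TEXT DISK_TEXT
# Returns 0 when both texts carry an expiry date and the two dates differ.
served_is_stale() {
    _served=$(printf '%s\n' "$1" | not_after)
    _disk=$(printf '%s\n' "$2" | not_after)
    [ -n "$_served" ] && [ -n "$_disk" ] && [ "$_served" != "$_disk" ]
}

# check_served_cert HOST CERT_FILE
# Returns 0 = served cert matches the file, 1 = NGINX serves a stale cert,
# 2 = one of the two certificates could not be read.
check_served_cert() {
    _host=$1
    _file=$2
    # Certificate as presented on the wire (SNI set to the host name).
    _s=$(openssl s_client -connect "$_host:443" -servername "$_host" \
            </dev/null 2>/dev/null | openssl x509 -noout -text 2>/dev/null) || return 2
    # Certificate as stored on disk.
    _d=$(openssl x509 -in "$_file" -noout -text 2>/dev/null) || return 2
    [ -n "$_s" ] && [ -n "$_d" ] || return 2
    if served_is_stale "$_s" "$_d"; then
        echo "STALE: $_host serves '$(printf '%s\n' "$_s" | not_after)'," \
             "file has '$(printf '%s\n' "$_d" | not_after)'" >&2
        return 1
    fi
    return 0
}

# Possible use after a renewal (the reload command is an assumption; this
# issue's setup uses nginx_certbot.service instead):
#   check_served_cert metrics.apl.task.gda.pl \
#       /etc/nginx/certs/metrics.apl.task.gda.pl.crt || { nginx -t && nginx -s reload; }
```

Running the check from a timer shortly after each renewal turns a silently missed reload into an alert instead of an expired certificate.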