Renew with nginx reload through crontab

[LavrentyevAlexander]

Hi!
I'm running cronjob for renewing certificate:

6 0 * * * 0 export -- 'cat /opt/lego/credentials/XXX.env' && /opt/lego/lego --path /opt/lego --email XXX --dns cloudflare -d "XXX" renew --renew-hook="nginx -s reload"

The certificate is renewed but nginx won't reload. Manually reloading works.
What could be the reason?

[Saklad5]

I believe renew-hook only accepts the path of a file to execute.

I do precisely this, but I have nginx -s reload in a separate executable script.

I'd also recommend running Lego under the user the certificates are meant for, which would be the Nginx user in this case. This minimizes the attack surface of your certificates (since Nginx needs to read them anyway), and allows the application in question to be reloaded without running as a superuser or something similarly stupid.

---

You should also make sure the exact renewal time is randomized to avoid undue load on the certificate authority. Some versions of Cron support this directly: if yours doesn't, use sleep $RANDOM.

[Saklad5]

crontab

0       0       *       *       [pick a day of the week]       sleep $RANDOM && $HOME/auto-renew

auto-renew

#!/usr/bin/env ash

for domain in [expunged list of domains]; do
        RFC2136_NAMESERVER=[expunged] \
        RFC2136_TSIG_KEY=[expunged] \
        RFC2136_TSIG_ALGORITHM=[expunged] \
        RFC2136_TSIG_SECRET=[expunged] \
        lego --email [expunged] --dns rfc2136 --domains $domain renew --must-staple --no-random-sleep --renew-hook=./auto-reload &
done

wait

auto-reload

#!/usr/bin/env ash

nginx -s reload

[Saklad5]

Oh, and if you need the certificates in PKIX-EE (1) or DANE-EE (3) TLSA records (if clients connect to the server directly through A/AAAA records rather than MX/SRV/SVCB/HTTPS/etc., you probably do), then remember to use --reuse-key.