61

So I'm setting up an nginx server with SSL enabled with a server definition something like:

server {
    listen :80;
    listen [::]:80;
    server_name example.org;
    root /foo/bar;

    ssl on;
    ssl_certificate /path/to/public/certificate;
    ssl_certificate_key /path/to/private/key;

    ...
}

You get the idea (please forgive any typos).

Anyway, what I'm wondering is; if I renew my certificate(s), is there a way to install them without having to restart nginx?

For example, if I were to use symbolic links from /path/to/public/certificate and /path/to/private/key, pointing to my current certificate(s), would I still need to restart nginx if I were to simply change these to point to new (renewed) certificates? Are there alternatives?

Haravikk
  • 1,021
  • 2
  • 13
  • 19

2 Answers2

52

You will need to RELOAD Nginx in order for the renewed certificates to display the correct expiration date (read the clarification below and the other comments for an explanation of the difference between RELOADING and RESTARTING Nginx).

After reloading Nginx, a simple cache-clearing and browse should allow you to view this the updated expiration dates on the SSL cert.

Or if you prefer cli, you could always use the old trusty OpenSSL command:

echo | openssl s_client -connect your.domain.com:443 | openssl x509 -noout -dates

That would give you the current dates on the certificate.

In your case the port would be 80 instead of 443 (it was later stated by OP that the ports 80 in the question should have actually been 443, but Nginx will listen on HTTP or HTTPS on whatever ports you give it, as long as they are not currently in use by another process).

Many times nginx -s reload does not work as expected. On many systems (Debian, etc.), you would need to use /etc/init.d/nginx reload.

Edit to update and clarify this answer:

On modern systems with systemd, you can also run systemctl reload nginx or service nginx reload.

All of these reload methods are different from restart by the fact that they send a SIGHUP signal that tells Nginx to reload its configuration without killing off existing connections (which would happen with a full restart and would almost certainly be user-impacting).

If for some reason, Nginx does not reload your certificate, you can restart it, but note that it will have much more of an impact than reload.

To restart Nginx, you would simply run systemctl restart nginx, or on systems without systemd, you would do nginx -s stop && nginx -s start.

If all else fails (for whatever reason), just kill the Nginx PID(s), and you can always start it up manually by specifying the configuration file directly using nginx -c /path/to/nginx.conf.

rubynorails
  • 2,223
  • 12
  • 24
  • Whoops, those listens should have been for port 443, my bad! Anyway, thanks for the great answer! – Haravikk Dec 05 '15 at 11:22
  • 14
    `nginx reload` and restarting Nginx are two different things: `reload` does not restart Nginx but only send it SIGHUP signal. Is SIGHUP signal enough? – porton Aug 16 '16 at 16:25
  • 17
    Yes. Sending a SIGHUP will cause nginx to switch to the updated certificate. – rspeed Sep 22 '16 at 18:09
  • What's the function of `echo |` in your command? If I leave it out, I don't get a prompt back. I would like to grep the output for `notAfter` and then compare that to the current date, to spam myself a couple of days before the cert expires. – Amedee Van Gasse Jan 23 '17 at 14:40
  • @AmedeeVanGasse the `echo` pipe just makes the OpenSSL shell exit cleanly back to Bash and return the output as normal. This is necessary in order for the clean exit for use in scripts and for automation purposes like it sounds like you are planning. I have implemented numerous scripts like the one you are planning using that same basic functionality. – rubynorails Feb 01 '17 at 18:17
  • So openssl isn't just a command, it's actually a shell? And an empty line exits the shell? OK then I understand. – Amedee Van Gasse Feb 01 '17 at 18:24
  • 1
    @AmedeeVanGasse yes, type `openssl` and hit Enter. You are now in the OpenSSL shell. At the `openssl>` prompt, you can type any OpenSSL command without having to type `openssl` before the command. However, when inside the Bash shell, you have to type `openssl` before the command in order to invoke OpenSSL. – rubynorails Feb 01 '17 at 18:27
  • Hashtag #TodayILearned – Amedee Van Gasse Feb 01 '17 at 18:30
  • For me, `service nginx reload` produces an entry in the syslog: "Reloading A high performance web server and a reverse proxy server.". `nginx -s reload` doesn't. – Rolf Jan 15 '18 at 16:21
  • Just about this typical `echo | openssl...` - you can achieve the same effect with `openssl ... < /dev/null` – Capt. Crunch Feb 04 '21 at 01:17
  • @AmosShapira I like using `echo` better, because it's quicker, less characters to type, and with multiple pipes, I would have trouble remembering where to put the input redirection, especially if I wanted to suppress error output, which could end up looking pretty confusing at the end like `.../dev/null`. I feel like `echo` is much simpler and universally-accepted in this particular situation. – rubynorails Feb 04 '21 at 15:36
32

On receiving SIGHUP nginx will reload updated configuration, verify it while opening log files and reading SSL certificates, then gracefully shut down worker processes relying on previous configuration.

If it happens that nginx can't read some SSL certificates, I'll continue to run using older configuration. Otherwise put, it'll continue to function and process requests no matter what you did to your config files. Even if they're broken, your websites will still open.

So yes, you don't have to restart nginx and risk putting your server offline for more than just some seconds if you want nginx to see updated certs. It should be enough to:

sudo service nginx reload

In most current distributions with systemd used by default you can also reload nginx with the following command:

sudo systemctl reload nginx
sanmai
  • 1,406
  • 18
  • 23
  • 3
    On **Ubuntu 16**, **CentOS 7**, and other systems supporting `systemd` you can also execute `sudo systemctl reload nginx` (which `sudo service nginx reload` mentioned above is aliased to). – Ville Jan 01 '17 at 19:44
  • @Ville you're right, but that's one more command to remember; and ain't there systemd everywhere – sanmai Jan 02 '17 at 08:45
  • 1
    I love to do `service nginx restart`. I never get tired of seeing how fast it completes. However, if it's in a cron job, and I won't be seeing any of it, I'd rather do some sort of reload to avoid breaking any sort of persistent session or pending operation that might be ongoing. – Rolf Jan 15 '18 at 16:18
  • @sanmai as stated previously, reload and restart are 2 separate commands that do 2 separate things. @Rolf is correct in that `reload` it is not as invasive as `restart` which would kill all existing connections and could potentially be user-impacting. – rubynorails Feb 04 '21 at 15:29