
NGINX: Reload NGINX on certificate renewal #2913

Merged
merged 4 commits into from
Apr 20, 2023

Conversation

lmagyar
Contributor

@lmagyar lmagyar commented Mar 14, 2023

fixes #2870 #2725 #2600

This modification checks daily (crond default daily 02:00:00) whether the configured certificate file has been changed and reloads (not restarts) nginx to pick up the new certificate.

  • If there is no backup connection to the device (e.g. ssh, cloud, vpn), we can lose access to it. In case of a remote, not regularly updated device, this can be a real problem.
  • DuckDNS add-on checks the certificate every 12h.
  • Letsencrypt renews the certificate if it expires within the next 30 days and does not revoke the previous certificate.
  • So checking certificate renewal daily should be fine.

It also uses the new s6-overlay layout.

s6-rc: info: service nginx: starting
s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service nginx successfully started
s6-rc: info: service crond: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service crond successfully started
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
s6-rc: info: service legacy-services successfully started
[21:09:33] INFO: Running nginx...
[02:00:00] INFO: Reloading nginx to reload new certificate file
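The check-and-reload step described above, as an added example in POSIX sh; this is not the PR's own code, and the certificate path, state file and the `nginx -s reload` invocation are assumptions stood in for whatever the add-on actually wires into crond. It compares a SHA-256 digest of the certificate rather than its mtime, so it also catches renewers that replace the file by renaming a new one into place, and it records a baseline on the first run so nginx is not reloaded immediately after it has just started with the current certificate.

```shell
#!/bin/sh
# Added example (not the PR's code): reload nginx only when the configured
# certificate file has actually changed since the last daily check.
# Assumptions (hypothetical, not taken from the PR): the default paths below
# and the reload command; override them via the environment if needed.

CERT_FILE="${CERT_FILE:-/ssl/fullchain.pem}"    # hypothetical cert location
STATE_FILE="${STATE_FILE:-/tmp/cert.sha256}"    # hypothetical last-seen digest
RELOAD_CMD="${RELOAD_CMD:-nginx -s reload}"      # reload, not restart

# Print the SHA-256 digest of a file; fail (status 1) if it is unreadable.
cert_digest() {
    [ -r "$1" ] || return 1
    sha256sum "$1" | cut -d' ' -f1
}

# cert_changed CERT STATE
#   0: digest differs from the recorded one (STATE is updated)
#   1: unchanged, or first run (baseline recorded, no reload wanted)
#   2: CERT cannot be read; caller should not reload on a missing cert
cert_changed() {
    cert="$1"
    state="$2"
    new=$(cert_digest "$cert") || return 2
    if [ ! -r "$state" ]; then
        # First run after start: nginx already holds this cert, just remember it.
        printf '%s\n' "$new" > "$state"
        return 1
    fi
    old=$(cat "$state")
    [ "$new" = "$old" ] && return 1
    printf '%s\n' "$new" > "$state"
    return 0
}

# Daily entry point: only reach the reload command when the cert changed.
check_and_reload() {
    if cert_changed "$CERT_FILE" "$STATE_FILE"; then
        echo "INFO: Reloading nginx to reload new certificate file"
        $RELOAD_CMD
    fi
}

# Invoked from the cron job as: sh cert-reload.sh run
case "${1:-}" in
    run) check_and_reload ;;
esac
```

Two points worth keeping in mind when wiring this into a cron job: a reload that fails to load the new certificate leaves the old workers serving the old one, so running `nginx -t` before `nginx -s reload` gives an early, logged failure instead of a silent one; and the state file should live somewhere that is reset when the container starts, so that the first check after a start records a baseline rather than triggering a reload.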

@lmagyar lmagyar changed the title Reload nginx on certificate renewal NGINX: Reload NGINX on certificate renewal Apr 13, 2023
@lmagyar
Contributor Author

lmagyar commented Apr 13, 2023

FYI: Real-life test result.

One of my certificates got renewed on Apr. 12 by DuckDNS:

 131126 -rw-------    1 root          5406 Apr 12 19:24 fullchain.pem
 131127 -rw-------    1 root           359 Apr 12 19:24 privkey.pem

The original add-on didn't reload it:

[06:34:29] INFO: Running nginx...

And serves the old certificate (this is the cert info from FF):

Not Before: Sat, 11 Feb 2023 15:12:53 GMT
Not After:  Fri, 12 May 2023 15:12:52 GMT

Meanwhile the add-on modified by this PR reloaded the new cert:

[06:34:34] INFO: Running nginx...
[02:00:00] INFO: Reloading nginx to reload new certificate file

And we get it in the browser (this is the cert info from FF):

Not Before: Wed, 12 Apr 2023 16:24:44 GMT
Not After:  Tue, 11 Jul 2023 16:24:43 GMT

After 12 May 2023 15:12:52 GMT I can test whether I lose the connection to the official add-on or the modified one.

@agners agners merged commit add998a into home-assistant:master Apr 20, 2023
@lmagyar lmagyar deleted the pr-reload-nginx-on-cert-renewal branch May 3, 2023 08:39
Successfully merging this pull request may close these issues.

NGINX continues serving an expired certificate