So I'm setting up an nginx server with SSL enabled with a server definition something like:
server {
    listen :80;
    listen [::]:80;
    server_name example.org;
    root /foo/bar;
    ssl on;
    ssl_certificate /path/to/public/certificate;
    ssl_certificate_key /path/to/private/key;
    ...
}
You get the idea (please forgive any typos).
Anyway, what I'm wondering is: if I renew my certificate(s), is there a way to install them without having to restart nginx?
For example, if I were to use symbolic links from /path/to/public/certificate and /path/to/private/key, pointing to my current certificate(s), would I still need to restart nginx if I were to simply change these to point to new (renewed) certificates? Are there alternatives?
Best Answer
You will need to RELOAD Nginx in order for the renewed certificates to display the correct expiration date (read the clarification below and the other comments for an explanation of the difference between RELOADING and RESTARTING Nginx).
After reloading Nginx, a simple cache-clearing and browse should allow you to view the updated expiration dates on the SSL cert.
Or if you prefer cli, you could always use the old trusty OpenSSL command:
That would give you the current dates on the certificate.
In your case the port would be 80 instead of 443 (it was later stated by OP that the ports 80 in the question should have actually been 443, but Nginx will listen on HTTP or HTTPS on whatever ports you give it, as long as they are not currently in use by another process).
Many times nginx -s reload does not work as expected. On many systems (Debian, etc.), you would need to use /etc/init.d/nginx reload.
Edit to update and clarify this answer:
On modern systems with systemd, you can also run systemctl reload nginx or service nginx reload.
All of these reload methods are different from restart by the fact that they send a SIGHUP signal that tells Nginx to reload its configuration without killing off existing connections (which would happen with a full restart and would almost certainly be user-impacting).
If for some reason, Nginx does not reload your certificate, you can restart it, but note that it will have much more of an impact than reload.
To restart Nginx, you would simply run systemctl restart nginx, or on systems without systemd, you would do nginx -s stop && nginx.
If all else fails (for whatever reason), just kill the Nginx PID(s), and you can always start it up manually by specifying the configuration file directly using nginx -c /path/to/nginx.conf.
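A check for the situation discussed in the answer above, as an added example that is not part of the original question or answer: it compares the certificate nginx is actually serving with the renewed file on disk and reloads only when they differ. The function names, return codes and the three command-line arguments are assumptions of this example; it also runs nginx -t before reloading, which the answer does not mention.

```shell
#!/bin/sh
# Added example, not from the original post. Certificate path, host and port
# are supplied by the caller; function names and return codes are illustrative.

# SHA-256 fingerprint of the certificate file on disk ($1 = PEM path).
disk_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the certificate the running server presents
# ($1 = host, $2 = port). -servername sends SNI so the right vhost answers.
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Reload nginx only when the served certificate differs from the one on disk.
# Returns 0 = served cert matches disk, 1 = still stale after the reload,
#         2 = a fingerprint could not be read, 3 = config test or reload failed.
reload_if_stale() {    # $1 = cert path, $2 = host, $3 = port
    disk=$(disk_fingerprint "$1")
    live=$(served_fingerprint "$2" "$3")
    [ -n "$disk" ] && [ -n "$live" ] || return 2
    [ "$disk" = "$live" ] && return 0

    # Do not signal a reload with a configuration that fails its own test.
    nginx -t || return 3
    systemctl reload nginx || return 3   # needs root; existing connections survive
    sleep 1                              # new workers start asynchronously

    live=$(served_fingerprint "$2" "$3")
    [ "$disk" = "$live" ] || return 1    # reload did not pick up the new cert
    return 0
}

# Usage: ./cert-reload.sh /path/to/public/certificate example.org 443
if [ "$#" -eq 3 ]; then
    reload_if_stale "$@"
fi
```

A return code of 1 is the case the answer describes, where the reload did not pick up the certificate and a restart is the fallback.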