Do I Need to Restart Nginx if I Renew My Security Certificate(s)?
You will need to RELOAD Nginx in order for the renewed certificates to display the correct expiration date (read the clarification below and the other comments for an explanation of the difference between RELOADING and RESTARTING Nginx).
After reloading Nginx, a simple cache-clearing and browse should allow you to view the updated expiration dates on the SSL cert.
Or if you prefer cli, you could always use the old trusty OpenSSL command:
echo | openssl s_client -connect your.domain.com:443 | openssl x509 -noout -dates
That would give you the current dates on the certificate.
In your case the port would be 80 instead of 443 (it was later stated by OP that the ports 80 in the question should have actually been 443, but Nginx will listen on HTTP or HTTPS on whatever ports you give it, as long as they are not currently in use by another process).
Many times nginx -s reload does not work as expected. On many systems (Debian, etc.), you would need to use /etc/init.d/nginx reload.
Edit to update and clarify this answer:
On modern systems with systemd, you can also run systemctl reload nginx or service nginx reload.
All of these reload methods are different from restart by the fact that they send a SIGHUP signal that tells Nginx to reload its configuration without killing off existing connections (which would happen with a full restart and would almost certainly be user-impacting).
If for some reason, Nginx does not reload your certificate, you can restart it, but note that it will have much more of an impact than reload.
To restart Nginx, you would simply run systemctl restart nginx, or on systems without systemd, you would do nginx -s stop && nginx.
If all else fails (for whatever reason), just kill the Nginx PID(s), and you can always start it up manually by specifying the configuration file directly using nginx -c /path/to/nginx.conf.
On receiving SIGHUP, nginx will reload updated configuration, verify it while opening log files and reading SSL certificates, then gracefully shut down worker processes relying on previous configuration.
If it happens that nginx can't read some SSL certificates, it'll continue to run using older configuration. Otherwise put, it'll continue to function and process requests no matter what you did to your config files. Even if they're broken, your websites will still open.
So yes, you don't have to restart nginx and risk putting your server offline for more than just some seconds if you want nginx to see updated certs. It should be enough to:
sudo service nginx reload
In most current distributions with systemd used by default you can also reload nginx with the following command:
sudo systemctl reload nginx
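Because a failed reload leaves nginx running on its previous configuration, a renewal job can confirm the reload took effect by comparing the certificate on disk with the one actually being served. The following is an added example, not part of either answer above; the function names and the command-line arguments (certificate path, hostname) are assumptions chosen for illustration.

```python
import hashlib
import re
import socket
import ssl

# A fullchain file holds several PEM blocks; the leaf certificate comes first.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL
)

def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate found in a PEM file."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate found")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return hashlib.sha256(der).hexdigest()

def fetch_served_der(host, port=443, timeout=5.0):
    """Return the DER certificate the server presents for host (SNI is sent)."""
    ctx = ssl.create_default_context()
    # Chain validation is skipped on purpose: the result is only compared
    # against a certificate file that is already trusted on local disk.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def reload_took_effect(disk_pem_text, served_der):
    """True when the served leaf certificate is the one on disk."""
    return leaf_fingerprint(disk_pem_text) == hashlib.sha256(served_der).hexdigest()

if __name__ == "__main__":
    import sys
    cert_path, host = sys.argv[1], sys.argv[2]  # hypothetical CLI arguments
    with open(cert_path) as fh:
        ok = reload_took_effect(fh.read(), fetch_served_der(host))
    print("served certificate matches disk" if ok
          else "nginx is still serving the old certificate")
    sys.exit(0 if ok else 1)
```

A non-zero exit status after a reload is the cue to check the nginx error log before deciding on a full restart.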