Recently I relinquished an old domain on my server and had to re-issue a certificate to drop that domain off. Previously it ran Let’s Encrypt’s official client Certbot, set up back in 2019. All my recent setups have been using, so I figured that this was a perfect chance to switch this one over as well.

Getting to issue a new certificate for my updated domain list is easy enough and out of scope for this article. But when it comes to reloading the certificate for services using it, I have to think twice. Back in the days when Nginx was the sole consumer of the certificate, I directly referenced the certificate files in /etc/letsencrypt/live/ from Nginx config, and somehow slappped a systemctl reload nginx into crontab to handle the reload. Now that there are multiple services using the certificate, I no longer consider it a good idea to reload all the services in a crontab. There has to be a better way.

Since all my services are managed by systemd, using an extra “service” or whatever unit to group them together seems like a better idea. Systemd’s ReloadPropagatedFrom= option and its inverse PropagatesReloadTo= immediately come to mind. With the right direction, it’s easy to Google out this answer: How do I reload a group of systemd services?

Realizing that “target” is the simplest unit type in systemd’s abstraction, this is the minimum that suits my needs.

# /etc/systemd/system/
Description=SSL certificates reload helper

Then, following the above Unix & Linux answer, here’s a “path” unit that lets systemd monitor the certificate files for changes.

# /etc/systemd/system/ssl-certificate.path
Description=SSL certificate reload helper



The Wants= setting here ensure that the corresponding target unit is activated, otherwise it cannot be reloaded.

There’s one deficiency in the answer above: A “path” unit can only activate another unit, not reload it. So I still have to create a oneshot service that calls systemctl reload on the target, which itself can then be activated by the “path” unit.

# /etc/systemd/system/ssl-certificate.service
Description=SSL certificate reload helper

ExecStart=/bin/systemctl reload

It’s important that this service comes with Type=oneshot and without RemainAfterExit=yes, so that it can be repeatedly activated by the “path” unit.

Now I can test if things work:

systemctl daemon-reload
systemctl enable --now ssl-certificate.path --install-cert -d "$HOSTNAME" \
  --cert-file "/etc/ssl/private/$HOSTNAME/cert.pem" \
  --key-file "/etc/ssl/private/$HOSTNAME/privkey.pem" \
  --fullchain-file "/etc/ssl/private/$HOSTNAME/fullchain.pem"

And then inspect the services:

$ systemctl status nginx.service
Mar 31 19:20:11 hostname systemd[1]: Reloading A high performance web server and a reverse proxy server...
Mar 31 19:20:12 hostname systemd[1]: Reloaded A high performance web server and a reverse proxy server.

$ systemctl status postfix.service
Mar 31 19:20:11 hostname systemd[1]: Reloading Postfix Mail Transport Agent...
Mar 31 19:20:12 hostname systemd[1]: Reloaded Postfix Mail Transport Agent.

So now, job done. As stores install information, the next time these certificates are renewed, will automatically copy them over to /etc/ssl/private/$HOSTNAME/, and systemd will pick up the changes and reload the services.



Leave a comment