[BlueOnyx:27273] Re: SSL renewal, httpd and php restarts

Michael Stauber mstauber at blueonyx.it
Thu Oct 3 01:15:38 -05 2024


Hi Ken,

> Does the automated Let's encrypt SSL renewal also force a restart of all 
> PHP fpm services?

Yes, when we restart Apache (and Nginx if enabled) we also restart all 
PHP-FPM services that are enabled.

> So, do all these services need to be restarted, or would a simple reload 
> of httpd be sufficient?

No, sadly a reload of HTTPd isn't enough to *reliably* get config 
changes through. Also: PHP-FPM doesn't seem to like it when an ongoing 
stream is interrupted due to Apache restarts.

In the past we had simple Apache restarts on Apache configuration 
changes and SSL certificate changes. But that rocked the boat as far as 
PHP-FPM was concerned, so I added the obligatory restart of the PHP-FPM 
daemons to be sure that we end up with a fully working state afterwards.

> Or is there a way to set the SSL renewals to a specific time /day?

The certificates are renewed when /etc/cron.daily/letsencrypt.cron runs 
and when there is at least one certificate that requires renewal.

When the daily crons run is defined here: /etc/cron.d/dailyjobs

29 2 * * * root [ ! -f /etc/cron.hourly/0anacron ] && run-parts /etc/cron.daily

So that runs at 02:29 a.m. and you can either change it, or set the 
server to a timezone that works better with the office hours of that client.

-- 
With best regards

Michael Stauber

