I use Ansible to maintain a Miniflux instance which is running inside a private Wireguard
network. The website has TLS (even though it is running inside Wireguard; I know this is pointless)
and certificates are issued automatically using CertBot through LetsEncrypt. These certificates are
also supposed to be renewed automatically. Since the beginning of this setup (roughly 2 years ago)
this has not been working properly: once a certificate is renewed, the Nginx process needs
to be reloaded (systemctl reload nginx) before it serves the new TLS certificate to the
user. CertBot supports running arbitrary commands after a certificate renewal through pre, post
and deploy hooks. I had set up a deploy hook, but it was not working because the script was not
executable. (I had reflexively created the script with the permission bits set to 0600!)
The fix was simple: update the Ansible role to set the mode on the containing directory
/etc/letsencrypt/renewal-hooks/deploy to 0755 and the permission bits on the script
/etc/letsencrypt/renewal-hooks/deploy/01-restart-nginx to 0744. The script used /bin/bash,
which was failing (or at least throwing a warning) because the locale was not set appropriately in
the environment where the script runs. So I updated it to use /bin/sh instead:
#!/bin/sh
systemctl reload nginx
Whether this hook will run during a certificate renewal can be tested by running
sudo certbot renew --dry-run and watching the /var/log/letsencrypt/letsencrypt.log file. The log
file contains this line, which indicates that the deploy hook would have run if the --dry-run flag
had not been supplied:
2026-02-21 11:52:46,997:INFO:certbot._internal.hooks:Dry run: skipping deploy hook command: /etc/letsencrypt/renewal-hooks/deploy/01-restart-nginx
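As an added example (not code from the original post), here is a small POSIX shell audit of the hooks directory that would have caught the 0600 mistake before the next renewal. It assumes certbot's default deploy directory and the "Dry run: skipping deploy hook command" log line quoted above; the function names are my own.

```shell
#!/bin/sh
# Audit a certbot renewal-hooks directory. Certbot only runs hook files it can
# execute, so a script saved with mode 0600 is skipped and the web server keeps
# serving the old certificate. The directory is a parameter so the check can be
# pointed at a scratch copy; on a host it is /etc/letsencrypt/renewal-hooks/deploy.
check_deploy_hooks() {
    dir="$1"
    rc=0
    # The directory needs the search (x) bit, or the hook files cannot be reached.
    if [ ! -d "$dir" ] || [ ! -x "$dir" ]; then
        echo "FAIL: $dir is missing or not searchable"
        return 1
    fi
    for hook in "$dir"/*; do
        [ -e "$hook" ] || continue            # empty directory: nothing to check
        if [ ! -x "$hook" ]; then
            echo "FAIL: $hook is not executable, certbot will not run it"
            rc=1
        fi
        first=$(head -n 1 "$hook")
        case "$first" in
            "#!/bin/sh"*)
                # Parse-only check; catches a typo before the next real renewal.
                if ! sh -n "$hook" 2>/dev/null; then
                    echo "FAIL: $hook does not parse as /bin/sh"
                    rc=1
                fi ;;
            "#!"*)
                # Runs, but not under the interpreter this post settled on.
                echo "WARN: $hook uses ${first#"#!"} rather than /bin/sh" ;;
            *)
                echo "FAIL: $hook has no #! line"
                rc=1 ;;
        esac
    done
    return "$rc"
}

# Confirm from a certbot log that a dry run reached a given deploy hook: certbot
# logs "Dry run: skipping deploy hook command: <path>" instead of running it.
dry_run_reached_hook() {
    grep -qF -- "Dry run: skipping deploy hook command: $2" "$1"
}

# Run directly with a directory argument: ./check-hooks.sh /etc/letsencrypt/renewal-hooks/deploy
if [ -n "${1:-}" ]; then
    check_deploy_hooks "$1"
fi
```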