ubyssey · Copilot · Nov 25, 2025 · Nov 25, 2025 · Nov 25, 2025
diff --git a/scripts/certbot-renewal-with-nginx-reload.sh b/scripts/certbot-renewal-with-nginx-reload.sh
@@ -1,8 +1,8 @@
 #!/bin/sh
 
 # Certbot service with automatic nginx reload
-# This script runs continuously, checking for certificate renewals every 12 hours
-# and reloading nginx after each check (graceful reload has zero downtime).
+# This script runs continuously, checking for certificate renewals every 12 hours.
+# Uses --deploy-hook to reload nginx only when certificates are actually renewed.
 
 set -e
 
@@ -20,26 +20,24 @@ trap exit TERM
 while :; do
   echo "Running certbot renew at $(date)..."
 
-  # Attempt certificate renewal with error handling
-  if certbot renew; then
-    echo "certbot renewal succeeded at $(date)"
-
-    # Find the nginx container ID
-    NGINX_ID=$(docker ps -q -f "name=nginx" | head -1)
-
-    if [ -n "$NGINX_ID" ]; then
-      # Reload nginx configuration
-      if docker exec "$NGINX_ID" nginx -s reload; then
-        echo "nginx reloaded successfully at $(date)"
+  # Attempt certificate renewal with --deploy-hook
+  # The hook only runs when a certificate is actually renewed
+  if certbot renew --deploy-hook "
+    echo 'Certificate renewed, reloading nginx...'
+    NGINX_ID=\$(docker ps -q -f 'name=nginx' | head -1)
+    if [ -n \"\$NGINX_ID\" ]; then
+      if docker exec \"\$NGINX_ID\" nginx -s reload; then
+        echo 'nginx reloaded successfully'
       else
-        echo "ERROR: Failed to reload nginx" >&2
+        echo 'ERROR: Failed to reload nginx' >&2
       fi
     else
-      echo "WARNING: Could not find nginx container" >&2
+      echo 'WARNING: Could not find nginx container' >&2
     fi
+  "; then
+    echo "certbot renewal check completed at $(date)"
   else
     echo "ERROR: certbot renewal FAILED at $(date)" >&2
-    # Optionally, trigger an alert here (e.g., send email, webhook, etc.)
   fi
 
   echo "Next check in 12 hours..."