Hi there,
Apologies that it has been quite some time since my last blog post, but things have been quite busy in the real world.

I have finally had some time to look into the issue where the SSL cert renewal service does not restart zend correctly after the cert is renewed. This results in an expired certificate exception, and people have had to manually restart the zend daemon.

This blog post will help you convert your existing cert renewal service into one that should not require you to manually restart the zend daemon.


Step 1 - remove existing service file

sudo rm -rf /lib/systemd/system/zenupdate.service && sudo rm -rf /usr/local/share/ca-certificates/*

Step 2 - add new service file
Copy and paste this whole block into your terminal and press Enter. The shell expands $FQDN while writing the file, so the FQDN variable must be set to your node's hostname before you paste it.

echo \
"[Unit]
Description=zenupdate.service

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew --preferred-chain \"ISRG Root X1\" --deploy-hook \"sudo rm -rf /usr/local/share/ca-certificates/* && csplit -s -z -f /usr/local/share/ca-certificates/intermediate-cert- /etc/letsencrypt/live/$FQDN/chain.pem '/-----BEGIN CERTIFICATE-----/' '{*}' --suffix-format='%%02d.crt' && update-ca-certificates --fresh && systemctl restart zend\"
PrivateTmp=true" | sudo tee /lib/systemd/system/zenupdate.service

Step 3 - reload the daemon

sudo systemctl daemon-reload

Step 4 - split the SSL cert chain

sudo csplit -s -z -f /usr/local/share/ca-certificates/intermediate-cert- /etc/letsencrypt/live/$FQDN/chain.pem '/-----BEGIN CERTIFICATE-----/' '{*}' --suffix-format='%02d.crt'

Next, you can verify that you have correctly split the intermediate certs out by running this command:

ls /usr/local/share/ca-certificates/

You should see something like this (one file per certificate in chain.pem):

intermediate-cert-00.crt

Step 5 - update the trusted store

sudo update-ca-certificates --fresh

After that, you should be all set, and the cert renewal service should restart zend correctly after each renewal.
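The part of the deploy hook that is easiest to get wrong is the csplit call, because the same command is written two ways on this page: with %02d at the shell prompt (Step 4) and with %%02d inside the unit file (Step 2), since systemd treats a single % in a unit file as a specifier and %% as a literal percent sign. The script below is an added example, not part of the original post or the official guide: it runs the split on a constructed two-certificate chain.pem made of placeholder PEM blocks (not real Let's Encrypt certificates) in a temporary directory, and then checks that every output file holds exactly one certificate. It assumes GNU coreutils csplit (for -z, '{*}' and --suffix-format) and mktemp are available.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the chain-splitting
# step of the deploy hook on a constructed chain.pem and check the result.
# Assumes GNU coreutils csplit and mktemp. The certificate bodies below are
# placeholders, not real certificates.

# Write a constructed two-certificate chain in PEM layout to the file named in $1.
make_sample_chain() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBplaceholderIntermediateCert0000000000000000000000000000000000
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBplaceholderCrossSignedRoot00000000000000000000000000000000000
-----END CERTIFICATE-----
EOF
}

# Split $1 (a chain.pem) into $2/intermediate-cert-NN.crt, one file per
# certificate, the same way the deploy hook does. At a shell prompt the
# suffix format is %02d; inside a systemd unit it must be written %%02d.
split_chain() {
    rm -f "$2"/intermediate-cert-*.crt
    csplit -s -z -f "$2/intermediate-cert-" --suffix-format='%02d.crt' \
        "$1" '/-----BEGIN CERTIFICATE-----/' '{*}'
}

# Print how many split files exist in directory $1 (0 when there are none).
count_certs() {
    ls "$1"/intermediate-cert-*.crt 2>/dev/null | wc -l | tr -d ' '
}

# Succeed only if every split file holds exactly one PEM certificate block.
verify_split() {
    for f in "$1"/intermediate-cert-*.crt; do
        [ -f "$f" ] || return 1
        b=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f")
        e=$(grep -c -e '-----END CERTIFICATE-----' "$f")
        [ "$b" -eq 1 ] && [ "$e" -eq 1 ] || return 1
    done
    return 0
}

# Stand-alone demonstration in a temporary directory, cleaned up afterwards.
demo_split() {
    tmp=$(mktemp -d)
    make_sample_chain "$tmp/chain.pem"
    split_chain "$tmp/chain.pem" "$tmp"
    n=$(count_certs "$tmp")
    verify_split "$tmp" && status=ok || status=BAD
    echo "split produced $n files: $status"
    ls "$tmp"/intermediate-cert-*.crt
    rm -rf "$tmp"
}

demo_split
```

To check a real node, point split_chain at /etc/letsencrypt/live/$FQDN/chain.pem and a scratch directory rather than /usr/local/share/ca-certificates, so the trust store is not touched; the file count should match the number of BEGIN CERTIFICATE lines in chain.pem, and verify_split should succeed.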

I have made these changes to the official guide so people who set up their nodes in the future won't have the issue of the zend daemon not restarting correctly after the cert renewal.