Resolved New potential SSLit-issue: Nginx needs restart instead of reload to apply new certificate settings

[Bitpalast]

A "just in": We are experiencing issues with SSL certificates on CentOS 7.9, Plesk Obsidian latest MU.

After installation of a new SSL certificate, all configuration files are updated properly. We've checked the certificate content of the certificates named in the nginx.conf files of the domain, they carry the correct domain name.

Still, a "reload" of Nginx does not apply the new certificates. Instead, the host certificate is used unless Nginx is "restart"ed. Disabling Nginx caching has not resolved the issue. The only way to resolve it and to have Nginx load the new certificate was to restart the service.

Anyone else seeing the same?

 

[Martin Dias]

Last time I saw such was because reload was failing due to too many files open

 

[Bitpalast]

@Arashi: Many thanks!

At first I found that only half of the number of allowed files are actually open, but a deeper search has shown that the actual limit that Nginx was using was only 1,024 files soft and 4,096 files hard (# less /proc/<pid of master process>/limits). I have made some updates to the configuration entries. Afterwards it was important to hard-restart Nginx (a reload did not read the new process limits), then a test for a new SSL cert installation went through fine. So indeed it seems that a "too many open files" scenario was the cause.