DERP certificate renewal requires deploy hook to restart container
warning | configuration | Updated Mar 2, 2026 (via Exa)
Technologies:
How to detect:
When certbot renews certificates (every 60-90 days), the DERP container keeps serving the expired certificates until it is restarted, which causes SSL verification failures for clients.
Recommended action:
Create a deploy hook script at /root/update_derp_cert.sh that copies the renewed certs from /etc/letsencrypt/live/ to /root/derper-data, sets permissions (644/600), and runs docker restart derper. Add a crontab entry that runs certbot renew with --deploy-hook /root/update_derp_cert.sh daily at 3 AM.
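
One way to write the hook described above, as an added example that is not the page's or the project's own script. It uses certbot's RENEWED_LINEAGE variable to find the renewed files and restarts the container only when the installed pair actually changed. Assumptions: derper runs in manual certificate mode and reads <hostname>.crt and <hostname>.key from the mounted directory, 644 applies to the certificate and 600 to the key, and DERP_HOSTNAME, DEST_DIR and CONTAINER are hypothetical override names.

```bash
#!/usr/bin/env bash
# Added example of /root/update_derp_cert.sh. Cron line from the page's advice:
#   0 3 * * * certbot renew --deploy-hook /root/update_derp_cert.sh
set -eu

DEST_DIR="${DEST_DIR:-/root/derper-data}"   # directory named on the page
CONTAINER="${CONTAINER:-derper}"            # container named on the page

# install_certs <lineage_dir> <dest_dir> <hostname>
# Returns 0 = files updated, 1 = already current, 2 = bad input or copy error.
install_certs() {
    local src="$1" dst="$2" host="$3" tmp
    # Refuse to overwrite a working pair with missing or empty PEM files.
    [ -s "$src/fullchain.pem" ] && [ -s "$src/privkey.pem" ] || {
        echo "missing or empty PEM files in $src" >&2; return 2; }
    if cmp -s "$src/fullchain.pem" "$dst/$host.crt" 2>/dev/null &&
       cmp -s "$src/privkey.pem" "$dst/$host.key" 2>/dev/null; then
        return 1
    fi
    # Stage inside dst so each mv is a same-filesystem rename, and let
    # install(1) set the mode at creation so the key is never world-readable.
    tmp="$(mktemp -d "$dst/.certs.XXXXXX")" || return 2
    install -m 644 "$src/fullchain.pem" "$tmp/$host.crt" &&
    install -m 600 "$src/privkey.pem" "$tmp/$host.key" &&
    mv -f "$tmp/$host.crt" "$dst/$host.crt" &&
    mv -f "$tmp/$host.key" "$dst/$host.key" &&
    rmdir "$tmp" || return 2
}

main() {
    local host rc=0
    # Assumption: the lineage directory name equals the DERP hostname.
    host="${DERP_HOSTNAME:-$(basename "$RENEWED_LINEAGE")}"
    install_certs "$RENEWED_LINEAGE" "$DEST_DIR" "$host" || rc=$?
    case "$rc" in
        0) docker restart "$CONTAINER" ;;
        1) echo "certificate unchanged, container left running" ;;
        *) exit "$rc" ;;
    esac
}

# certbot exports RENEWED_LINEAGE only when it runs a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

A non-zero exit from the hook shows up in certbot's output, so a failed copy is visible in the cron mail or log rather than leaving the container on the old certificate unnoticed.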