Set Up An Automatic LetsEncrypt Renewal Cronjob
LetsEncrypt, SSL, Sysadmin
This short article outlines how to setup and test a LetsEncrypt auto-renewal cronjob, tested with certbot 0.24.0 on Ubuntu 14.04.
Depending on your version of Certbot/Letsencrypt, auto-renewal may be built in
Final Command
This cronjob runs at a random second between 02:00 and 03:00 every day:
This command specifies a pause of between 0-3599 seconds, followed by the certbot renewal. If renewal is successful, an Apache restart is triggered.
Better Command - the above command restarts Apache whether or not the certificate has renewed.
In this case, the Apache restart is not triggered - the restart is unecessary, since the new cert is symlinked in the Apache site config file.
Quiet Mode
Once you’ve verified that the cammand as working as expected, it’s a good idea to have it run in quiet mode. This suppresses all output apart from error messages, which will help clean up your email inbox.
Test
Check certificate expiry time to verify that renewal has worked:
Set up a test cronjob - this will be the same as the actual script except:
- It will trigger at a random second within the specified time
- It will force a certificate renewal
Check that the certifcate expiry time has updated by re-running sudo openssl x509 -noout -dates -in /etc/letsencrypt/live/example.com/cert.pem
.
Check that Apache has reloaded:
Check the LetsEncrypt renewal log:
You should also receive a status report email from cron.
Don’t forget to replace the test command with the actual command.
comments powered by Disqus