Dev Notes

Various Cheat Sheets and Resources by David Egan/Carawebs.

Set Up An Automatic LetsEncrypt Renewal Cronjob

LetsEncrypt, SSL, Sysadmin
David Egan

This short article outlines how to setup and test a LetsEncrypt auto-renewal cronjob, tested with certbot 0.24.0 on Ubuntu 14.04.

Depending on your version of Certbot/Letsencrypt, auto-renewal may be built in

Final Command

# Final: run at a random second between 02:00 and 03:00 every day
00 02 * * * /usr/bin/perl -e 'sleep int(rand(3600))' && /opt/certbot-auto renew && /etc/init.d/apache2 restart

This command specifies a pause of between 0-3599 seconds, followed by the certbot renewal. If renewal is successful, an Apache restart is triggered.

Better Command - the above command restarts Apache whether or not the certificate has renewed.

# Final: run at a random second between 02:00 and 03:00 every day
00 02 * * * /usr/bin/perl -e 'sleep int(rand(3600))' && /opt/certbot-auto renew

In this case, the Apache restart is not triggered - the restart is unecessary, since the new cert is symlinked in the Apache site config file.

@TODO: Check this!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Quiet Mode

Once you’ve verified that the cammand as working as expected, it’s a good idea to have it run in quiet mode. This suppresses all output apart from error messages, which will help clean up your email inbox.


Check certificate expiry time to verify that renewal has worked:

# Check expiry of cert: replace
sudo openssl x509 -noout -dates -in /etc/letsencrypt/live/
notBefore=May  8 07:34:22 2018 GMT
notAfter=Aug  6 07:34:22 2018 GMT

Set up a test cronjob - this will be the same as the actual script except:

  • It will trigger at a random second within the specified time
  • It will force a certificate renewal
# Open crontab for editing
sudo crontab -e

# Test: force certificate renewal at 10:26 on a random second
26 10 * * * /usr/bin/perl -e 'sleep int(rand(60))' && /opt/certbot-auto renew --force-renew && /etc/init.d/apache2 restart

Check that the certifcate expiry time has updated by re-running sudo openssl x509 -noout -dates -in /etc/letsencrypt/live/

Check that Apache has reloaded:

cat /var/log/apache2/error.log | grep SIGTERM

Check the LetsEncrypt renewal log:

cat /var/log/letsencrypt/letsencrypt.log

You should also receive a status report email from cron.

Don’t forget to replace the test command with the actual command.

comments powered by Disqus