Renew LetsEncrypt certificates and set up auto-renew with cron
First try renewing, passing the --dry-run option:
certbot renew --cert-name agency.yctct.com --dry-run --webroot -w /var/www/letsencrypt/
If that succeeds run:
certbot renew --cert-name agency.yctct.com --webroot -w /var/www/letsencrypt/
systemctl reload nginx
Certificates expire every three months. You want to set up auto-renew.
Set up auto-renew with cron
Create a file /sbin/reloadservers and add the following:
#!/bin/bash
# openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
certbot renew --cert-name agency.yctct.com --webroot -w /var/www/letsencrypt
systemctl reload nginx
# if you also have mail for example, with certs e.g. mail.example.com
# systemctl restart postfix
# systemctl restart dovecot
Check permissions:
ls -l /sbin/reloadservers
-rw-r--r-- 1 root root 294 Jan 11 18:06 /sbin/reloadservers
Mark it as executable:
chmod +x /sbin/reloadservers
Now:
ls -l /sbin/reloadservers
-rwxr-xr-x 1 root root 294 Jan 11 18:06 /sbin/reloadservers
Then add the script to cron. First run:
crontab -e
Then add this to the file:
0 0 * * 0 /sbin/reloadservers
Troubleshooting
Try https://www.ssllabs.com/ssltest/analyze.html
To check the expiry dates of certificates run:
certbot certificates
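The same expiry check can be done non-interactively with openssl, so it can run from cron after /sbin/reloadservers and flag a renewal that failed silently. This is an added example, not part of the original page: the function names and the self-signed sample certificate are constructed for illustration, and for a real check you would pass the certificate path (with certbot's default layout, assumed here, /etc/letsencrypt/live/agency.yctct.com/fullchain.pem).

```bash
#!/bin/bash
# Added example, not from the original page: report how close a certificate
# is to expiry, so a renewal that fails silently in cron is noticed in time.

# Print whole days until PEM's notAfter (zero or negative once expired). Needs GNU date.
cert_days_left() {
    local end
    end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null) || return 2
    end=$(date -d "${end#notAfter=}" +%s) || return 2
    echo $(( (end - $(date +%s)) / 86400 ))
}

# Return 0 if PEM expires within DAYS days, 1 if not, 2 if it cannot be parsed.
cert_expires_within() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    # -checkend N exits 0 when the certificate is still valid N seconds from now
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Constructed sample input: self-signed certificate valid for DAYS days in DIR.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=sample.invalid" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Usage: script [PEM [DAYS]]; with no PEM, check a constructed 10-day sample.
tmp=""
pem=${1:-}
if [ -z "$pem" ]; then
    tmp=$(mktemp -d); make_sample_cert "$tmp" 10; pem=$tmp/cert.pem
fi
rc=0
cert_expires_within "$pem" "${2:-30}" || rc=$?
case $rc in
    0) echo "WARNING: $pem expires in $(cert_days_left "$pem") days" ;;
    1) echo "OK: $pem has $(cert_days_left "$pem") days left" ;;
    *) echo "ERROR: cannot parse $pem" ;;
esac
[ -z "$tmp" ] || rm -rf "$tmp"
```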
I followed https://fedfree.org/docs/http/debian-nginx.html#renew-certificates and https://community.letsencrypt.org/t/cant-dry-run-renew-3-certificates-at-the-same-time-jitsi/211440 to get the above done.
To learn more about cron: https://wikiless.org/w/index.php?search=cronjob&title=Special%3ASearch#Overview
About certbot’s options: https://eff-certbot.readthedocs.io/en/stable/using.html#managing-certificates