January 11, 2024

Renew LetsEncrypt certificates and set up auto-renew with cron

First, test the renewal with the --dry-run option:

certbot renew --cert-name agency.yctct.com --dry-run --webroot -w /var/www/letsencrypt/

If that succeeds, run:

certbot renew --cert-name agency.yctct.com --webroot -w /var/www/letsencrypt/
systemctl reload nginx

Certificates expire every three months, so you want to set up auto-renew.

Set up auto-renew with cron

Create a file /sbin/reloadservers and add the following:

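#!/bin/bash

# Regenerate the Diffie-Hellman parameters (slow at 4096 bits)
# openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
# Renew the certificate if it is due
certbot renew --cert-name agency.yctct.com --webroot -w /var/www/letsencrypt

# Reload nginx so it picks up the renewed certificate
systemctl reload nginx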

# if you also have mail for example, with certs e.g. mail.example.com
# systemctl restart postfix
# systemctl restart dovecot

Check permissions:

ls -l /sbin/reloadservers 
-rw-r--r-- 1 root root 294 Jan 11 18:06 /sbin/reloadservers

Mark it as executable:

chmod +x /sbin/reloadservers

Now:

ls -l /sbin/reloadservers 
-rwxr-xr-x 1 root root 294 Jan 11 18:06 /sbin/reloadservers

Then add the script to cron. First run:

crontab -e

Then add this line to the file (it runs the script every Sunday at midnight):

0 0 * * 0 /sbin/reloadservers

Troubleshooting

Try https://www.ssllabs.com/ssltest/analyze.html

To check the expiry dates of certificates, run:

certbot certificates
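
To notice when the weekly cron job has stopped renewing, the output of certbot certificates can be filtered for certificates that are close to expiry. This is an added example, not part of the original post: the function name expiring_certs, the 21-day threshold and the sample output are assumptions made up for illustration (certbot by default renews once fewer than 30 days remain, so a healthy weekly job should never let a certificate drop below 21).

```shell
#!/bin/bash
# Added example, not from the original post.
# Reads `certbot certificates` output on stdin and prints one line per
# certificate that has fewer than MIN_DAYS left ("<name> <days>") or that
# certbot reports as invalid ("<name> INVALID"). Returns 1 if any was flagged.
expiring_certs() {
    awk -v min="${1:-21}" '
        /Certificate Name:/ { name = $NF }
        /Expiry Date:/ {
            if (match($0, /\(VALID: [0-9]+ day/)) {
                # awk converts the leading digits of "89 days)" to 89
                days = substr($0, RSTART + 8) + 0
                if (days < min) { print name, days; found = 1 }
            } else if ($0 ~ /\(VALID: [0-9]+ hour/) {
                print name, 0; found = 1          # less than one day left
            } else {
                print name, "INVALID"; found = 1  # expired, revoked or test cert
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample of `certbot certificates` output (dates are made up).
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: agency.yctct.com
    Domains: agency.yctct.com
    Expiry Date: 2024-04-10 17:05:12+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/agency.yctct.com/fullchain.pem
  Certificate Name: mail.example.com
    Domains: mail.example.com
    Expiry Date: 2024-01-24 09:14:40+00:00 (VALID: 12 days)
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2023-12-30 11:02:03+00:00 (INVALID: EXPIRED)
EOF
}

# Demo on the constructed sample: run this file with --demo
# Real use, for example from cron:
#   certbot certificates 2>/dev/null | expiring_certs 21
if [ "${1:-}" = "--demo" ]; then sample_output | expiring_certs 21; fi
```

Because the function returns a non-zero status when something is flagged, a cron entry that calls it will mail its output only when a certificate needs attention, provided cron mail is configured.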

I followed https://fedfree.org/docs/http/debian-nginx.html#renew-certificates and https://community.letsencrypt.org/t/cant-dry-run-renew-3-certificates-at-the-same-time-jitsi/211440 to get the above done.

To learn more about cron: https://wikiless.org/w/index.php?search=cronjob&title=Special%3ASearch#Overview

About certbot's options: https://eff-certbot.readthedocs.io/en/stable/using.html#managing-certificates



No affiliate links, no analytics, no tracking, no cookies. This work © 2016-2024 by yctct is licensed under CC BY-ND 4.0.

GPG fingerprint: 2E0F FB60 7FEF 11D0 FB45 4DDC E979 E52A 7036 7A88