Set up Let’s Encrypt Certbot auto renew


SystemMen - Set up Let’s Encrypt Certbot auto renew. This article guides you through setting up automatic renewal of Let’s Encrypt certificates with Certbot. Over the past few years, Let’s Encrypt has become a familiar name to website and system administrators.

It comes with the Certbot tool, which is very useful, and everyone knows that Certbot must be used to renew the SSL certificates every 3 months, since Let’s Encrypt certificates are only valid for 90 days.

You probably do not want to do that by hand. In fact, the Certbot documentation site has instructions for automating it.

You can test automatic renewal for your certificates by running this command:

sudo certbot renew --dry-run

The command to renew certbot is installed in one of the following locations:

/etc/crontab/
/etc/cron.*/*
systemctl list-timers

However, I myself find it to be unsuccessful; the default Certbot does not seem to work well with crontab or systemd.

So how do you make Certbot renew Let’s Encrypt certificates automatically?

Create the Certbot Renew service

Yes, that is exactly what I mean: with a small change to the system, we make Certbot Renew run as a systemd service.

First of all, the environment: I’m using CentOS 7 64-bit, with Certbot for the Nginx web server. You can do the same on other systemd-based systems.

Step 1: Create a .service file for Certbot

You create the /etc/systemd/system/certbot-renewal.service file and copy the following content to the file.

[Unit]
Description=Certbot Renewal

[Service]
# oneshot: the job runs to completion each time the timer fires
Type=oneshot
ExecStart=/usr/bin/certbot renew --post-hook "systemctl reload nginx"

Step 2: Create a .timer file for the Certbot service just created above.

This file plays the role of a crontab entry. A plain service would run continuously, and you do not want Certbot attempting renewal around the clock: that would run into Let’s Encrypt’s rate limits and get your system blocked.

Therefore, you need to set the renewal interval for it. Here I set it to once a day.

You create the /etc/systemd/system/certbot-renewal.timer file and copy the content below into the file.

[Unit]
Description=Timer for Certbot Renewal

[Timer]
OnBootSec=300
OnUnitActiveSec=1d

[Install]
WantedBy=multi-user.target

Finally, you need to reload the system daemon to apply the newly created service.

sudo systemctl daemon-reload

Start Certbot Renew service and check status

Run the following command to enable and start the Certbot Renew service.

sudo systemctl enable certbot-renewal.timer
sudo systemctl start certbot-renewal.timer

Next, run the following command to check the service status.

sudo systemctl status certbot-renewal.timer
sudo journalctl -u certbot-renewal.service

The result will look like the output below.

[root@proxy ~]# sudo systemctl status certbot-renewal.timer
● certbot-renewal.timer - Timer for Certbot Renewal
   Loaded: loaded (/etc/systemd/system/certbot-renewal.timer; enabled; vendor preset: disabled)
   Active: active (waiting) since Tue 2020-01-07 12:01:18 +07; 3s ago

Jan 07 12:01:18 proxy.local systemd[1]: Started Timer for Certbot Renewal.
[root@proxy ~]#
[root@proxy ~]# sudo journalctl -u certbot-renewal.service
-- Logs begin at Wed 2020-01-01 21:52:39 +07, end at Tue 2020-01-07 12:01:28 +07. --
Jan 07 12:01:18 proxy.local systemd[1]: Started Certbot Renewal.
Jan 07 12:01:18 proxy.local certbot[45677]: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Jan 07 12:01:18 proxy.local certbot[45677]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Jan 07 12:01:18 proxy.local certbot[45677]: Processing /etc/letsencrypt/renewal/dev.abc.com.conf
Jan 07 12:01:18 proxy.local certbot[45677]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Jan 07 12:01:18 proxy.local certbot[45677]: Cert not yet due for renewal
Jan 07 12:01:19 proxy.local certbot[45677]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Jan 07 12:01:19 proxy.local certbot[45677]: The following certs are not due for renewal yet:
Jan 07 12:01:19 proxy.local certbot[45677]: /etc/letsencrypt/live/dev.abc.com/fullchain.pem expires on 2020-04-01 (skipped)
Jan 07 12:01:19 proxy.local certbot[45677]: No renewals were attempted.
Jan 07 12:01:19 proxy.local certbot[45677]: No hooks were run.
Jan 07 12:01:19 proxy.local certbot[45677]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
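The whole procedure above (write the two unit files, reload systemd, enable and start the timer, and verify) gathered into one script, as an added example that is not part of the original article. It assumes the article's paths and names: Certbot at /usr/bin/certbot, Nginx as the web server, and the unit base name certbot-renewal; the directory, base name, and interval are parameters so the file-writing part can be tried in a scratch directory before touching /etc/systemd/system. It also adds a check the article does not mention: a timer with no Unit= line activates the service of the same base name, so if the two files are not named consistently the timer starts but nothing ever runs.

```shell
#!/usr/bin/env bash
# Added example (not the article's own code). Generates and installs the
# certbot-renewal systemd service and timer described above, then checks them.
# Assumptions: certbot is at /usr/bin/certbot and the web server is nginx.
set -eu

CERTBOT_BIN="${CERTBOT_BIN:-/usr/bin/certbot}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"

# Print the .service unit. Type=oneshot tells systemd the process is expected
# to run to completion, which is the right shape for a timer-driven job.
render_service_unit() {
    cat <<EOF
[Unit]
Description=Certbot Renewal

[Service]
Type=oneshot
ExecStart=${CERTBOT_BIN} renew --post-hook "${RELOAD_CMD}"
EOF
}

# Print the .timer unit: first run 5 minutes after boot, then every $1
# (default 1d, once a day as in the article).
render_timer_unit() {
    local interval="${1:-1d}"
    cat <<EOF
[Unit]
Description=Timer for Certbot Renewal

[Timer]
OnBootSec=300
OnUnitActiveSec=${interval}

[Install]
WantedBy=multi-user.target
EOF
}

# Write both units into $1 (default /etc/systemd/system) under base name $2
# (default certbot-renewal) with interval $3. Unit files must not be writable
# by anyone but root, because ExecStart runs as root.
install_units() {
    local dir="${1:-/etc/systemd/system}" name="${2:-certbot-renewal}"
    mkdir -p "$dir"
    render_service_unit > "$dir/$name.service"
    render_timer_unit "${3:-1d}" > "$dir/$name.timer"
    chmod 0644 "$dir/$name.service" "$dir/$name.timer"
}

# A timer without an explicit Unit= line activates <same base name>.service.
# Return 0 if that service file exists beside the timer, 1 otherwise; a
# mismatch leaves the timer "active (waiting)" with a job that never runs.
check_timer_pair() {
    local timer="$1" target
    target="$(sed -n 's/^Unit=//p' "$timer" | tail -n1)"
    [ -n "$target" ] || target="$(basename "${timer%.timer}").service"
    [ -f "$(dirname "$timer")/$target" ]
}

# Reload systemd, enable and start the timer (separate enable/start, since
# CentOS 7's systemd 219 lacks "enable --now"), then exercise the renewal
# path without touching real certificates and show when the timer fires next.
apply_units() {
    local name="${1:-certbot-renewal}"
    check_timer_pair "/etc/systemd/system/$name.timer"
    systemctl daemon-reload
    systemctl enable "$name.timer"
    systemctl start "$name.timer"
    "$CERTBOT_BIN" renew --dry-run
    systemctl list-timers "$name.timer" --no-pager
}

# Usage (as root): ./certbot-units.sh install
case "${1:-}" in
    install) install_units; apply_units ;;
esac
```

Running it with `sudo ./certbot-units.sh install` reproduces Steps 1 and 2, the daemon-reload, and the enable/start commands in one go, and the `certbot renew --dry-run` at the end is the same check the Certbot documentation recommends, so a hook or permission problem shows up immediately rather than at the first real renewal three months later.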

Conclusion

With a few minor interventions on the system, you have successfully set up the Certbot Renew service. This lets you renew Let’s Encrypt SSL certificates automatically, without having to worry about one expiring at midnight.
