Certbot - Automatically renew certificates


This assumes you have already created one or more certificates using Certbot. If not, check out my other Certbot articles first.

Let's say you have something like this. Notice that /etc/letsencrypt/live/example.com/fullchain.pem is a symbolic link to /etc/letsencrypt/archive/example.com/fullchain.pem, so the path under live/ keeps working after a renewal replaces the file under archive/.

~]$ sudo ls -l /etc/letsencrypt/live/example.com/
lrwxrwxrwx 1 root root  34 Jul 17 10:34 cert.pem -> ../../archive/example.com/cert.pem
lrwxrwxrwx 1 root root  35 Jul 17 10:34 chain.pem -> ../../archive/example.com/chain.pem
lrwxrwxrwx 1 root root  39 Jul 17 10:34 fullchain.pem -> ../../archive/example.com/fullchain.pem
lrwxrwxrwx 1 root root  37 Jul 17 10:34 privkey.pem -> ../../archive/example.com/privkey.pem

 

The certbot certificates command can be used to see the date the certificate was issued and when it expires.

~]$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: example.com
    Serial Number: 123456789abcdefghi123456789abdefghi
    Key Type: ECDSA
    Domains: example.com *.example.com
    Expiry Date: 2023-10-15 14:34:41+00:00 (VALID: 80 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

And perhaps your /etc/letsencrypt/renewal/example.com.conf file has something like this. By default, renew_before_expiry is commented out, in which case Certbot attempts to renew the certificate once it is 30 days or less from expiry.

~]$ cat /etc/letsencrypt/renewal/example.com.conf
# renew_before_expiry = 30 days
version = 2.6.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

 

The certbot renew command can be used to renew your Certbot certificates. You might want to first try with --dry-run.

~]$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for example.com and *.example.com
Waiting 900 seconds for DNS changes to propagate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/example.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

And if --dry-run finds no problems, you can run the command again without the --dry-run flag. In this example, since the certificate at /etc/letsencrypt/live/example.com/fullchain.pem expires in more than 30 days, the example.com certificate is not renewed.

~]$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/example.com/fullchain.pem expires on 2023-10-15 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

On the other hand, if the certificate is eligible for renewal (by default, when it expires in 30 days or less), output like the following should be displayed and the certificate is renewed.

~]$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for example.com and *.example.com
Waiting 900 seconds for DNS changes to propagate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
  /etc/letsencrypt/live/example.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
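As an added example (not code from the original article or from Certbot itself), here is a small Python check that applies the rule above to the output of certbot certificates and the renewal conf: it reads renew_before_expiry (falling back to Certbot's 30-day default when the line is commented out), parses each certificate's expiry date, and reports whether it is not due, due, or already expired. The sample output and conf are constructed from the ones shown on this page, plus a hypothetical expired certificate, and "now" is fixed so the result is reproducible.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the "certbot certificates" output shown on this page, plus a
# hypothetical second certificate (old.example.com) that has already expired.
CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: example.com
    Expiry Date: 2023-10-15 14:34:41+00:00 (VALID: 80 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
  Certificate Name: old.example.com
    Expiry Date: 2023-07-01 00:00:00+00:00 (INVALID: EXPIRED)
"""
# Constructed sample: the renewal conf from this page (renew_before_expiry commented out).
RENEWAL_CONF = "# renew_before_expiry = 30 days\nversion = 2.6.0\n"
# Fixed "now" so the result is reproducible: 80 days before example.com expires.
NOW = datetime(2023, 7, 27, tzinfo=timezone.utc)

def renew_before_expiry(conf_text, default_days=30):
    """Threshold from the renewal conf; a commented-out line means Certbot's 30-day default."""
    m = re.search(r"^\s*renew_before_expiry\s*=\s*(\d+)\s*days?\s*$", conf_text, re.M)
    return int(m.group(1)) if m else default_days

def parse_certificates(output):
    """Return (name, expiry datetime) pairs parsed from 'certbot certificates' output."""
    # Parse the date itself rather than trusting the "(VALID: N days)" annotation.
    pattern = re.compile(r"Certificate Name:\s*(\S+).*?Expiry Date:\s*(\S+ \S+)", re.S)
    return [(n, datetime.fromisoformat(d)) for n, d in pattern.findall(output)]

def renewal_status(output, conf_text, now):
    """Map each certificate name to (days left, status) using the 'N days or less' rule."""
    threshold = renew_before_expiry(conf_text)
    status = {}
    for name, expiry in parse_certificates(output):
        days_left = (expiry - now).days
        if expiry <= now:
            state = "expired"   # renewal failed or the cron job never ran: worth an alert
        elif days_left <= threshold:
            state = "due"       # certbot renew would renew this certificate now
        else:
            state = "not due"   # certbot renew reports "not yet due for renewal"
        status[name] = (days_left, state)
    return status

def example_status():
    return renewal_status(CERTBOT_OUTPUT, RENEWAL_CONF, NOW)

if __name__ == "__main__":
    print(example_status())
```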

 

If you have multiple certificates, you can use --cert-name to target a specific certificate.

sudo certbot renew --cert-name example.com

 

You can create a crontab job in root's crontab (sudo crontab -e) that runs certbot renew twice a day, at 00:00 and 12:00 (this is loosely based on Certbot's documentation, which also suggests sleeping for a while before renewing so that many clients do not contact Let's Encrypt at the same moment). The 2>&1 sends Certbot's error output to the log as well, so a failed renewal is recorded rather than lost.

0 0,12 * * * echo $(date) | tee --append /var/log/certbot/renewal.log; sleep 1000 && certbot renew 2>&1 | tee --append /var/log/certbot/renewal.log

 

Or, in the crontab of a non-root user that has been granted passwordless sudo permission for the tee and certbot commands (cron cannot answer a sudo password prompt).

0 0,12 * * * echo $(date) | sudo tee --append /var/log/certbot/renewal.log; sleep 1000 && sudo certbot renew 2>&1 | sudo tee --append /var/log/certbot/renewal.log

 

Since the crontab job appends to /var/log/certbot/renewal.log in this example, you will probably also want to create a logrotate file such as /etc/logrotate.d/certbot_renewal with something like this, so the log is rotated daily, compressed, and kept for a year.

/var/log/certbot/renewal.log {
        daily
        missingok
        rotate 365
        create 0644 root root
        dateext
        compress
}
