Automating LE cert renewal for Discourse docker app container running on Ubuntu


#1

Automating LE cert renewal for Discourse docker app container running on Ubuntu; how can this be accomplished? Has anyone done it yet? The point here is to have it automated via a cron job. I can do it manually. Thanks.

  • Fabian S.

#2

How do you do it manually? Can you please list the steps? I have been looking into how to set up Letsencrypt for a Discourse site.


#3

Nevermind. Found it: https://meta.discourse.org/t/support-for-lets-encrypt/22308/12


#4

I combined script info from your link above and another topic / user from this forum concerning renewing LE certs via cronjob and came up with this for discourse docker app containers (renew.sh):

#!/bin/bash
# renew.sh: stop the Discourse container, renew the cert with the standalone
# authenticator, copy the new files into the container's shared ssl dir, restart.
# Replace <domain> with your site's hostname (same placeholder as in the cp lines).

# Update the client before taking the site down, so a failed cd or pull
# does not leave the app stopped.
cd /letsencrypt/ || exit 1
git pull

/var/discourse/launcher stop app

./letsencrypt-auto certonly -c /etc/letsencrypt/cli.ini --standalone -d <domain>

if [ $? -ne 0 ]
then
    sleep 5
    # Capture the tail of the client log only after the failure, so the mail
    # carries the lines that explain it.
    ERRORLOG=$(tail /var/log/letsencrypt/letsencrypt.log)
    echo -e "The Lets Encrypt Cert has not been renewed! \n \n$ERRORLOG" | mail -s "Lets Encrypt Cert Alert" postmaster@<domain>

    /var/discourse/launcher start app

else

    rm -f /var/discourse/shared/standalone/ssl/ssl.{crt,key}
    rm -f /var/discourse/shared/standalone/ssl/chain.pem

    cp /etc/letsencrypt/live/<domain>/fullchain.pem /var/discourse/shared/standalone/ssl/ssl.crt
    cp /etc/letsencrypt/live/<domain>/privkey.pem /var/discourse/shared/standalone/ssl/ssl.key
    cp /etc/letsencrypt/live/<domain>/chain.pem /var/discourse/shared/standalone/ssl/

    /var/discourse/launcher start app

fi

exit 0


and in my cli.ini file I simply specify the ACME server, my email address and the option renew-by-default:

server = https://acme-v01.api.letsencrypt.org/directory
renew-by-default
email = postmaster@

I then set the script's executable bit (chmod +x renew.sh)

and added it to my crontab with crontab -e (as root):

0 2 1 2,4,6,8,10,12 * /etc/letsencrypt/renew.sh

which will run it every 2 months on day 1 at 2 am. Since today's date is 12/8, this job will first run in February.

I also manually tested the script first by simply running it. Some would argue against the use of root, but it's OK for me and my purposes, plus I believe the official LE client requires it in some fashion. That's it.

  • Fabian S.

#5

One more note: the reason I copy chain.pem into the docker app container's ssl folder is that, for my Discourse docker app, I modified the web.ssl template to add support for OCSP and rely on the chain.pem file for that.

Also, in my crontab entry I made no provision for emailing me the end result of the cron job, because the shell script contains that mechanism only for the case of LE cert renewal failure.

That is all.

  • Fabian S.
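The renewal flow in #4 and #5 (stop container, renew, copy fullchain/privkey/chain into the shared ssl dir, restart) swaps the files in unconditionally, so a truncated copy or a cert/key pair that do not belong together only shows up when the container fails to come back. The script below is an added example, not the poster's script or anything shipped by Discourse or the Let's Encrypt client: it keeps the same paths and file names from the thread but stages the three files, checks each is a non-empty PEM block, checks that the certificate's public key matches the private key (via openssl), and only then moves them into place, keeping the previous set as `*.prev`. `DOMAIN` is a placeholder you must set, the `run` argument is this example's own convention so the functions can be sourced without side effects, and `LE_LIVE`, `SSL_DIR` and `LAUNCHER` are overridable only so the helpers can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread): renewal wrapper for a Discourse docker
# container that validates the renewed files before swapping them in, so the
# container is never restarted on an empty, truncated or mismatched cert/key.
set -u

DOMAIN="${DOMAIN:-<domain>}"                 # placeholder, as in the thread; set it
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live/$DOMAIN}"
SSL_DIR="${SSL_DIR:-/var/discourse/shared/standalone/ssl}"
LAUNCHER="${LAUNCHER:-/var/discourse/launcher}"
LE_LOG=/var/log/letsencrypt/letsencrypt.log

# pem_ok FILE KIND: file exists, is non-empty and contains a PEM block of KIND
# (KIND is CERTIFICATE or "PRIVATE KEY"; the .* admits RSA/EC key headers).
pem_ok() {
    [ -s "$1" ] && grep -q -- "-----BEGIN .*$2-----" "$1"
}

# cert_matches_key CERT KEY: compare the public key embedded in the certificate
# with the public key derived from the private key (both as PEM SPKI).
cert_matches_key() {
    local c k
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# install_certs LIVE_DIR SSL_DIR: copy fullchain/privkey/chain into a staging
# dir inside SSL_DIR, validate, then move into place, keeping the previous set
# as *.prev. Returns non-zero and leaves SSL_DIR untouched on any failure.
install_certs() {
    local live dst stage f
    live="$1"; dst="$2"
    stage=$(mktemp -d "$dst/.stage.XXXXXX") || return 1
    if ! cp "$live/fullchain.pem" "$stage/ssl.crt" ||
       ! cp "$live/privkey.pem"   "$stage/ssl.key" ||
       ! cp "$live/chain.pem"     "$stage/chain.pem"; then
        rm -rf "$stage"; return 1
    fi
    chmod 600 "$stage/ssl.key"
    if ! pem_ok "$stage/ssl.crt" CERTIFICATE ||
       ! pem_ok "$stage/ssl.key" "PRIVATE KEY" ||
       ! pem_ok "$stage/chain.pem" CERTIFICATE; then
        rm -rf "$stage"; return 1
    fi
    # Refuse to install a certificate whose public key is not the key file's.
    if command -v openssl >/dev/null 2>&1 &&
       ! cert_matches_key "$stage/ssl.crt" "$stage/ssl.key"; then
        rm -rf "$stage"; return 1
    fi
    for f in ssl.crt ssl.key chain.pem; do
        [ -e "$dst/$f" ] && mv -f "$dst/$f" "$dst/$f.prev"
        mv -f "$stage/$f" "$dst/$f" || return 1
    done
    rmdir "$stage"
}

main() {
    "$LAUNCHER" stop app
    if /letsencrypt/letsencrypt-auto certonly -c /etc/letsencrypt/cli.ini --standalone -d "$DOMAIN" &&
       install_certs "$LE_LIVE" "$SSL_DIR"; then
        "$LAUNCHER" start app
    else
        # Renewal or validation failed: come back up on the previous files and alert.
        "$LAUNCHER" start app
        { echo "Lets Encrypt renewal failed for $DOMAIN"; tail -n 50 "$LE_LOG"; } |
            mail -s "Lets Encrypt Cert Alert" "postmaster@$DOMAIN"
        return 1
    fi
}

# cron entry: 0 2 1 2,4,6,8,10,12 * /etc/letsencrypt/renew.sh run
# Without the "run" argument the file only defines functions (so it can be sourced).
case "${1:-}" in run) main ;; esac
```

Unlike the thread's `exit 0`, `main` returns non-zero on a failed renewal or a rejected file set, so cron's own failure mail (if configured) fires as well as the script's alert; the `*.prev` copies give you the last good set to roll back to by hand.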