Anthony Allen
Monday February 20, 2017
I have full control over the DNS.
Purpose: weekly check for certificate renewal with Let's Encrypt certbot-auto renew.
Comment out the weeks on which you don't want to check!
Usage: the cron file is checked daily. Place it in /etc/cron.d
Example cron file:
0 20 * * 6 /path/to/script/everyweek.sh
i.e. check daily, but run the script only if the time is 8pm on Saturday.
Don't place the script itself (in this case everyweek.sh, the script to be run) in the cron.d directory.
Disclaimer: limited testing, bash only, on Fedora. Test, use and modify at your own risk.
#!/bin/bash
# Get the day of the month. NOTE: the day of the month (dom) is the calendar date
# on which cron runs this script, not cron's day-of-the-week field.
dom=$(date +%d)
# Check if dom is in the 1st week. If so, check the certificate for renewal.
if [ "$dom" -le 07 ]; then
    /path/to/letsencryptcertbot-auto renew
# Check if dom is in the 2nd week. If so, check the certificate for renewal.
elif [ "$dom" -ge 08 ] && [ "$dom" -le 14 ]; then
    /path/to/letsencryptcertbot-auto renew
# Check if dom is in the 3rd week. If so, check the certificate for renewal.
elif [ "$dom" -ge 15 ] && [ "$dom" -le 21 ]; then
    /path/to/letsencryptcertbot-auto renew
# Check if dom is in the 4th week. If so, check the certificate for renewal.
elif [ "$dom" -ge 22 ] && [ "$dom" -le 28 ]; then
    /path/to/letsencryptcertbot-auto renew
# Check if dom is in the 5th week. If so, check the certificate for renewal.
elif [ "$dom" -ge 29 ] && [ "$dom" -le 31 ]; then
    /path/to/letsencryptcertbot-auto renew
fi
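The week-of-month selection from the script above, generalised, as an added example written for this thread (it is not the original poster's script). The weeks to act on are listed in one variable instead of an elif chain, and the leading zero that date +%d produces is stripped before any arithmetic, because a value like 08 or 09 is read as octal inside $(( )) and aborts the script. The names WEEKS, RENEW_CMD, week_of_month, week_selected and maybe_renew are my own, and RENEW_CMD defaults to an echo so the script can be exercised without certbot installed.

```shell
#!/bin/sh
# Added example, not the original poster's script: attempt renewal only on
# selected weeks of the month. Names WEEKS, RENEW_CMD, week_of_month,
# week_selected and maybe_renew are assumptions made for this example.

# Weeks of the month (1..5) on which a renewal attempt should run.
# Remove a number from this list instead of commenting out an elif branch.
WEEKS="${WEEKS:-1 3 5}"

# Placeholder for the real command, e.g. /path/to/certbot-auto renew.
RENEW_CMD="${RENEW_CMD:-echo certbot-auto renew}"

# Map a day of the month (01..31) to its week of the month (1..5).
# The leading zero from `date +%d` is stripped first: in shell arithmetic
# "08" and "09" are parsed as octal and raise an error.
week_of_month() {
    d=${1#0}
    echo $(( (d - 1) / 7 + 1 ))
}

# Return 0 if week $1 appears in the WEEKS list, 1 otherwise.
week_selected() {
    for w in $WEEKS; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# Decide whether to run today. A day of month can be passed in for testing;
# with no argument the current date is used, as it would be under cron.
maybe_renew() {
    dom=${1:-$(date +%d)}
    week=$(week_of_month "$dom")
    if week_selected "$week"; then
        echo "day $dom is in week $week: attempting renewal"
        $RENEW_CMD
    else
        echo "day $dom is in week $week: skipping"
    fi
}

maybe_renew "$@"
```

Dropped into the same cron entry as the original (`0 20 * * 6 /path/to/script/everyweek.sh`), this runs at 8pm every Saturday and only calls the renewal command when that Saturday falls in one of the listed weeks.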
It isn't "necessary", exactly, but there isn't any reason not to. As @serverco says, it will check your certs, and only run the renewal if they have less than 30 days' validity remaining. But that gives several opportunities for the renewal to run, in case there are network or service problems preventing renewal on the first attempt. This does happen, for a variety of reasons.
We might just as well ask why it is "necessary" to write a script to only attempt the renewal on one specified day of one specified week of the month? This seems to make the process more complicated, for absolutely no reason.
Certbot can never renew certificates obtained by another client unless they were installed in /etc/letsencrypt with the same structure that Certbot itself uses.
Correct. When you run "certbot renew", it checks the local certificate files. If they have less than 30 days (by default, but that threshold can be adjusted) remaining, it runs the renewal.
It's very small if you have only one or two certs. It's basically on par with starting Python, running something like find /etc/letsencrypt/renewal -type f, and then, for each entry, opening two files and doing one ASN.1 parse.
We have heard from some hosting companies that have tens of thousands of certs that it got to be a problem for them, because it was reading and parsing tens of thousands of files, and so they had to come up with alternatives. But I don't think it should be an issue for a typical site.
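The per-certificate check these replies describe, as an added example that is not certbot's code: for each certificate file it asks whether fewer than a threshold number of days of validity remain (30 by default, matching the certbot default mentioned above) and reports which files are due. It uses openssl x509 -checkend for the per-file parse that certbot does in Python. The function names needs_renewal and report_due and the variable DAYS_LEFT_THRESHOLD are my own; the example assumes a flat directory of .pem files, not certbot's /etc/letsencrypt/live layout.

```shell
#!/bin/sh
# Added example, not certbot's own code: reproduce the decision "certbot renew"
# makes per certificate, using the openssl CLI. Names needs_renewal, report_due
# and DAYS_LEFT_THRESHOLD are assumptions made for this example.

# Renew when fewer than this many days of validity remain (certbot's default is 30).
DAYS_LEFT_THRESHOLD="${DAYS_LEFT_THRESHOLD:-30}"

# Return 0 if the certificate in $1 expires within $2 days (default: threshold),
# 1 if it still has enough validity left, 2 if the file is not a parseable cert.
needs_renewal() {
    cert=$1
    days=${2:-$DAYS_LEFT_THRESHOLD}
    seconds=$(( days * 86400 ))
    # -checkend exits 0 when the certificate is still valid at now+seconds,
    # and 1 when it will have expired by then (or cannot be read at all).
    if openssl x509 -noout -checkend "$seconds" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    # Separate "will expire soon" from "not a certificate".
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 2
    return 0
}

# Walk every .pem file in a directory and print one status line per file.
# This is the same open-and-parse-one-file loop the replies above describe,
# so its cost grows linearly with the number of certificates.
report_due() {
    dir=$1
    for cert in "$dir"/*.pem; do
        [ -e "$cert" ] || continue
        rc=0
        needs_renewal "$cert" || rc=$?
        case $rc in
            0) echo "DUE        $cert" ;;
            1) echo "ok         $cert" ;;
            *) echo "UNREADABLE $cert" ;;
        esac
    done
}

# Usage: check_certs.sh /path/to/certs
if [ $# -gt 0 ]; then
    report_due "$1"
fi
```

Pointing report_due at a directory and alerting on any DUE or UNREADABLE line gives an independent check that the scheduled renewal is actually keeping certificates fresh, which is the failure the replies warn about when a renewal attempt silently hits a network or service problem.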