Cron Bash script for Letsencrypt Certbot-auto renew certificate renewal

Anthony Allen
Monday February 20, 2017
I have full control over the DNS.

Purpose: Weekly check for letsencrypt certbot -auto renew certificate renewal.
Comment out weeks that are not desired to check!

Usage: Cron file is checked daily. Placed in /etc/crond.d

Example Cron file:
0 20 * * 6 /path/to/script/
i.e. check daily but run the script if the time is 8pm Saturday.
Don’t place script (in this case, the script to be run) in directory cron.d.

Disclaimer: Limited testing for bash only on Fedora. Test, use and modify at your own risk.


#! /usr/bin/bash

#Get day of the month.
#NOTE: bash day of month (dom) IS the date i.e. the number of cron’s day of the week, the day in which cron runs

dom=$(date +%d)

#check if dom in 1st week. If dom in 1st week check certificate for renewal
if [ $dom -le 07 ]; then
/path/to/letsencryptcertbot-auto renew

#check if dom in 2nd week. If dom in 2nd week check certificate for renewal
elif [ $dom -ge 08 ] && [ $dom -le 14 ]; then
/path/to/letsencryptcertbot-auto renew

#check if dom in 3rd week. If dom in 3rd week check certificate for renewal
elif [ $dom -ge 15 ] && [ $dom -le 21 ]; then
/path/to/letsencryptcertbot-auto renew

#check if dom in 4th week. If dom in 4th week check certificate for renewal
elif [ $dom -ge 22 ] && [ $dom -le 28 ]; then
/path/to/letsencryptcertbot-auto renew

#check if dom in 5th week. If dom in 5th week check certificate for renewal
elif [ $dom -ge 29 ] && [ $dom -le 31 ]; then
/path/to/letsencryptcertbot-auto renew



As mentioned, comment out the weeks not desired.
The script does not address when the certificate is up for renewal.

You can just run

/path/to/letsencryptcertbot-auto renew

on a daily basis, and it will just check and renew any certificates that need renewal.

I have seen this. But, why is it necessary to run it everyday?

Does “renew any certificates” include those obtained through dehydrated in which the a TXT record had to be manually added for the DNS challenge?


It isn't "necessary", exactly, but there isn't any reason not to. As @serverco says, it will check your certs, and only run the renewal if they have less than 30 days' validity remaining. But that gives several opportunities for the renewal to run, in case there are network or service problems preventing renewal on the first attempt. This does happen, for a variety of reasons.

We might just as well ask why it is "necessary" to write a script to only attempt the renewal on one specified day of one specified week of the month? This seems to make the process more complicated, for absolutely no reason.

Certbot can never renew certificates obtained by another client unless they were installed in /etc/letsencrypt with the same structure that Certbot itself uses.

Hmm … You make a very good point. Thanks @danb35!

The certificate expiry date is obtained from files that reside locally?

Correct. When you run "certbot renew", it checks the local certificate files. If they have less than 30 days (by default, but that threshold can be adjusted) remaining, it runs the renewal.

OK … That clears things up. Thanks @schoen.

Checking the expiry, the local takes a miniscule / infestestimal hit in performance?

When “it runs the renewal”, the remote is hit, the transaction is made between the remote and local servers to and the certificste is renewed?

I would say "no hit", but I guess a few CPU cycles are required.


1 Like

It's very small if you have only one or two certs. It's basically on par with starting Python, running something like find /etc/letsencrypt/renewal -type f, and then, for each entry, opening two files and doing one ASN.1 parse.

We have heard from some hosting companies that have tens of thousands of certs that it got to be a problem for them, because it was reading and parsing tens of thousands of files, and so they had to come up with alternatives. But I don't think it should be an issue for a typical site.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.