Help With Cronjob to Auto-Renew Cert on Nginx

Hello,

Let’s Encrypt is awesome! Thank you!

I have everything set up and I’ve been manually renewing. My setup is Nginx / Ubuntu 16.04. I’ve been renewing manually using:

service nginx stop
cd /opt/letsencrypt/
./certbot-auto renew
service nginx start

And, it works beautifully. However, it’s a pain in the ass to remember.

However, I’m pretty much a noob when it comes to cronjobs and I wanted to make sure I do it perfectly. So, I found a few options on the web, but wanted some specific input so I don’t mess anything up.

Can someone give me a quick step-by-step on how to make sure this baby will renew itself automatically?

Sure thing! One question first though, what authorization plugin are you using? Renew uses whatever you set up initially, and that will slightly change my answer. Standalone, nginx, webroot?

To do _exactly_ what you have there, just execute sudo crontab -e, which will open the crontab in the default editor. Probably vim, but that depends on your system. In here, add the line

28 4,23 * * * /opt/letsencrypt/certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start" 

Save and exit. This line will attempt renewal twice a day at 4:28am and 11:28pm. (Modify the numbers to pick better times if you want.) However, this is not the best way to go about it. I assume you’re stopping and starting nginx because you’re using standalone authorization? This command will stop and start nginx twice a day. If you can use another plugin, such as webroot or nginx, this can be made a lot more efficient. With webroot, you would replace the pre-hook and post-hook options with --renew-hook "service nginx reload". This will gracefully reload nginx to apply the new certificate only if it is generated. (Note your nginx configs must be pointing to the ‘live’ Let’s Encrypt directory to look for the certificate files for this to work automatically. This is the best practice.)

Finally, if you use the nginx plugin, you don’t need any of these flags! It handles everything for you. Just the certbot-auto renew will be enough!

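The --renew-hook "service nginx reload" suggested in the answer above reloads nginx unconditionally. The script below is an added example (not from this thread and not part of Certbot) of a slightly safer hook: it runs the nginx configuration test first and only reloads if that passes, so a config typo can never leave nginx stopped after a renewal. It assumes the install path /usr/local/bin/nginx-reload-hook.sh and the Ubuntu 16.04 `service` command from the thread; Certbot really does export RENEWED_LINEAGE and RENEWED_DOMAINS to renew hooks and only runs them when a certificate was actually renewed.

```shell
#!/bin/sh
# nginx-reload-hook.sh (added example, not from the thread or from Certbot itself)
# Install as e.g. /usr/local/bin/nginx-reload-hook.sh (assumed path) and run it with
#   certbot-auto renew --renew-hook /usr/local/bin/nginx-reload-hook.sh
# Certbot only runs the hook when a certificate was actually renewed and exports
# RENEWED_LINEAGE and RENEWED_DOMAINS to it. The script tests the nginx config
# before reloading, so a broken config never leaves nginx down: the old
# certificate simply stays in use until the config is fixed.
set -u

# Commands are variables so they can be swapped for tests or other init systems.
NGINX_TEST_CMD=${NGINX_TEST_CMD:-"nginx -t"}
NGINX_RELOAD_CMD=${NGINX_RELOAD_CMD:-"service nginx reload"}
HOOK_LOG=${HOOK_LOG:-/var/log/letsencrypt/nginx-reload-hook.log}

log() {
    # Append a timestamped line to the log file; fall back to stderr if it is not writable.
    msg="$(date -u +%Y-%m-%dT%H:%M:%SZ) $*"
    printf '%s\n' "$msg" >>"$HOOK_LOG" 2>/dev/null || printf '%s\n' "$msg" >&2
}

# Exit status: 0 reloaded, 1 config test failed (no reload attempted), 2 reload itself failed.
reload_if_valid() {
    lineage=${RENEWED_LINEAGE:-unknown}
    domains=${RENEWED_DOMAINS:-unknown}
    if ! $NGINX_TEST_CMD >/dev/null 2>&1; then
        log "ERROR: nginx config test failed; not reloading after renewal of $lineage ($domains)"
        return 1
    fi
    if ! $NGINX_RELOAD_CMD >/dev/null 2>&1; then
        log "ERROR: nginx reload failed after renewal of $lineage ($domains)"
        return 2
    fi
    log "reloaded nginx after renewal of $lineage ($domains)"
    return 0
}

# Only act when invoked under the installed script name, i.e. when Certbot calls it.
case "${0##*/}" in
    nginx-reload-hook.sh) reload_if_valid ;;
esac
```

Because the hook only runs when a certificate was actually issued, the log file doubles as a record of every renewal that reached nginx; a "config test failed" line there is the signal to fix the config and run `service nginx reload` by hand.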

That’s a great question, Jared! I don’t know because I didn’t originally setup the SSL cert.

Is there a command I can run to see if it’s Standalone, nginx or webroot? And, if not, is there an easy way to just switch to --nginx?

I agree with that recommendation overall, but it's not quite as bad as you make it out to be because --pre-hook and --post-hook are only run when Certbot attempts to obtain a certificate. When it's not actually time to renew, certbot-auto renew will notice that and refrain from running any hooks. :slight_smile: So, this should not actually result in super-frequent starting and stopping of nginx. (This is a way that the hooks are significantly nicer than the old style of literally putting service nginx stop && certbot-auto renew && service nginx stop into the crontab file.)

Sure, cat /etc/letsencrypt/renewal/*.conf

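The cat command above shows the raw files. As an added example (not from the thread or from Certbot), the script below reads the authenticator and installer out of the [renewalparams] section of every renewal conf and prints one line per certificate together with the hook advice from this thread, so you can see at a glance which lineages still rely on standalone. It assumes the standard /etc/letsencrypt/renewal directory and the conf layout shown in the thread; the key names authenticator and installer are the ones Certbot writes.

```shell
#!/bin/sh
# renewal-summary.sh (added example, not from the thread or from Certbot itself)
# Usage: renewal_summary [/etc/letsencrypt/renewal]
# Output: <lineage> <authenticator> <installer> <what the thread recommends>

# Print the value of KEY from the [renewalparams] section of CONF (empty if absent).
# Keys outside that section (version, cert, ...) and the [[webroot_map]] subsection
# are ignored, which is why a plain grep is not enough.
renewal_param() {
    conf=$1
    key=$2
    awk -v key="$key" '
        /^[[:space:]]*\[/ { in_section = ($0 ~ /^[[:space:]]*\[renewalparams\]/); next }
        in_section && $0 ~ "^[[:space:]]*" key "[[:space:]]*=" {
            sub(/^[^=]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            print
            exit
        }' "$conf"
}

renewal_summary() {
    dir=${1:-/etc/letsencrypt/renewal}
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue            # no confs: the glob stays literal
        name=$(basename "$conf" .conf)       # lineage name, i.e. the --cert-name value
        auth=$(renewal_param "$conf" authenticator)
        inst=$(renewal_param "$conf" installer)
        case "$auth" in
            standalone) note="port 80 must be free: use --pre-hook/--post-hook to stop and start nginx" ;;
            webroot)    note="add --renew-hook to reload nginx after a renewal" ;;
            nginx)      note="no extra hooks needed" ;;
            "")         note="authenticator missing from conf" ;;
            *)          note="check the docs for the $auth plugin" ;;
        esac
        printf '%s\t%s\t%s\t%s\n' "$name" "${auth:-?}" "${inst:-?}" "$note"
    done
}

# Run directly (not when sourced) to summarise the live system.
case "${0##*/}" in
    renewal-summary.sh) renewal_summary "$@" ;;
esac
```

Run it with sudo, since the renewal directory is normally readable only by root; a lineage reported as standalone with installer None is exactly the case this thread is about.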

Yup. It's standalone:

[renewalparams]
installer = None
authenticator = standalone

So, I guess my question should be:

Is there a way to change this to --nginx? If not, should I just run with the --pre-hook --post-hook method of restarting nginx?

You can try to change it to nginx by running once with

./certbot-auto --cert-name example.com -a nginx -i nginx --force-renewal

where example.com is your certificate name (the part before the .conf in /etc/letsencrypt/renewal). If this works, it should be switched over to --nginx automatically for subsequent renewals with ./certbot-auto renew.

Edit: This may also edit your nginx configuration files in a way that could be redundant with what you’ve already done (to tell nginx to use the certificate in question), so you might want to take a look when you’re done to see if there were any unwanted changes to the nginx configuration.
