How to automatically renew certificates?

mrtux 2015-11-24 13:13:31 UTC #1

[Moderator's note: This post is from 2015. Since then, the letsencrypt command has been renamed certbot, and you can renew by running "certbot renew". You can also add that command to your crontab:

$ sudo crontab -e

# Add this to the crontab and save it:
* 7,19 * * * certbot -q renew

]

Hi,

I created certificates using
letsencrypt -a webroot --webroot-path /var/common-le-root/ -d example.com certonly
for some of my domains (actually I set the authenticator and webroot-path in cli.ini).

Running letsencrypt shows me that no installer is selected, letsencrypt certonly asks for domains as well as letsencrypt -i null (I've a script which runs after every letsencrypt run and checks whether services need to be restarted or not (based on the live certificates). Even setting renew-by-default did not changes anything.

How can I automate the renewal of issued certificates?

My1 2015-11-24 13:46:04 UTC #2

as far as I read it isnt implemented yet.

you could make some mods to the client and/or let it run as cron maybe that might help.

Nemis 2015-11-24 14:30:50 UTC #3

i put a multi script on root's crontab, easy

mikeskril 2015-11-25 14:30:31 UTC #4

An example:

crontab –e

@monthly /your_path/letsencrypt/letsencrypt-auto --config /etc/letsencrypt/cli.ini -d yourdomain.com -d www. yourdomain.com certonly && service apache2 reload

Content of cli.ini:
authenticator = webroot
webroot-path = /var/www/
server = https://acme-v01.api.letsencrypt.org/directory
renew-by-default
agree-dev-preview
agree-tos
email = postmaster@yourdomain.com

eva2000 2015-11-25 15:08:23 UTC #5

i am doing the same as @mikeskril via webroot and cronjob for nginx web server http://centminmod.com/letsencrypt-freessl.html#autorenew

mikeskril 2015-11-25 18:13:12 UTC #7

To be honest, I call the below script in crontab.

# Renew Let's Encrypt SSL cert



cd /opt/letsencrypt/
./letsencrypt-auto --config /etc/letsencrypt/cli.ini -d yourdomain.com -d www.yourdomain.com certonly

if [ $? -ne 0 ]
 then
        ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log`
        echo -e "The Lets Encrypt Cert has not been renewed! \n \n" $ERRORLOG | mail -s "Lets Encrypt Cert Alert" postmaster@yourdomain.com
 else
        service apache2 reload
fi

exit 0

eva2000 2015-11-26 06:32:09 UTC #8

Sweet.. thanks for that, I borrowed your idea too now https://community.centminmod.com/posts/20800/

Nemis 2015-11-26 07:59:42 UTC #9

@eva2000 i like your script, but... if it fail to rennovate at 60 day send a mail to EMAIL in /etc/letsencrypt/webroot.ini.
what about first use expirydate and then letencrypt?
maybe more failsafe , example :
-cron launch a scripit every 3 day .
- in this script something like :
if expirydate<15 rennovate ssl else nothing
(or writesomewhere expirydate so not call openssl to check)
have to fail 4 time before
if expirydate <5 send mail
an also try to rennovate 2 times before ssl exipres

eva2000 2015-11-26 10:31:41 UTC #10

ah interesting idea so to keep checking number of days till expiry before triggering an actual auto renew

eva2000 2015-11-28 09:52:50 UTC #11

cheers @Nemis

I changed my cron file routine for letsencrypt ssl certificate auto renewal to check certificate expiry date every 9 days and run auto renewal only if certificate expiry date is less than 30 days. This will ensure if auto renewal fails for some reason on either side, that there's 29/9 = ~ 3 more chances for auto renewal of ssl certificate

Svavar_Kjarrval 2015-11-28 11:05:31 UTC #12

Why not check every day/run?

eva2000 2015-11-28 13:24:17 UTC #13

the cron log would get pretty messy if you had say 100 domain/sites with ssl and each having their own cron running every day that's an extra 100 entries per day

for my cron there's auto email notification of failed renewals so you'd have up to 4 email notification if all initial + subsequent 3 auto renewals failed.

Svavar_Kjarrval 2015-11-28 13:55:31 UTC #14

Maybe there's a way to get it all to a single cronjob.

eva2000 2015-11-28 15:44:15 UTC #15

suppose could add all the cron files into a single wrapper script that runs on cron schedule

Fsantiago1979 2015-12-03 22:34:20 UTC #16

Using this method had worked until about a day or two ago after running "git pull" to update my official LE client; I know get this error upon a renewal attempt:

letsencrypt: error: agree-dev-preview set to 'True' rather than a value

what's going on now? is it related to the public beta or a client update or elsewhere? Thanks.

lordcris 2015-12-03 22:45:52 UTC #17

Don't use "agree-dev-preview".
It's deprecated

Fsantiago1979 2015-12-03 23:04:46 UTC #18

I thought about that and removed it from my cli.ini file but still receive the same exact error msg. my ini now consists of:

authenticator = webroot
webroot-path =

server = https://acme-v01.api.letsencrypt.org/directory
renew-by-default
email = postmaster@

and my sh script follows the above example.

eva2000 2015-12-03 23:43:03 UTC #19

should be

renew-by-default = True

Fsantiago1979 2015-12-03 23:44:19 UTC #20

made no difference; same error.

eva2000 2015-12-03 23:49:53 UTC #21

strange i am having no problems using webroot and renewal via webroot.ini see https://community.letsencrypt.org/t/lets-encypt-enters-public-beta/4993/19

contents of my /etc/letsencrypt/webroot.ini

# webroot.ini general config ini

rsa-key-size = 2048

# Always use the staging/testing server
#server = https://acme-staging.api.letsencrypt.org/directory

# for beta invitees
server = https://acme-v01.api.letsencrypt.org/directory

# Uncomment and update to register with the specified e-mail address
email = myemail

# Uncomment to use a text interface instead of ncurses
text = True
agree-tos = True
renew-by-default = True

authenticator = webroot

i define the webroot path on the command line

letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le12.http2ssl.xyz/public -d le12.http2ssl.xyz certonly