How to automatically renew certificates?


#1

[Moderator’s note: This post is from 2015. Since then, the letsencrypt command has been renamed certbot, and you can renew by running “certbot renew”. You can also add that command to your crontab:

$ sudo crontab -e

# Add this to the crontab and save it (runs at 07:00 and 19:00):
0 7,19 * * * certbot -q renew

]


Hi,

I created certificates using
letsencrypt -a webroot --webroot-path /var/common-le-root/ -d example.com certonly
for some of my domains (actually I set the authenticator and webroot-path in cli.ini).

Running letsencrypt shows me that no installer is selected; letsencrypt certonly asks for domains, as does letsencrypt -i null (I have a script which runs after every letsencrypt run and checks whether services need to be restarted or not, based on the live certificates). Even setting renew-by-default did not change anything.

How can I automate the renewal of issued certificates?


#2

As far as I read, it isn't implemented yet.

you could make some mods to the client and/or let it run as cron maybe that might help.


#3

i put a multi script on root’s crontab, easy


#4

An example:

crontab -e

@monthly /your_path/letsencrypt/letsencrypt-auto --config /etc/letsencrypt/cli.ini -d yourdomain.com -d www.yourdomain.com certonly && service apache2 reload

Content of cli.ini:
authenticator = webroot
webroot-path = /var/www/
server = https://acme-v01.api.letsencrypt.org/directory
renew-by-default
agree-dev-preview
agree-tos
email = postmaster@yourdomain.com


#5

i am doing the same as @mikeskril via webroot and cronjob for nginx web server http://centminmod.com/letsencrypt-freessl.html#autorenew


#7

To be honest, I call the below script in crontab.

#!/bin/bash
# Renew Let's Encrypt SSL cert

cd /opt/letsencrypt/ || exit 1
./letsencrypt-auto --config /etc/letsencrypt/cli.ini -d yourdomain.com -d www.yourdomain.com certonly

if [ $? -ne 0 ]
then
        # Mail the tail of the client log so the failure reason is in the alert
        ERRORLOG=$(tail /var/log/letsencrypt/letsencrypt.log)
        echo -e "The Lets Encrypt Cert has not been renewed! \n \n$ERRORLOG" | mail -s "Lets Encrypt Cert Alert" postmaster@yourdomain.com
else
        service apache2 reload
fi

exit 0

#8

Sweet… thanks for that, I borrowed your idea too now https://community.centminmod.com/posts/20800/ :smiley:


#9

@eva2000 I like your script, but… if it fails to renew at 60 days it sends a mail to EMAIL in /etc/letsencrypt/webroot.ini.
What about first using the expiry date and then letsencrypt?
Maybe more failsafe, example:
- cron launches a script every 3 days.
- in this script something like:
  if expirydate < 15, renew SSL, else nothing
  (or write the expirydate somewhere so we don't need to call openssl to check)
  it would have to fail 4 times before
  if expirydate < 5, send mail
  and also try to renew 2 times before the SSL expires

#10

ah interesting idea so to keep checking number of days till expiry before triggering an actual auto renew :slight_smile:


#11

cheers @Nemis

I changed my cron file routine for letsencrypt ssl certificate auto renewal to check certificate expiry date every 9 days and run auto renewal only if certificate expiry date is less than 30 days. This will ensure if auto renewal fails for some reason on either side, that there’s 29/9 = ~ 3 more chances for auto renewal of ssl certificate :slight_smile:
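The expiry-gated approach sketched in posts #9 and #11 (only attempt a renewal when the certificate is close to expiry, and only raise an alert when a failed attempt leaves little time), written out as a small POSIX shell script. This is an added example, not the script from the thread or from Let's Encrypt; it assumes GNU date for parsing the openssl output, the modern certbot renew command from the moderator's note, and placeholder values for the certificate path, thresholds, mail address and the apache2 reload:

```shell
#!/bin/sh
# Added example: renew a Let's Encrypt certificate only when it is close to
# expiry, and alert by mail only when a failed attempt leaves few days.
# All paths, thresholds and the mail address are placeholders (assumptions).

CERT="${CERT:-/etc/letsencrypt/live/example.com/cert.pem}"   # placeholder path
RENEW_BELOW_DAYS="${RENEW_BELOW_DAYS:-30}"                   # try to renew under 30 days
ALERT_BELOW_DAYS="${ALERT_BELOW_DAYS:-10}"                   # mail on failure under 10 days
ADMIN_MAIL="${ADMIN_MAIL:-postmaster@example.com}"           # placeholder address
LE_LOG="${LE_LOG:-/var/log/letsencrypt/letsencrypt.log}"     # client log to quote in alerts

# enddate_to_epoch: turn the date text after "notAfter=" (as printed by
# "openssl x509 -enddate") into a Unix timestamp. Requires GNU date.
enddate_to_epoch() {
    date -u -d "$1" +%s
}

# days_between END_EPOCH NOW_EPOCH: whole days remaining; negative once expired.
days_between() {
    echo $(( ($1 - $2) / 86400 ))
}

# plan_action DAYS_LEFT RENEW_BELOW ALERT_BELOW: prints one of
#   skip          - plenty of time, do nothing (keeps cron logs quiet, post #13)
#   renew         - attempt renewal, stay silent on failure (more runs will follow)
#   renew-urgent  - attempt renewal, mail the admin if it fails
plan_action() {
    if [ "$1" -ge "$2" ]; then
        echo skip
    elif [ "$1" -lt "$3" ]; then
        echo renew-urgent
    else
        echo renew
    fi
}

# cert_days_left CERT_FILE: read the expiry date from the certificate on disk.
cert_days_left() {
    not_after=$(openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//') || return 1
    days_between "$(enddate_to_epoch "$not_after")" "$(date -u +%s)"
}

main() {
    days=$(cert_days_left "$CERT") || { echo "cannot read $CERT" >&2; exit 1; }
    action=$(plan_action "$days" "$RENEW_BELOW_DAYS" "$ALERT_BELOW_DAYS")
    [ "$action" = skip ] && exit 0

    # certbot renew only touches certificates that are actually due; -q keeps
    # cron mail quiet on success.
    if certbot -q renew; then
        service apache2 reload   # placeholder: reload whatever serves the certificate
        exit 0
    fi
    if [ "$action" = renew-urgent ]; then
        { echo "Renewal of $CERT failed with $days day(s) left. Log tail:"; echo
          tail -n 20 "$LE_LOG"; } | mail -s "Let's Encrypt renewal failing" "$ADMIN_MAIL"
    fi
    exit 1
}

# Only run the check when invoked with "run" (e.g. from cron); without it the
# file just defines the functions, so they can be sourced and tested.
if [ "${1:-}" = run ]; then
    main
fi
```

A crontab line such as `0 3 */9 * * /usr/local/sbin/le-expiry-check.sh run` (placeholder path) gives roughly the nine-day cadence from post #11; with a 30-day renewal threshold that still leaves about three attempts before expiry, and the `skip` branch means a site whose certificate is not yet due produces no log line or mail at all.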


#12

Why not check every day/run? :smile:


#13

the cron log would get pretty messy if you had say 100 domain/sites with ssl and each having their own cron running every day that’s an extra 100 entries per day

for my cron there’s auto email notification of failed renewals so you’d have up to 4 email notification if all initial + subsequent 3 auto renewals failed.


#14

Maybe there’s a way to get it all to a single cronjob. :confused:


#15

suppose could add all the cron files into a single wrapper script that runs on cron schedule


#16

Using this method had worked until about a day or two ago, after running “git pull” to update my official LE client; I now get this error upon a renewal attempt:

letsencrypt: error: agree-dev-preview set to ‘True’ rather than a value

what’s going on now? is it related to the public beta or a client update or elsewhere? Thanks.


#17

Don’t use “agree-dev-preview”.
It’s deprecated


#18

I thought about that and removed it from my cli.ini file but still receive the same exact error msg. my ini now consists of:

authenticator = webroot
webroot-path =
server = https://acme-v01.api.letsencrypt.org/directory
renew-by-default
email = postmaster@

and my sh script follows the above example.


#19

should be

renew-by-default = True

#20

made no difference; same error.


#21

Strange, I am having no problems using webroot and renewal via webroot.ini, see Let's Encrypt Enters Public Beta

contents of my /etc/letsencrypt/webroot.ini

# webroot.ini general config ini

rsa-key-size = 2048

# Always use the staging/testing server
#server = https://acme-staging.api.letsencrypt.org/directory

# for beta invitees
server = https://acme-v01.api.letsencrypt.org/directory

# Uncomment and update to register with the specified e-mail address
email = myemail

# Uncomment to use a text interface instead of ncurses
text = True
agree-tos = True
renew-by-default = True

authenticator = webroot

i define the webroot path on the command line

letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le12.http2ssl.xyz/public -d le12.http2ssl.xyz certonly