How to automatically renew certificates?

[Moderator’s note: This post is from 2015. Since then, the letsencrypt command has been renamed certbot, and you can renew by running “certbot renew”. You can also add that command to your crontab:

$ sudo crontab -e

# Add this to the crontab and save it:
* 7,19 * * * certbot -q renew



I created certificates using
letsencrypt -a webroot --webroot-path /var/common-le-root/ -d certonly
for some of my domains (actually I set the authenticator and webroot-path in cli.ini).

Running letsencrypt shows me that no installer is selected, letsencrypt certonly asks for domains as well as letsencrypt -i null (I’ve a script which runs after every letsencrypt run and checks whether services need to be restarted or not (based on the live certificates). Even setting renew-by-default did not changes anything.

How can I automate the renewal of issued certificates?

as far as I read it isnt implemented yet.

you could make some mods to the client and/or let it run as cron maybe that might help.

i put a multi script on root’s crontab, easy

An example:

crontab –e

@monthly /your_path/letsencrypt/letsencrypt-auto --config /etc/letsencrypt/cli.ini -d -d www. certonly && service apache2 reload

Content of cli.ini:
authenticator = webroot
webroot-path = /var/www/
server =
email =


i am doing the same as @mikeskril via webroot and cronjob for nginx web server


To be honest, I call the below script in crontab.

# Renew Let's Encrypt SSL cert

cd /opt/letsencrypt/
./letsencrypt-auto --config /etc/letsencrypt/cli.ini -d -d certonly
if [ $? -ne 0 ]
        ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log`
        echo -e "The Lets Encrypt Cert has not been renewed! \n \n" $ERRORLOG | mail -s "Lets Encrypt Cert Alert"
        service apache2 reload
exit 0

Sweet.. thanks for that, I borrowed your idea too now :smiley:

1 Like

@eva2000 i like your script, but… if it fail to rennovate at 60 day send a mail to EMAIL in /etc/letsencrypt/webroot.ini.
what about first use expirydate and then letencrypt?
maybe more failsafe , example :
-cron launch a scripit every 3 day .

  • in this script something like :
    if expirydate<15 rennovate ssl else nothing
    (or writesomewhere expirydate so not call openssl to check)
    have to fail 4 time before
    if expirydate <5 send mail
    an also try to rennovate 2 times before ssl exipres
1 Like

ah interesting idea so to keep checking number of days till expiry before triggering an actual auto renew :slight_smile:

cheers @Nemis

I changed my cron file routine for letsencrypt ssl certificate auto renewal to check certificate expiry date every 9 days and run auto renewal only if certificate expiry date is less than 30 days. This will ensure if auto renewal fails for some reason on either side, that there’s 29/9 = ~ 3 more chances for auto renewal of ssl certificate :slight_smile:


Why not check every day/run? :smile:

the cron log would get pretty messy if you had say 100 domain/sites with ssl and each having their own cron running every day that’s an extra 100 entries per day

for my cron there’s auto email notification of failed renewals so you’d have up to 4 email notification if all initial + subsequent 3 auto renewals failed.

Maybe there’s a way to get it all to a single cronjob. :confused:

suppose could add all the cron files into a single wrapper script that runs on cron schedule

1 Like

Using this method had worked until about a day or two ago after running “git pull” to update my official LE client; I know get this error upon a renewal attempt:

letsencrypt: error: agree-dev-preview set to ‘True’ rather than a value

what’s going on now? is it related to the public beta or a client update or elsewhere? Thanks.

Don't use "agree-dev-preview".
It's deprecated

I thought about that and removed it from my cli.ini file but still receive the same exact error msg. my ini now consists of:

authenticator = webroot
webroot-path =
server =
email = postmaster@

and my sh script follows the above example.

should be

renew-by-default = True

made no difference; same error.

strange i am having no problems using webroot and renewal via webroot.ini see Let's Encypt Enters Public Beta

contents of my /etc/letsencrypt/webroot.ini

# webroot.ini general config ini

rsa-key-size = 2048

# Always use the staging/testing server
#server =

# for beta invitees
server =

# Uncomment and update to register with the specified e-mail address
email = myemail

# Uncomment to use a text interface instead of ncurses
text = True
agree-tos = True
renew-by-default = True

authenticator = webroot

i define the webroot path on the command line

letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/ -d certonly