I wrote a blog post about my setup using the webroot method for renewals: https://www.bytopia.dk/blog/2015/11/09/automatic-renewal-of-lets-encrypt-issued-certificates/
Basically, I use the following script to renew every Let's Encrypt certificate that will expire within the next 4 weeks:
#!/bin/bash
# Stop with status 1 when the directory holding the live certificates is
# missing; nothing below can work without it.
[ -d /etc/letsencrypt/live ] || exit 1
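#######################################
# Request a certificate through the webroot authenticator.
# Arguments: $1 - one string of space-separated client arguments,
#                 e.g. "-d example.com -d www.example.com"
# Returns:   the exit status of the letsencrypt client
#
# NOTE(review): the client lives under /root, so this presumably runs as
# root; everything in $1 ends up on that command line. Callers should pass
# only names they have validated.
# NOTE(review): --agree-dev-preview and the acme-v01 endpoint match the 2015
# preview client; confirm them against the client version actually installed.
#######################################
function issueCert {
  (
    # $1 must be word-split into separate arguments, but it must not be
    # glob-expanded: a name containing *, ? or [ would otherwise be matched
    # against files in the current directory. The subshell keeps noglob from
    # leaking into the caller.
    set -f
    # shellcheck disable=SC2086 -- splitting is intentional, globbing is off
    /root/.local/share/letsencrypt/bin/letsencrypt certonly --renew-by-default --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory --authenticator webroot --webroot-path /var/www/acme $1
  )
}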
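# Renew every certificate under /etc/letsencrypt/live that expires within
# four weeks. Exit status: 0 when at least one certificate was renewed
# successfully, 1 otherwise (presumably so a caller can chain a web-server
# reload on success -- confirm against the cron entry).
exitcode=1

# Names read from the certificate are placed on the command line of the
# renewal client, so only plain host names are accepted: letters, digits,
# dots and hyphens, starting and ending with a letter or digit. This rejects
# anything beginning with '-' and any shell glob character. Wildcard names
# are rejected too; the webroot (HTTP-01) method cannot validate them.
hostname_re='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'

while IFS= read -r -d '' cert; do
  # -checkend returns 0 when the certificate is still valid N seconds from
  # now; those certificates need no action.
  if openssl x509 -noout -checkend $((4*7*86400)) -in "${cert}"; then
    continue
  fi

  # Extract the CN value. Both "CN=name" and "CN = name" are accepted because
  # the layout of the subject line differs between OpenSSL releases. The
  # prefix is stripped with sed: `tr -d 'CN='` would delete every C, N and =
  # character anywhere in the name, not just the prefix.
  subject="$(openssl x509 -noout -subject -in "${cert}" \
    | grep -o -E 'CN ?= ?[^ ,/]+' | head -n 1 | sed -E 's/^CN ?= ?//')"
  if [[ ! "${subject}" =~ ${hostname_re} ]]; then
    printf 'skipping %s: no usable CN in subject\n' "${cert}" >&2
    continue
  fi

  # The line after the SAN header holds the comma-separated entries.
  san_line="$(openssl x509 -noout -text -in "${cert}" \
    | sed -n '/X509v3 Subject Alternative Name/{n;p}' | sed 's/\s//g')"
  # read -a splits without pathname expansion, unlike an unquoted for-loop.
  IFS=',' read -r -a san_entries <<< "${san_line}"

  domains="-d ${subject}"
  valid=1
  for entry in "${san_entries[@]}"; do
    # Only DNS entries can be requested here; other SAN types are ignored.
    [[ "${entry}" == DNS:* ]] || continue
    # Strip the prefix only: `tr -d 'DNS:'` would also delete every D, N, S
    # and ':' inside the host name.
    name="${entry#DNS:}"
    [[ "${name}" == "${subject}" ]] && continue
    if [[ ! "${name}" =~ ${hostname_re} ]]; then
      # Skip the whole certificate rather than silently renewing it with a
      # name missing.
      printf 'skipping %s: unsupported SAN entry %s\n' "${cert}" "${name}" >&2
      valid=0
      break
    fi
    domains="${domains} -d ${name}"
  done
  (( valid )) || continue

  # stdin is redirected so the client cannot consume the path list that
  # feeds this loop. Only a successful renewal counts towards exit status 0.
  if issueCert "${domains}" < /dev/null; then
    exitcode=0
  else
    printf 'renewal failed for %s\n' "${subject}" >&2
  fi
done < <(find /etc/letsencrypt/live -name cert.pem -print0)

exit "${exitcode}"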