Is this a stupid way of using systemd/python to automatically renew expiriging letsencrypt certificates

My plan is to use systemd’s timers to monthly check expiring certs and renew them. Here are my files:


Description=Check monthly for which certs are expiring and renew them




Description=Renew the Let's Encrypt TLS certificates for expiring domains



#!/usr/bin/env python3

import glob
from datetime import datetime
import re
from  subprocess import Popen, PIPE, STDOUT, call

restart = False
certs = glob.glob('/etc/letsencrypt/live/*/fullchain.pem')
now =
search = re.compile('DNS:([a-z\.]*)')
for cert in certs:
    expires = call(['openssl', 'x509', '-in', cert, '-checkend', '2592000'])
    if expires:
        p2 = Popen('openssl x509 -in ' + cert + ' -text -noout', shell=True, stdin=PIPE, stdout=PIPE, stderr=STDOUT, close_fds=True)
        certText ="utf-8")
        domains = search.findall(certText)
        domainArgs = ''
        for domain in domains:
            domainArgs = domainArgs + ' -d ' + domain
        command = './letsencrypt-auto --renew certonly --agree-tos --server --webroot --webroot-path=/etc/letsencrypt/webroot' + domainArgs
        success = call(command, shell=True)
        if success == 0:
            print('Certificates updated')
            restart = True
            print('Lets Encrypt was unsuccesful')
if restart == True:
    call(['systemctl', 'restart', 'nginx'])

I’m wondering if I can make the letsencrypt.service file restart nginx depending on the exit code of my python script? But systemd’s documentation seems spread across several sources.

systemd’s stand here is that if you need more complex logic you should wrap it into a shellscript or similar. So just let your python script run systemctl reload nginx?

Btw Unit= is only needed when the name differs, foo.timer will start foo.service by default.

So I should leave the restarting of nginx (if the certs have been updated) in the python script?

Yes, sorry was editing my reply a bit to clarify that point