Will Let's Encrypt renew itself with the following crontab?

Hello

This is a follow-up question for the following topic: Wildcard SSL certificate with auto-renew.

It seemed that my local DNS-provider had a custom-made Bash-script which could be used in combination with Acme.sh to interact with their own DNS-API.

With the following command I successfully generated my Let's Encrypt certificate:

acme.sh --issue -d example.com -d *.example.com --dns dns_tigron

It generated a long output ending with:

[Tue 25 Jan 2022 03:04:45 AM CET] Your cert is in: /root/.acme.sh/example.com/example.com.cer
[Tue 25 Jan 2022 03:04:45 AM CET] Your cert key is in: /root/.acme.sh/example.com/example.com.key
[Tue 25 Jan 2022 03:04:45 AM CET] The intermediate CA cert is in: /root/.acme.sh/example.com/ca.cer
[Tue 25 Jan 2022 03:04:45 AM CET] And the full chain certs is there: /root/.acme.sh/example.com/fullchain.cer

And I linked it to my Nginx by adding the following lines to nginx.conf:

...
ssl_certificate /root/.acme.sh/example.com/fullchain.cer;
ssl_certificate_key /root/.acme.sh/example.com/example.com.key;
...

This works perfectly! My website is now accessible by HTTPS.

However, does this mean I never have to think about my SSL-certificate anymore? Or will there be problems in 60 days when the certificate is expired?

Acme.sh added the following to my cronjob:

6 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

Is that sufficient to automatically renew my SSL certificates?

It depends.
I'm not familiar with:

Was that a fully automated issuance?
Was it a one-time use or did it require any manual assistance?

Note that acme.sh defaults to the ZeroSSL CA nowadays, not Let's Encrypt.

You need to use the --install-cert with --reloadcmd parameter, so that it can reload/restart your nginx when renewal.

acme.sh --install-cert  -d example.com   --reloadcmd "service nginx force-reload"

That's not really much of an issue. I realized when I had to make a cert for a new subdomain. I issued the command. And then I waited. I waited a lot. I Ctrl-C'd the process. I issued the command again, with Let's Encrypt this time. I didn't wait. It was instant.

From experience I too have noticed a big difference in speed between the two ACME servers indeed.

The only 'manual' thing I had to do is making a global shell variable holding some token I had to make in the adminpanel of my DNS-provider.

Than I executed the command from my original post, and the certificate files were generated automatically.

Yeah I noticed. I got a timeout error using ZeroSSL. I executed the following command before issuing my certificates.

acme.sh --set-default-ca  --server  letsencrypt

Do I have to execute that command once on my VPS. Or do I have to put it in the cronjob manually?

That's a command you only run once per certificate. It does something very simple and very important, it tells acme.sh where to put your certificate and key, and what command to issue to make your webserver realize they've been renewed.

I say once per certificate because you might have more than one certificate on your server, for multiple subdomains using SAN, for example, or two certificates, RSA and ECC for the same domain.

the acme.sh help says, about a cronjob:

--install-cronjob
Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.

Okay. So I just need to do exactly what I did in my original post, put only add the --instal-cert and --reloadcmd "..."parameters to my command. I don't need to--issue` them again?

Or are issuing and installing different operations?

What is the difference between installing and issuing then?

Issue is actually making the certificate. It's an interaction between your client and Let's Encrypt servers.

Install happens completely on your server. It's just for your convenience and it copies your cert and key to some location on your machine where your webserver can read them, it can also reload the webserver to make it realize they've been renewed.

Talking about installing, please notice that acme.sh will not edit your nginx config to install the certificate, it will just copy the certificate and key and reload the service. You have to edit the configuration file for nginx yourself.

Sorry for my questions, and thank you for your patience. But I am not really following.

After executing this command acme.sh --issue -d example.com -d *.example.com --dns dns_tigron acme.sh automatically putted all the files for my certificate in /root/.acme.sh/example.com/. I manually edited my Nginx to link to those certificate-files.

My cronjob now contains the command to issue the certificates again, right? Wouldn't it be sufficient then to only add a command to restart nginx after the issuing then?

It's just for your convenience and it copies your cert and key to some location on your machine where your webserver can read them

Acme.sh does not have to move or copy the files to another location. Nginx can already find them.

it can also reload the webserver to make it realize they've been renewed.

This would be handy. Can I do that without Acme.sh moving/copying my certificate files?

It should call acme.sh and it will check if they need renewing, doing so if necessary.

You can check. crontab -l

You don't want to restart nginx, it will drop all active connections. You just need to reload it. Also, you only renew the certificate every two months, there is no point in reloading nginx twice a day because of this.

Yes, but it can be cleaner. You could put a copy of the certificate in /etc/nginx/ssl or someplace similar.

Yes, the command Neil gave you does exactly this. I was thinking of two more options, --fullchain-file and --key-file

Okay. So to summarize everything.
In the configuration I am now (working HTTPS and the situation described in my OP) the only command I have to execute is:

acme.sh --install-cert -d example.com --reloadcmd "service nginx force-reload"

And I am fine? I do not have to do the issuing again?

Have a look at the output of:
acme.sh --list

If the name(s) you need covered are listed, you don't need to reissue (an existing cert).
cron should run acme.sh to renew any expiring certs.

assuming the -d example.com part is correct, yes.

your cert is an RSA one, right? if you're using elliptic curves you need to add an --ecc option as well. (Probably not. What did you put for --keylength when you issued the certificate? If you didn't set one, ignore this paragraph.)

I don't know why "force-reload" instead of just "reload", actually.

Like @9peppe, I'm wondering why you'd do force-reload rather than just reload--in most environments, a reload will do what's needed. I don't know that force-reload would hurt anything, but I also don't think it'd be necessary.

Command I executed and it's output:

root@example:/home/example/.acme.sh# acme.sh --install-cert -d example.com -d *.example.com --reloadcmd "systemctl reload nginx"
[Sun 30 Jan 2022 03:46:38 AM CET] Run reload cmd: systemctl reload nginx
[Sun 30 Jan 2022 03:46:38 AM CET] Reload success
root@example:/home/example/.acme.sh#

crontab -l output:

6 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

acme.sh --list output:

Main_Domain  KeyLength  SAN_Domains  CA               Created                          Renew
example.com     ""         *.example.com   LetsEncrypt.org  Tue 25 Jan 2022 02:04:45 AM UTC  Sat 26 Mar 2022 02:04:45 AM UTC

Everything looks normal.