How to Auto-Renew Let's Encrypt SSL Certificates with certbot and crontab
This post shows how to set up automatic renewal of free SSL certificates from Let’s Encrypt using certbot and crontab.
First, check if the certbot command is installed.
$ which certbot
If you don’t have the certbot command, install it.
$ sudo apt-get -y install certbot
[sudo] password for admin:
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package certbot
If you get the E: Unable to locate package certbot error, add the certbot PPA with add-apt-repository ppa:certbot/certbot, update the package lists, and then try installing again.
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot
If this procedure still produces errors, please refer to:
to solve it.
The renewal command will be registered in the root user’s crontab, so test it manually under the same conditions first: become the root user, then run the command at the root prompt (#).
$ sudo su -
# /usr/bin/certbot renew --quiet --renew-hook "/bin/systemctl reload nginx"
After executing the command, let’s confirm that the Nginx process is running just in case.
$ systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2017-07-16 14:26:04 JST; 33s ago
Process: 9024 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
Process: 9062 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 9039 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 9072 (nginx)
Tasks: 2
Memory: 4.0M
CPU: 33ms
CGroup: /system.slice/nginx.service
├─9072 nginx: master process /usr/sbin/nginx -g daemon on; master_process on
└─9075 nginx: worker process
Let’s also confirm that the SSL certificate’s expiration date has moved to 90 days from now, just in case.
$ SSL_DOMAIN=yoursite.example.com
$ openssl s_client -connect $SSL_DOMAIN:443 < /dev/null 2> /dev/null | openssl x509 -text | grep 'Not After'
Not After : Oct 14 04:26:00 2017 GMT
Next, open the root user’s crontab for editing.
$ sudo crontab -e
Add the following crontab entry to renew the SSL certificate at 4:00 AM JST on the 1st of every month:
# At 4:00 am on the 1st every month (JST)
00 19 1 * * /usr/bin/certbot renew --nginx --renew-hook "/bin/systemctl reload nginx"
Let’s confirm it’s properly registered in crontab just in case.
$ sudo crontab -l
# At 4:00 am on the 1st every month (JST)
00 19 1 * * /usr/bin/certbot renew --nginx --renew-hook "/bin/systemctl reload nginx"
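By default certbot renew only replaces certificates that are within 30 days of expiry, so a monthly job leaves little slack if a single run fails, and it is worth monitoring the expiry date separately. The script below is an added example, not part of the original post: it automates the openssl check shown earlier and exits non-zero when fewer than WARN_DAYS days remain. It assumes GNU date and openssl; the function names and the WARN_DAYS threshold are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): warn before a certificate expires.
# Assumes GNU date and openssl. Function names and WARN_DAYS are illustrative.

WARN_DAYS=${WARN_DAYS:-20}

# Print the notAfter date of the certificate served by host $1 (port $2, default 443).
# -servername sends SNI so the certificate of the right virtual host is returned.
fetch_not_after() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# Whole days from "now" ($2, epoch seconds, default: current time) until date $1.
# The result is negative once the certificate has been expired for a day or more.
days_left() (
    expiry=$(date -u -d "$1" +%s 2>/dev/null) || exit 2
    now=${2:-$(date +%s)}
    echo $(( ($expiry - $now) / 86400 ))
)

# Exit status: 0 = enough time left, 1 = below WARN_DAYS or expired, 2 = no usable date.
check_expiry() (
    [ -n "$1" ] || { echo "UNKNOWN: no certificate date received" >&2; exit 2; }
    days=$(days_left "$1" "$2") || { echo "UNKNOWN: cannot parse '$1'" >&2; exit 2; }
    if [ "$days" -lt "$WARN_DAYS" ]; then
        echo "WARNING: certificate expires in $days days ($1)" >&2
        exit 1
    fi
    echo "OK: $days days left ($1)"
)

# Offline use with the date shown above: check_expiry "Oct 14 04:26:00 2017 GMT"
# Live check only when a hostname is given: sh check_cert.sh yoursite.example.com
if [ $# -ge 1 ]; then
    check_expiry "$(fetch_not_after "$1")"
fi
```

Run from cron more often than the renewal job, the non-zero exit status and the message on stderr can feed whatever alerting is already in place.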
I set up Let’s Encrypt SSL certificate auto-renewal midway through, but since I’m likely to forget and that’s scary, I recommend doing it from the beginning even though it’s troublesome.
That’s all from the Gemba where we wanted to auto-renew free SSL certificates from Let’s Encrypt.