Julian Joswig: IT Blog

Automatic renewal for Let's encrypt certificates

Written on 20. Aug 2016, 11:54

I have been using SSL certificates that were issued and signed by Let's Encrypt for a few months now. Besides the fact, that those SSL certificates are signed for free and accepted and known by most of modern internet browsers and other applications (even OwnCloud recognizes them), there is one smaller impediment: the certificates are issued for three (3!) months and have to be renewed manually. I will describe in this article, how to perform automatic renewals by using Cron and only a few gimmicks.  I wrote a shell script that performs the renewal process. It is based on the following assumptions:

  • The webserver used is NGINX
  • You use the standard path, where Let's Encrypt stores the SSL certificates, directly in your webserver configuration
Please find the shell script below. Copy it and store it in the following path: /etc/letsencrypt/le-renew.sh
# Path of the Lets Encrypt installation

# Domain for SSL certificate

# Email address to send emails to in case Lets Encrypt could not renew certificate

# Stop NGINX webserver
sudo service nginx stop

# Change to Lets Encrypt installation directory
cd $ledir
./letsencrypt-auto --standalone -d $domain certonly

if [ $? -ne 0 ]
ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log`
echo -e "The Lets Encrypt Cert has not been renewed! \n \n" $ERRORLOG | mail -s "Lets Encrypt Cert Alert" $email

# Start NGINX webserver again
sudo service nginx start

exit 0
Don't forget to make the script executable:
# chmod +x /etc/letsencrypt/le-renew.sh
Run the script manually to ensure that it is working:
# /etc/letsencrypt/le-renew.sh
If it outputs the following text, you can be sure that the script is working:
Requesting root privileges to run with virtualenv: /home/jdoe/.local/share/letsencrypt/bin/letsencrypt --standalone -d server.example.com certonly

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/server.example.com/fullchain.pem. Your
   cert will expire on 2016-06-23. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
The SSL certificate was saved in /etc/letsencrypt/live/server.example.com/fullchain.pem and the webserver NGINX was restarted automatically. The last step now is to tell CRON that it should run the script every month:
# crontab -e
@monthly /etc/letsencrypt/le-renew.sh
Here you go! Now you configured your Linux machine to renew your SSL certificate every month. In case it can't renew it, it will automatically send you an email to the email address configured in the script le-renew.sh. Sources: https://community.letsencrypt.org/t/how-to-automatically-renew-certificates/4393

Julian Joswig

Julian Joswig Facebook Julian Joswig LinkedIn Julian Joswig Twitter Julian Joswig XING

About this Blog

What is the content of this blog, you may ask? My name is Julian Joswig and I am a big fan of IT and technology (mainly Linux, servers, networks and all related topics). Sometimes I almost bite my teeth on difficult issues. But if I have found a solution, I want to share it with the world. Professionally, I work as a management consultant in Germany with a focus on IT and business.

Newest Articles:

Article Archive:

Twitter Timeline: