Written on 20. Aug 2016, 11:54
I have been using SSL certificates issued and signed by Let's Encrypt for a few months now. These certificates are signed for free and are accepted by most modern internet browsers and other applications (even OwnCloud recognizes them), but there is one small impediment: the certificates are issued for three (3!) months and have to be renewed manually. In this article I describe how to perform automatic renewals using Cron and only a few gimmicks. I wrote a shell script that performs the renewal process. It is based on the following assumptions:
    #!/bin/sh

    # Path of the Lets Encrypt installation
    ledir=/home/jdoe/letsencrypt
    # Domain for SSL certificate
    domain=server.example.com
    # Email address to send emails to in case Lets Encrypt could not renew certificate
    email=joe.doe@example.com

    # Stop NGINX webserver (the standalone authenticator binds the web ports itself)
    sudo service nginx stop

    # Change to Lets Encrypt installation directory and request the certificate.
    # A failed cd is treated like a failed renewal, so NGINX is still restarted below.
    cd "$ledir" && ./letsencrypt-auto --standalone -d "$domain" certonly

    if [ $? -ne 0 ]
    then
        # Mail the tail of the Lets Encrypt log; printf is used because
        # "echo -e" is not portable under /bin/sh
        ERRORLOG=$(tail /var/log/letsencrypt/letsencrypt.log)
        printf 'The Lets Encrypt Cert has not been renewed!\n\n%s\n' "$ERRORLOG" | mail -s "Lets Encrypt Cert Alert" "$email"
    fi

    # Start NGINX webserver again
    sudo service nginx start

    exit 0

Don't forget to make the script executable:
    # chmod +x /etc/letsencrypt/le-renew.sh

Run the script manually to ensure that it is working:

    # /etc/letsencrypt/le-renew.sh

If it outputs the following text, you can be sure that the script is working:

    Requesting root privileges to run with virtualenv: /home/jdoe/.local/share/letsencrypt/bin/letsencrypt --standalone -d server.example.com certonly

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/server.example.com/fullchain.pem. Your cert will
       expire on 2016-06-23. To obtain a new version of the certificate in
       the future, simply run Let's Encrypt again.
     - If you like Let's Encrypt, please consider supporting our work by:

       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le

The SSL certificate was saved in /etc/letsencrypt/live/server.example.com/fullchain.pem and the webserver NGINX was restarted automatically. The last step now is to tell CRON that it should run the script every month:
    # crontab -e
    @monthly /etc/letsencrypt/le-renew.sh

Here you go! You have now configured your Linux machine to renew your SSL certificate every month. If the renewal fails, the script automatically sends an email to the address configured in le-renew.sh.

Sources: https://community.letsencrypt.org/t/how-to-automatically-renew-certificates/4393
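Because the renewal runs only once a month while the certificate lasts three months, an independent expiry check makes a failed or skipped run visible before the certificate lapses. The script below is an added example, not part of the original article; the name cert-check.sh, the 30-day threshold and the use of `openssl x509 -checkend` are assumptions.

```shell
#!/bin/sh
# cert-check.sh (hypothetical name): expiry monitor for the certificate that
# le-renew.sh renews. Added example, not from the original article.
# Assumed cron usage, e.g. daily:
#   cert-check.sh /etc/letsencrypt/live/server.example.com/fullchain.pem 30 joe.doe@example.com

# cert_status FILE DAYS
# Prints exactly one of:
#   OK        certificate is still valid DAYS days from now
#   EXPIRING  certificate expires (or has already expired) within DAYS days
#   MISSING   FILE is unreadable or is not a parseable PEM certificate
cert_status() {
    file=$1
    days=$2
    # A missing or corrupt file must not be reported as healthy
    if [ ! -r "$file" ] || ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo MISSING
        return 0
    fi
    # -checkend N exits 0 only if the certificate is still valid N seconds from now
    if openssl x509 -in "$file" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo OK
    else
        echo EXPIRING
    fi
}

# Main: runs only when called with FILE DAYS EMAIL, so the function above can
# also be sourced and tested on its own.
if [ "$#" -eq 3 ]; then
    status=$(cert_status "$1" "$2")
    if [ "$status" != OK ]; then
        # Include the notAfter line when the certificate can be parsed
        enddate=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null)
        printf 'Certificate %s is %s (threshold: %s days)\n%s\n' \
            "$1" "$status" "$2" "$enddate" |
            mail -s "Lets Encrypt Cert Alert" "$3"
    fi
fi
```

With a 30-day threshold, a renewal that has silently failed for two consecutive monthly runs triggers a mail while the old certificate is still valid.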
What is the content of this blog, you may ask? My name is Julian Joswig and I am a big fan of IT and technology (mainly Linux, servers, networks and all related topics). Sometimes I almost bite my teeth on difficult issues. But if I have found a solution, I want to share it with the world. Professionally, I work as a management consultant in Germany with a focus on IT and business.