
AWS Ubuntu 14.04 Image: add CRON job to renew Let’s Encrypt certificate on Apache

Let’s Encrypt has become ubiquitous. I’ve been using it for quite a while now and have been happily renewing when the reminder email comes in every 75 days. Well, I’m tired of that now. I know that because I seem to wait longer and longer before renewing (sometimes waiting until the last day). Time to automate!

Some people report that newer images of Ubuntu set up cron for you. Maybe my image predates that, but that wasn’t the case for me. My initial image was 14.04.5 LTS. It’s not difficult to schedule cron to do it for me though.

First, check the certificate’s expiry time to verify the current due date. That will let us tell that the renewal worked once the dates change:

Edit your cron file:

Add a new entry:

This schedules the certbot-auto command to attempt a renewal at 3:45 and 9:45 each day. The certbot-auto command will determine whether it is time to renew. If not, then nothing happens – no call is made to Let’s Encrypt servers. If it is getting near renewal time (within 30 days), then it will do the typical renewal for us.

In my entry, the Apache restart is not triggered – the restart is unnecessary, since the new certificate is symlinked in the Apache site config file.

After the scheduled task has run once, check the new certificate’s validity dates with the same openssl command:
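One way to script that verification, as an added example rather than the author's own command: it reads the on-disk certificate's expiry, tests the 30-day renewal window described above, and compares the on-disk certificate with the one the running Apache actually presents. The function names are hypothetical, and the certificate path and host name you pass in are your own (for certbot, typically a `cert.pem` under `/etc/letsencrypt/live/`, which is an assumption about your layout).

```shell
#!/usr/bin/env bash
# Added example: verify a Let's Encrypt renewal on disk and on the wire.
# Certificate path and host are supplied by the caller (assumptions, not from the post).

# Print the certificate's notAfter date, e.g. "Mar  1 12:00:00 2030 GMT".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Print the SHA-256 fingerprint, which changes whenever a new cert is issued.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed (exit 0) if the certificate expires within N days.
# `openssl x509 -checkend S` exits 0 when the cert is still valid S seconds from now.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeed if two PEM files hold the same certificate.
same_cert() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Save the leaf certificate a running server presents on HOST:PORT to OUTFILE.
fetch_served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -out "$3"
}

# Report on-disk expiry and whether the web server is serving that same file.
check_renewal() {
    local cert="$1" host="$2" served
    served="$(mktemp)"
    echo "on-disk notAfter: $(cert_not_after "$cert")"
    cert_expires_within "$cert" 30 && echo "inside the 30-day renewal window"
    if fetch_served_cert "$host" 443 "$served" && same_cert "$cert" "$served"; then
        echo "server is presenting the on-disk certificate"
    else
        echo "server is NOT presenting the on-disk certificate"
    fi
    rm -f "$served"
}

# Run only when invoked with arguments: ./check.sh CERT_FILE HOST
if [ "$#" -eq 2 ]; then check_renewal "$1" "$2"; fi
```

If the last line of output says the server is not presenting the on-disk certificate, the renewed file exists but the running web server has not loaded it yet.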

Let’s Encrypt logs the actions it takes, which you may find useful:
