Let’s Encrypt has become ubiquitous. I’ve been using it for quite a while now and have been happily renewing when the reminder email comes in every 75 days. Well, I’m tired of that now. I know that because I seem to wait longer and longer before doing the renewal (sometimes waiting until the last day). Time to automate!
Some people report that newer images of Ubuntu set up cron for you. Maybe my image predates that, but that wasn’t the case for me. My initial image was 14.04.5 LTS. It’s not difficult to schedule cron to do it for me though.
First, check the certificate’s expiry time to verify the current due date. That will let us tell that the renewal works when the dates change:
# Check expiration of the current certificate; replace foo.com with your domain
notBefore=Jul 11 02:28:20 2018 GMT
notAfter=Sep 10 02:28:20 2018 GMT
Edit your cron file:
sudo crontab -e
Add a new entry:
45 3,9 * * * /home/ubuntu/certbot-auto renew
This schedules the certbot-auto command to attempt a renewal at 3:45 and 9:45 each day. The certbot-auto command will determine if it is time to renew. If not, then nothing happens – no call is made to Let’s Encrypt servers. If it is getting near renewal time (within 30 days), then it will do the typical renewal for us.
In my entry, the Apache restart is not triggered – the restart is unnecessary, since the new certificate is symlinked in the Apache site config file.
After the scheduled task has run once, check the new certificate’s validity dates with the same command:
sudo openssl x509 -noout -dates -in /etc/letsencrypt/live/foo.com/cert.pem
Let’s Encrypt logs the actions it takes, which you may find useful:
sudo tail /var/log/letsencrypt/letsencrypt.log
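To confirm over time that the scheduled renewal keeps working, the dates check above can be scripted. The following is an added example, not part of the original post: it parses the `openssl x509 -noout -dates` output and reports where the certificate sits relative to the 30-day renewal window. The function names are hypothetical, the sample input is constructed from the output shown earlier, and GNU date (as shipped on Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example (not from the original post). Requires GNU date, as on Ubuntu.
# Real use:
#   renewal_status "$(sudo openssl x509 -noout -dates -in /etc/letsencrypt/live/foo.com/cert.pem)"

WINDOW_DAYS=30   # renewal window stated in the post

# Constructed sample: the -dates output shown in the post.
SAMPLE_DATES='notBefore=Jul 11 02:28:20 2018 GMT
notAfter=Sep 10 02:28:20 2018 GMT'

# seconds_left DATES_TEXT [NOW_EPOCH]
# Prints seconds until notAfter (zero or negative once expired).
seconds_left() {
    not_after=$(printf '%s\n' "$1" | sed -n 's/^notAfter=//p')
    [ -n "$not_after" ] || return 2
    end=$(date -u -d "$not_after" +%s 2>/dev/null) || return 2
    now=${2:-$(date -u +%s)}
    echo $((end - now))
}

# renewal_status DATES_TEXT [NOW_EPOCH]
# ok      = outside the window, certbot-auto renew does nothing
# due     = inside the window; the next cron run should renew. Seeing this
#           for more than a day means the scheduled renewal is failing.
# expired = notAfter has passed
# unknown = input did not contain a parseable notAfter line
renewal_status() {
    secs=$(seconds_left "$1" "$2") || { echo unknown; return 2; }
    if [ "$secs" -le 0 ]; then
        echo expired
    elif [ "$secs" -lt $((${WINDOW_DAYS} * 86400)) ]; then
        echo due
    else
        echo ok
    fi
}

# Demo on the constructed sample at a constructed "now" inside the window.
demo_now=$(date -u -d '2018-08-20 00:00:00 UTC' +%s)
echo "sample certificate on 2018-08-20: $(renewal_status "$SAMPLE_DATES" "$demo_now")"
```

Because the cron entry runs twice a day, a certificate that stays in the "due" state across several runs is the signal to look at /var/log/letsencrypt/letsencrypt.log.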