Certbot: auto-renew LetsEncrypt certificate on cron

Certificate renewal can be difficult to automate, and a renewal that silently fails ends with the browser marking the website as “Insecure”.

Before continuing, make sure you do not already have the /etc/cron.d/certbot file, by running:

less /etc/cron.d/certbot

If a crontab appears, you already have automatic renewal enabled through a certbot plugin such as nginx or apache (the preferred method), and you shouldn’t do anything.

The following applies to the standalone method, a small webserver bundled with certbot that listens on port 80, on systems without any existing auto-renew cron script. It’s very useful when no plugin exists for your webserver, as with haproxy.

In this case, here’s how to automate certificate renewal with nginx as the webserver:

sudo nano /etc/cron.d/certbot-custom

Then add these lines to the file (in vi, press A to start editing):

37 02 * * * root certbot -q renew --pre-hook="systemctl stop nginx" --post-hook="systemctl start nginx"

The root before certbot is the user that will run the command.

Every day at 02:37 a certificate renewal will be attempted in quiet mode, so the root mailbox is not spammed with output; this is especially useful if system mail on Linux is delivered through an external SMTP server.

After you’ve typed these lines, type (in vi):

:wq

to write and quit. The /etc/cron.d/certbot-custom file is easier to find and maintain than a crontab -e entry, but crontab -e is a valid method too. If you use crontab -e, run it as root and do not add root after the last *.

To exactly mimic the cron job shipped with the certbot package, change the line in the /etc/cron.d/certbot-custom file to:

37 02 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --pre-hook="systemctl stop nginx" --post-hook="systemctl start nginx"

Before running, the line checks that /usr/bin/certbot exists and is executable and that systemd is not running (the packaged cron job is meant for systems without systemd, where a systemd timer drives the renewal instead; on a systemd-based system this line therefore never runs certbot), then sleeps a random time of up to 12 hours (43200 seconds) before renewing. If your webserver requires additional commands, create a script to be executed in --post-hook.
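As an added example (not part of the original post), here is such a --post-hook script for haproxy, which has no certbot plugin and wants the chain and the private key in one PEM file; the paths, the certbot-deploy.sh name and the haproxy service name are assumptions:

```shell
#!/bin/sh
# Added example, not from the original post: a --post-hook script for a
# webserver that has no certbot plugin (haproxy wants the full chain and the
# private key concatenated into a single PEM). All paths and the service
# name below are assumptions; adjust them to your setup. Cron line:
#   37 02 * * * root certbot -q renew --pre-hook="systemctl stop haproxy" \
#     --post-hook="/usr/local/sbin/certbot-deploy.sh /etc/letsencrypt/live/example.com /etc/haproxy/certs/example.com.pem"
set -eu

# Concatenate fullchain.pem and privkey.pem from a certbot "live" directory
# ($1) into one combined PEM ($2) that only root can read. The file is built
# under a temporary name in the destination directory and renamed into place,
# so the webserver never loads a half-written key.
deploy_combined_pem() {
    live_dir="$1"
    dest="$2"
    for f in fullchain.pem privkey.pem; do
        [ -r "$live_dir/$f" ] || { echo "missing $live_dir/$f" >&2; return 1; }
    done
    tmpfile=$(mktemp "$dest.XXXXXX")
    chmod 0600 "$tmpfile"                 # private key: owner read/write only
    cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$tmpfile"
    mv -f "$tmpfile" "$dest"
}

# Bring the webserver back after the standalone renewal stopped it in the
# --pre-hook. RELOAD_CMD can be overridden (e.g. "systemctl reload haproxy"
# when the pre-hook did not stop the service, or "true" in a test).
reload_webserver() {
    ${RELOAD_CMD:-systemctl start haproxy}
}

# With the two paths given (as the cron line above does) deploy and restart.
# A wrong argument count is an error, so a typo in the cron line makes
# certbot report the hook failure instead of silently skipping the deploy.
# With no arguments only the functions are defined (useful when sourcing).
if [ $# -eq 2 ]; then
    deploy_combined_pem "$1" "$2"
    reload_webserver
elif [ $# -ne 0 ]; then
    echo "usage: $0 LIVE_DIR DEST_PEM" >&2
    exit 2
fi
```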

Other Linux distributions

If you’re using a different Linux distribution, you can locate certbot with the following command:

whereis certbot

and then use that path in the crontab.

You also have to use your system’s equivalent of systemctl to restart the webserver so it picks up the renewed certificates.

If you still have to get your first certificate, here you can find more information about how to install free Let’s Encrypt certificates on nginx.

When to auto-renew certificates

Since certificates last about three months, you can tell cron to run this every week instead of every day.

Putting 0 in the 5th position tells cron to run the command every Sunday at 2 AM (2nd position) and 37 minutes (1st position).

If you find this syntax difficult, you can use crontab.guru to generate the crontab line.

Updated on August 16th, 2019


2 thoughts on “Certbot: auto-renew LetsEncrypt certificate on cron”

  1. 37 02 * * 0 /usr/local/sbin/certbot-auto renew
    39 02 * * 0 /usr/bin/systemctl reload nginx
    srsly? 😀
    how about
    0 0 2 * * root /usr/local/sbin/certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start"

    • Hi mars, thank you for your comment. Since the article was outdated, I’ve updated it with the methods I use right now, changing from certbot-auto (it doesn’t exist anymore) to certbot with the quiet option.

      Some notes on your cron line:
      1) Your cron will be executed one day a month; it’s better to check one day every week, or more frequently if something goes wrong (and to avoid receiving the 20-days-before-expiry mail from Let’s Encrypt)
      2) service is outdated (now it is an alias), you should use systemctl instead (like the cron.d provided by certbot does)
      3) midnight is usually very packed and should be avoided
      4) your cron is in the cron.d format, not in crontab -e. However, it is very maintainable compared to crontab -e, so I switched the howto to a custom cron.d instead of crontab -e.

      A detailed howto, which was already updated, is online if you are interested:
      https://chirale.org/2017/02/27/free-ssl-certificates-and-how-to-install-on-nginx-in-10-steps/

      Have a nice day and thank you for reading.
