Flawless Certbot Renewals (Lets Encrypt Certificate Renewals) using CRON

Almost daily on the Let’s Encrypt Community Forums I see people having problems with certbot renewals using cron. I kept finding myself posting the same solution over and over again, so I thought I had better write it up here instead.

You never want an SSL certificate to expire on you: when it does it can cause untold problems, so a proper automated renewal process is essential, and it really is not rocket science.

To achieve flawless automated certbot renewals using cron, all you need to do is the following:

Create a bash script called certbotrenew.sh:

sudo nano /bin/certbotrenew.sh

This opens the nano text editor with a blank page.

Paste the contents below into the file and change the email address to your own valid email address:

#!/bin/bash
cd /opt/certbot || exit 1
# -q keeps certbot silent unless there is something to report; capture stderr too, because that is where errors go
sudo ./certbot-auto renew --renew-hook "service nginx reload" -q >> /var/log/certbot-renew.log 2>&1
# mail the log so renewals and errors reach you
mail -s "CERTBOT Renewals" me@myemail.com < /var/log/certbot-renew.log
exit 0

Then press CTRL+X, then Y and ENTER to save the file.

The example above does a renewal attempt using the -q flag, which silences all output unless a renewal occurs or the certbot client updates itself during the renewal process. It also makes use of a new flag called --renew-hook which, in this example, reloads my nginx web server if and only if a renewal occurred.

Now make the bash script executable:

sudo chmod +x /bin/certbotrenew.sh

Now make the script run daily using cron:

sudo crontab -e

Paste the following line at the bottom of the crontab file:

00 20 * * * /bin/certbotrenew.sh

Press CTRL+X, then Y and ENTER to install the new cron job.

Your server will now run the certbot renewal checks every day at 8pm and email you the log file so you can see any errors or renewals that were done.

Can I run multiple --renew-hook flags?

Yes indeed, you can use multiple --renew-hook flags. In this next example I tell certbot to reload multiple services if a renewal occurred; in this case Postfix, Dovecot and Apache are reloaded or restarted.

#!/bin/bash
cd /opt/certbot || exit 1
# each --renew-hook runs only if a certificate was actually renewed
sudo ./certbot-auto renew --renew-hook "service postfix reload" --renew-hook "service dovecot restart" --renew-hook "service apache2 reload" -q >> /var/log/certbot-renew.log 2>&1
mail -s "CERTBOT Renewals" me@myemail.com < /var/log/certbot-renew.log
exit 0

What about other new hooks like --pre-hook and --post-hook?

Certbot also introduced new flags called --pre-hook and --post-hook. These flags let you take total control of your services and your renewal scripts. For instance, if you wanted to, you could tell certbot to first stop Apache / Nginx before it renews using:

--pre-hook "service nginx stop"

then do your renewals and then bring it back online with a --post-hook on the same command line:

--post-hook "service nginx restart"

I personally find --renew-hook suits my needs, but the sky is the limit now for anyone wanting to do any advanced kind of scripting with renewals, as it’s all built into certbot itself.
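Pulling the cron script and the hook discussion together, here is an added example (not the post's own script) of a renewal wrapper that records every run with a timestamp and exit status, captures stderr (where certbot -q reports errors) and only emails when a renewal, self-update or error actually happened. It assumes certbot is on PATH (set CERTBOT=/opt/certbot/certbot-auto if that is what you use), util-linux flock, a working mail command and root's crontab; the functions are hypothetical names chosen here.

```shell
#!/bin/bash
# Added example, not the original post's script. Install as /bin/certbotrenew.sh and
# schedule with:  00 20 * * * /bin/certbotrenew.sh run
# Assumptions: "certbot" on PATH (or CERTBOT=/opt/certbot/certbot-auto), util-linux
# flock, a working "mail" command, root's crontab.
set -u
CERTBOT="${CERTBOT:-certbot}"
LOG="${LOG:-/var/log/certbot-renew.log}"
RECIPIENT="${RECIPIENT:-me@myemail.com}"   # change to your own address
LOCK="${LOCK:-/run/certbot-renew.lock}"

# run_logged LOG CMD...: run CMD with stdout+stderr captured, append a timestamped
# record (exit status, then any output) to LOG, echo the output, return CMD's status.
run_logged() {
    local log="$1"; shift
    local output rc
    output=$("$@" 2>&1); rc=$?
    {
        printf '%s exit=%d\n' "$(date '+%F %T')" "$rc"
        if [ -n "$output" ]; then printf '%s\n' "$output"; fi
    } >> "$log"
    printf '%s' "$output"
    return "$rc"
}

# needs_notice RC OUTPUT: true when the run failed or certbot printed anything; with -q
# that means a renewal, a client self-update or an error, so silence is "nothing to do".
needs_notice() {
    [ "$1" -ne 0 ] || [ -n "$2" ]
}

main() {
    local output rc
    rc=0
    # flock -n refuses to start if a previous run is still holding the lock.
    output=$(run_logged "$LOG" flock -n "$LOCK" "$CERTBOT" renew -q \
        --renew-hook "service nginx reload") || rc=$?
    if needs_notice "$rc" "$output"; then
        printf 'exit status: %s\n%s\n' "$rc" "$output" \
            | mail -s "CERTBOT renewals on $(hostname)" "$RECIPIENT"
    fi
    return "$rc"
}

# Only act when invoked with "run", so the functions can be sourced and tested on their own.
case "${1:-}" in run) main ;; esac
```

Because the log keeps a line per run even when nothing was renewed, you can also see at a glance that cron really did fire every day.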

Simple, Flawless and Peace of Mind

Here’s to an SSL filled internet in 2017 😉

8 thoughts on “Certbot Renewals Flawlessly using CRON (Lets Encrypt)”

  1. Hein Saris says:

    Hi,

    You can use --post-hook (make sure you have a recent version of certbot installed) to only reload nginx if at least one of the certificates has been renewed. Also, instead of adding an entry via crontab, you can put the script inside the /etc/cron.daily/ directory (at least on Ubuntu). I have mine in cron.weekly since the certificates are renewed if they are less than 30 days valid. But doing it every day is not a problem of course.

  2. just tryin says:

    Thanks for such a helpful post. I’ve used it with a slightly modified script to only email me when either an error or a renewal occurs. I’m sure there is a more eloquent way of doing this but just in case it helps someone:

    #!/bin/bash

    # capture stdout and stderr: with --quiet certbot only prints when it renewed or hit an error
    VAR=$(sudo certbot renew --quiet --renew-hook "service apache2 reload" 2>&1)

    if [ -n "$VAR" ]; then
        # Renewed or error
        echo "$VAR" >> /var/log/certbot-renew.log
        mail -s "CERTBOT Renewals" root < /var/log/certbot-renew.log
    fi

    exit 0

    • Ubuntu Man says:

      Thanks Wesley and I agree some error methodology is much needed. I will test this out and update original post accordingly. Glad it helped you and thanks for helping to improve on it.
