Almost daily on the Let’s Encrypt Community Forums I see people having problems with certbot renewals using cron. I find myself posting the same solution over and over again, so I thought I had better write it up as a post here.
You never want an SSL certificate to expire on you; when it does it can cause untold problems, so having a proper automated renewal process is essential, and it really is not rocket science.
To achieve flawless automated certbot renewals using cron, all you need to do is the following:
Create a bash script called certbotrenew.sh
sudo nano /bin/certbotrenew.sh
This opens the nano text editor with a blank file.
Paste the contents below into the file and change the email address to your own valid email address:
#!/bin/bash
# Run the renewal check from the certbot directory and append its output
# (stderr included, so errors are captured too) to the log file
cd /opt/certbot || exit 1
sudo ./certbot-auto renew --renew-hook "service nginx reload" -q >> /var/log/certbot-renew.log 2>&1
# Mail the log file only after the renewal run has finished
mail -s "CERTBOT Renewals" email@example.com < /var/log/certbot-renew.log
exit 0
Then press CTRL+X, then Y and ENTER to save the file.
The example above does a renewal attempt using the -q flag, which silences all output unless a renewal occurs or the certbot client updates itself during the renewal process. It also makes use of a new flag called --renew-hook which, in this example, reloads my nginx web server if and only if a renewal occurred.
Now make the bash script executable:
sudo chmod +x /bin/certbotrenew.sh
Now make the script run daily using cron:
sudo crontab -e
Paste the following line at the bottom of the crontab file:
00 20 * * * /bin/certbotrenew.sh
Press CTRL+X, then Y and ENTER to install the new cron job.
Your server will now run the certbot renewal check every day at 8pm and email you the log file so you can see any errors or renewals that were done.
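As an added example (not the author's script), here is a variant of certbotrenew.sh that keeps the same log-and-mail approach but captures only the current run's output and mails it only when certbot actually printed something or exited non-zero, so a quiet successful day sends no mail and a failed run is never missed. The log path, the address and the certbot invocation are assumptions taken from the post.

```bash
#!/bin/bash
# Added example, not the author's script. Same log-and-mail idea, but it
# keeps only this run's output and mails it only when certbot printed
# something or exited non-zero, so a quiet successful day sends no mail.
# Paths, the address and the certbot invocation below are assumptions.

LOG=${CERTBOT_LOG:-/var/log/certbot-renew.log}
MAIL_TO=${CERTBOT_MAIL_TO:-email@example.com}
REPORT=""   # set by run_renewal: file holding only the current run's output

# run_renewal CMD [ARGS...]
# Runs CMD with stdout and stderr captured, appends that output to $LOG under
# a UTC timestamp and exit status, and leaves it in $REPORT for mailing.
# Returns 0 when a mail is warranted (any output, or non-zero exit) and
# 1 when the run was silent and succeeded.
run_renewal() {
    local rc
    REPORT=$(mktemp) || return 2
    "$@" >"$REPORT" 2>&1
    rc=$?
    if [ -s "$REPORT" ] || [ "$rc" -ne 0 ]; then
        {
            printf '== %s exit=%s ==\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$rc"
            cat "$REPORT"
        } >>"$LOG"
        printf 'certbot exit status: %s\n' "$rc" >>"$REPORT"
        return 0
    fi
    rm -f "$REPORT"
    REPORT=""
    return 1
}

# Number of runs recorded in $LOG (0 when the log does not exist yet).
log_entries() {
    [ -f "$LOG" ] || { echo 0; return 0; }
    grep -c '^== ' "$LOG" || true
}

# Entry point: cron calls the script with the argument "run"; sourcing it
# without one only defines the functions. It runs from root's crontab as in
# the post, so no sudo is needed. -q keeps certbot quiet unless it renews,
# updates itself or fails.
if [ "${1:-}" = "run" ]; then
    if run_renewal /opt/certbot/certbot-auto renew --renew-hook "service nginx reload" -q; then
        mail -s "CERTBOT Renewals" "$MAIL_TO" <"$REPORT"
    fi
    [ -z "$REPORT" ] || rm -f "$REPORT"
fi
```

The cron line then becomes 00 20 * * * /bin/certbotrenew.sh run. Newer certbot releases call this hook --deploy-hook and certbot-auto has since been retired in favour of distribution packages, so adjust the invocation to match your install.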
Can I run multiple --renew-hook flags?
Yes indeed, you can use multiple --renew-hook flags. In this next example I tell certbot to reload multiple services if a renewal occurred: Postfix and Apache are reloaded and Dovecot is restarted.
#!/bin/bash
# Run the renewal check and append its output (stderr included) to the log file
cd /opt/certbot || exit 1
sudo ./certbot-auto renew --renew-hook "service postfix reload" --renew-hook "service dovecot restart" --renew-hook "service apache2 reload" -q >> /var/log/certbot-renew.log 2>&1
# Mail the log file only after the renewal run has finished
mail -s "CERTBOT Renewals" firstname.lastname@example.org < /var/log/certbot-renew.log
exit 0
What about other new hooks like --pre-hook and --post-hook?
Certbot also introduced new flags called --pre-hook and --post-hook. These give you total control over your services and your renewal scripts. For instance, if you wanted to, you could tell certbot to first stop Apache / Nginx before it renews using
--pre-hook "service nginx stop"
then do your renewals and then bring it back online with a --post-hook in the same command line:
--post-hook "service nginx restart"
I personally find the --renew-hook suits my needs, but the sky is the limit now for anyone wanting to do any advanced kind of scripting with renewals, as it’s all built into certbot itself.
Simple, Flawless and Peace of Mind
Here’s to an SSL filled internet in 2017 😉