In this tutorial, we will show you how to Auto Renew Let’s Encrypt SSL Certificates on your Linux server. For those of you who didn’t know, Let’s Encrypt is a free open certificate authority (CA) that provides free certificates for websites and other services. The service is backed by the Electronic Frontier Foundation, Mozilla, Cisco Systems, and Akamai. Unfortunately, LetsEncrypt.org certificates currently have a 3 month lifetime. This means you’ll need to renew your certificate quarterly for now.
This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo‘ to the commands to get root privileges.
Let’s Encrypt SSL certificates will get expired after 90 days of installation and you must renew them before it gets expired. If you have installed certificates using certbot then it must have already created a cronjob to auto-renew certificates. For custom installation, you can create a similar cronjob too. Let’s learn how certbot’s auto-renew job works.
Prerequisites
- A server running one of the following operating systems: Ubuntu or any other Debian-based or RHEL-based distribution.
- It’s recommended that you use a fresh OS install to prevent any potential issues.
- SSH access to the server (or just open Terminal if you’re on a desktop).
- A
non-root sudo useror access to theroot user. We recommend acting as anon-root sudo user, however, as you can harm your system if you’re not careful when acting as the root.
Auto Renew Let’s Encrypt SSL Certificates
Step 1. Certbot Renew Command.
Certbot comes with a script to renew existing certificates. You can test the renewal script with a single dry run like below:
sudo certbot renew --dry-run
If above test succeeds then create a cron job that will run this script for configured intervals.
Step 2. Certbot Auto-Renew Cron Job.
When you install certificates using certbot it automatically creates cron job to renew certificates. You can check this cron job depending on your operating system. For example in Debian certbot auto-renew cronjob can be found at /etc/cron.d/certbot:
nano /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package # # Upstream recommends attempting renewal twice a day # # Eventually, this will be an opportunity to validate certificates # haven't been revoked, etc. Renewal will only occur if expiration # is within 30 days. SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
Congratulations! You have successfully renewed Let’s Encrypt Certificates. Thanks for using this tutorial for auto-renew Let’s Encrypt SSL Certificates on the Linux system. For additional help or useful information, we recommend you check the official Let’s Encrypt website.