January 2, 2017

Automatic Renewal of Let's Encrypt Certificates

Since a couple of months I deliver all my websites by HTTPS only. Certificates are issued by Let’s Encrypt and I use Certbot as a certification client (hope that is the correct word). This works quite well, actually.

However, the certificates from Let’s Encrypt have one drawback: they expire after 90 days. Hence, you need to renew the certificate now and then. The description from the Certbot page does not work for me as the renew verb of the certbot command would create one certificate (with many common names) for all pages served by the server. I do not want that. Every webpage shall have its own certificate.

After some tests, I figured you have to use the force-renew and quiet parameter plus the d flag, which tells certbot which domain name should be included into the certificate. You maybe end up with a script like this one:


# determine path of script; cd to this path
myPath="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
cd $myPath

# update certbot to the latest version
rm certbot-auto
wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto

# call certbot for each of the web projects you need a certificate for
./certbot-auto certonly --apache --force-renew --quiet -d holger.tk -d www.holger.tk
./certbot-auto certonly --apache --force-renew --quiet -d secondsite.tk -d www.secondsite.tk
./certbot-auto certonly --apache --force-renew --quiet -d yetanothersite.tk -d www.yetanothersite.tk

service apache2 restart

You can trigger the script via cron every ten days or so:

0  0  */10 * * /root/scripts/certbot/renew.sh

© ho1ger 2015 - 2022