Let's Encrypt SSL certificates renewal automation

MAY03

WARNING: This article assumes that you have SSL certificates from Let's Encrypt and you are tired of renewing them manually.

Let's Encrypt is an awesome service which brings security to our websites for free. SSL certificates used to be very pricey, hundreds of dollars per year, but with Let's Encrypt they became free.

These instructions will work for Nginx, but I think you can easily change them to work with Apache as well.

There is no "magic" in programming: our automation script will run on a schedule with cron.

First, SSH into your server and run this command to open the cron editor:

sudo crontab -e

Then insert this line into the cron file:

00 00 * * * /usr/bin/certbot renew --noninteractive --standalone --rsa-key-size 4096 --pre-hook "service nginx stop" --post-hook "service nginx start" >> /var/log/letsencrypt-renew.log

The first 5 fields (* * * * *) define the cron schedule. In our case 00 00 * * * means that the script will run every day at midnight. If you are new to cron and want a different schedule, you can generate proper values with an online crontab generator.

Don't worry, it won't renew your SSL certificates every day. It first checks whether you have certificates that are about to expire and only then renews those. This schedule also gives our renewal script plenty of time before expiration to renew certificates, even if it fails a couple of times during the process.

Here is a list of params we use:

--noninteractive - will not show prompts in terminal;

--rsa-key-size 4096 - RSA key size, by default it's 2048; bigger key brings more security and slower handshake on initial web page loading, so be careful with this value;

--pre-hook "service nginx stop" - stops Nginx before renewal; if you use a different web server, just put the command to stop it here;

--post-hook "service nginx start" - starts Nginx after renewal; it will bring your web server back online;

>> /var/log/letsencrypt-renew.log - appends certbot's output to a log file; it's a good idea to check those logs from time to time.
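A renewal job that keeps failing is easy to miss if nobody reads the log. The script below is an added example, not part of the original article: it flags certificates that are close to expiry, which means the nightly renewal has not been working. The `/etc/letsencrypt/live` path is certbot's default; the 14-day threshold, the function names and the `--run` switch are assumptions made for this example.

```shell
#!/bin/sh
# Flags certificates that the nightly "certbot renew" job has failed to renew.
# Assumed: certbot's default live directory and a 14-day alert threshold.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
WARN_DAYS="${WARN_DAYS:-14}"

# cert_expires_within CERT DAYS
# Returns 0 (true) if CERT expires within DAYS days or cannot be read/parsed.
cert_expires_within() {
    cew_file=$1
    cew_secs=$(($2 * 86400))
    [ -r "$cew_file" ] || return 0
    # -checkend exits 0 only when the cert is still valid after N seconds
    if openssl x509 -checkend "$cew_secs" -noout -in "$cew_file" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_live_certs DIR DAYS
# Prints one line per certificate at risk; exit status is the number found.
check_live_certs() {
    clc_days=$2
    clc_count=0
    for clc_cert in "$1"/*/cert.pem; do
        [ -e "$clc_cert" ] || continue    # glob matched nothing
        if cert_expires_within "$clc_cert" "$clc_days"; then
            clc_end=$(openssl x509 -enddate -noout -in "$clc_cert" 2>/dev/null)
            echo "RENEWAL PROBLEM: $clc_cert (${clc_end:-unreadable}) is within $clc_days days of expiry"
            clc_count=$((clc_count + 1))
        fi
    done
    return "$clc_count"
}

# Run the check only when called with --run, e.g. from a second cron entry.
# cron mails any output to the crontab owner (or MAILTO) if mail is configured.
if [ "${1:-}" = "--run" ]; then
    check_live_certs "$LIVE_DIR" "$WARN_DAYS"
fi
```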

That's it, now you can sleep without worrying about SSL certificate renewal.

Thanks for reading, hope this article will save you some time!

See you soon and keep hacking 😉