How to Automatically Renew & Replace Let’s Encrypt SSL Certs
The free SSL certificates generated by Let’s Encrypt has the lifetime of only 90 days. In other words, it will expire in 3 months. Thus, the Let’s Encrypt SSL certificates have to be renewed every 90 days or earlier to avoid expiry.
As frequent renewal and regeneration of certificates is anticipated, Let’s Encrypt makes it very easy to request for a new replacement certificate, which is essentially by running the letsencrypt command again, and instruct it to renew the certificate:
letsencrypt renew
The command instruct Let’s Encrypt to attempt to renew all certificates lineages that have previously obtained if they are close to expiry (in less than 30 days), and print a summary of the results.
By default, renewing certificate will reuse the most recent successful options used to create obtain or renew each certificate lineage.
If you want to renew the certificates ignored the expiration time of existing certificates, i.e. renew all certificates even though it’s just been requested, use the following command:
letsencrypt --force-renew
For certificate bundle with multiple domains, only the base domain name is shown in any Let’s Encrypt output, but the renewal is done for all domains contained in the certificate.
Tip
You can test out the renewal process by running:
letsencrypt renew --dry-run
To renew only specific certificates instead of all, or to tweak the exact parameters used for renewal, “letsencrypt certonly” command allows more specific control of settings. For example to renew a single certificate:
All of the domains covered by the certificate must be specified in order to renew and replace the old certificate rather than obtaining a new one. Specifying a subset of the domains creates a new, separate certificate containing only those domains, rather than replacing the original certificate.
Remembering to renew every 90 days can be a tedious process. Hence, some form of automation is expected. In this case, a cron job will perform the task automatically a preset interval periodically to fetch a fresh SSL certificate valid for another 90 days.
To edit the crontab, issue the following command:
crontab -e
Add in the following line to create a new job that runs the Let’s Encrypt renewal command every week. As Let’s Encrypt only actually re-generate the certs if they’re less than 30 days away from expiration, so it’s safe to let cron job runs every week or even every day.
Save the crontab. The new cron task will execute letsencrypt-auto renew command every Sunday at 1:00 am, and log the output in a log file located at /var/log/letsencrypt/renew.log.
Note that after renewal of SSL certificates, you may need to restart the web server for the new SSL certs to take effect. As such, the the cron job may have to modify by using a script instead of direct command. For example:
#!/bin/sh
/opt/letsencrypt/letsencrypt-auto renew > /var/log/letsencrypt/renew.log 2>&1
LE_STATUS=$?
if [ "$LE_STATUS" != 0 ]; then
echo Automated renewal failed:
cat /var/log/letsencrypt/renew.log
exit 1
else
service httpd restart
fi
LK is a technology writer for Tech Journey with background of system and network administrator. He has be documenting his experiences in digital and technology world for over 15 years.Connect with LK through Tech Journey on Facebook, Twitter or Google+.
