As frequent renewal and regeneration of certificates is anticipated, Let’s Encrypt makes it very easy to request for a new replacement certificate, which is essentially by running the letsencrypt command again, and instruct it to renew the certificate:
The command instruct Let’s Encrypt to attempt to renew all certificates lineages that have previously obtained if they are close to expiry (in less than 30 days), and print a summary of the results.
By default, renewing certificate will reuse the most recent successful options used to create obtain or renew each certificate lineage.
If you want to renew the certificates ignored the expiration time of existing certificates, i.e. renew all certificates even though it’s just been requested, use the following command:
To renew only specific certificates instead of all, or to tweak the exact parameters used for renewal, “letsencrypt certonly” command allows more specific control of settings. For example to renew a single certificate:
letsencrypt certonly -d techjourney.net -d www.techjourney.net
Remembering to renew every 90 days can be a tedious process. Hence, some form of automation is expected. In this case, a cron job will perform the task automatically a preset interval periodically to fetch a fresh SSL certificate valid for another 90 days.
To edit the crontab, issue the following command:
Add in the following line to create a new job that runs the Let’s Encrypt renewal command every week. As Let’s Encrypt only actually re-generate the certs if they’re less than 30 days away from expiration, so it’s safe to let cron job runs every week or even every day.
0 1 * * 0 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/letsencrypt/renew.log
Save the crontab. The new cron task will execute letsencrypt-auto renew command every Sunday at 1:00 am, and log the output in a log file located at /var/log/letsencrypt/renew.log.
Note that after renewal of SSL certificates, you may need to restart the web server for the new SSL certs to take effect. As such, the the cron job may have to modify by using a script instead of direct command. For example:
#!/bin/sh /opt/letsencrypt/letsencrypt-auto renew > /var/log/letsencrypt/renew.log 2>&1 LE_STATUS=$? if [ "$LE_STATUS" != 0 ]; then echo Automated renewal failed: cat /var/log/letsencrypt/renew.log exit 1 else service httpd restart fi