If you have ever set up the free SSL certificates provided by Let's Encrypt for your site, it is of utmost importance to renew them automatically, or else visitors will be greeted with a nasty SSL security exception error. Let's Encrypt SSL certificates expire 90 days after installation, and you must renew them before they expire. If you installed the certificates using certbot, it should already have created a cron job to auto-renew them. For a custom installation you can create a similar cron job yourself. Let's learn how certbot's auto-renew job works.
Certbot Renew Command
Certbot comes with a script to renew existing certificates. You can test the renewal script with a single dry run, as shown below.
$ sudo certbot renew --dry-run
If the above test succeeds, create a cron job that runs this script at configured intervals.
Certbot Auto Renew Cron Job
When you install certificates using certbot, it automatically creates a cron job to renew them. Where this cron job lives depends on your operating system. For example, on Debian the certbot auto-renew cron job can be found at /etc/cron.d/certbot. Refer to the certbot documentation for the location of the cron job on your operating system. The cron job contains the following code.
$ cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
How Certbot's Auto Renew Script Works
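This cron job is triggered twice every day to renew the certificate. Before doing anything, the entry checks that /usr/bin/certbot is executable and that /run/systemd/system does not exist, so on a host running systemd the cron entry does nothing and renewal is scheduled by a systemd timer instead (certbot.timer in the Debian package). It then sleeps for a random interval of up to 43200 seconds (12 hours), which spreads renewal requests out over time rather than having every host contact the CA at the same moment. Finally, certbot -q renew checks whether the certificate will expire within the next 30 days. If it will, certbot renews it quietly without generating output. If it will not, certbot takes no action. While renewing the certificate, it uses the same information provided during certificate creation, such as the email address, domain name, web server root path, etc.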
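Because certbot -q renew produces no output, a renewal that keeps failing can go unnoticed until the certificate expires. The following check is an added example, not part of certbot or of the original article: it flags any certificate that certbot should already have renewed. It assumes certbot's default /etc/letsencrypt/live layout and a 20-day alert threshold; the function names cert_status and audit_live_dir are hypothetical.

```shell
#!/bin/sh
# Added example: detect auto-renewal that has silently stopped working.
# certbot renews once fewer than 30 days remain, so a certificate with less
# than ALERT_DAYS left means the scheduled job has been failing for a while.

ALERT_DAYS="${ALERT_DAYS:-20}"                  # assumption: alert threshold
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"   # assumption: default certbot layout

# cert_status FILE [DAYS] -> prints ok | stale | expired | unreadable
cert_status() (
    cert=$1
    days=${2:-$ALERT_DAYS}
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable      # missing file or not a PEM certificate
    elif ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired         # notAfter is already in the past
    elif ! openssl x509 -in "$cert" -noout \
            -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo stale           # still valid, but renewal is overdue
    else
        echo ok
    fi
)

# audit_live_dir [DIR] -> one line per certificate; returns 1 if any is not ok
audit_live_dir() (
    dir=${1:-$LIVE_DIR}
    rc=0
    for cert in "$dir"/*/cert.pem; do
        [ -e "$cert" ] || continue
        status=$(cert_status "$cert")
        name=$(basename "$(dirname "$cert")")
        end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null || true)
        printf '%-10s %s %s\n' "$status" "$name" "$end"
        [ "$status" = ok ] || rc=1
    done
    exit "$rc"
)

# Run the audit; a non-zero result is the signal to raise an alert.
audit_live_dir || echo "ALERT: certbot renewal appears to be failing" >&2
```

Run it from a separate daily cron entry or a monitoring agent as a user that can read the live directory, and route the non-zero exit status to whatever alerting you already use.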