Tech Monger

If you have ever setup free ssl certificates provided by let's encrypt for your site then it is of utmost importance to auto renew certificates or else visitors will get greeted with nasty ssl security exception error. Let's encrypt SSL certificates will get expired after 90 Days of installation and you must renew it before it get expired. If you have installed certificates using certbot then it must have already created cronjob to auto renew certificates. For custom installation you can create similar cronjob too. Lets learn how certbot's auto renew job works.

Certbot Renew Command

Certbot come with script to renew existing certificates. You can test renewal script with single dry run like below.

$ sudo certbot renew --dry-run

If above test succeeds then create a cron job that will run this script for configured intervals.

Certbot Auto Renew Cron Job

When you install certificates using certbot it automatically creates cron job to renew certificates. You can check this cron job depending on your operating system. For example in Debian certbot auto renew cronjob can be found at /etc/cron.d/certbot. You can refer certbot documentation to check the location of cron job for your operating system. This cronjob contains following code.

$ cat /etc/cron.d/certbot

# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot  -a \! -d /run/systemd/system &&  perl -e 'sleep int(rand(43200))' &&  certbot -q renew

How Certbot's Auto Renew Script Works ?