How to Set up Letsencrypt Auto Renewal

SSL certificates issued by Letsencrypt.org are valid for 90 days, and you will need to renew them manually to continue using them.

As I am writing this, there is no automatic renewal option in the letsencrypt package, so we will need to set up something to do it for us.

The command to renew a letsencrypt certificate manually is:

/path/to/letsencrypt-client/letsencrypt-auto renew

In the above command, you need to replace /path/to/letsencrypt-client with the actual path.

If you have followed this nodeBB letsencrypt tutorial, this command will be:

/opt/letsencrypt/letsencrypt-auto renew

If your domain is not eligible for renewal, you will get a message like this:

Checking for new version...
Requesting root privileges to run letsencrypt...
 /root/.local/share/letsencrypt/bin/letsencrypt renew
Processing /etc/letsencrypt/renewal/example.com.conf

The following certs are not due for renewal yet:
 /etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.

What we can do to automate letsencrypt certificate renewal is to set up a cron job to do it for us at regular intervals. This cron job will periodically run the above-mentioned command to renew the SSL certificate for our domain.

To set up a cron we need to edit the crontab.

To edit the crontab, run the following command:

sudo crontab -e

If this is the first time you are editing crontab it may ask you to select your favorite editor. Here we will select nano by typing the digit in front of it and pressing enter.

This will open the crontab file in nano.

Add the following lines to the bottom of the file if you are using the Nginx web server:

30 2 * * 1  /path/to/letsencrypt-client/letsencrypt-auto renew >> /var/log/le-renew.log
35 2 * * 1  /etc/init.d/nginx reload

Or, if you are using the Apache web server, add these lines:

30 2 * * 1  /path/to/letsencrypt-client/letsencrypt-auto renew >> /var/log/le-renew.log
35 2 * * 1  /etc/init.d/apache2 reload

Remember to replace /path/to/letsencrypt-client with the actual path of your letsencrypt client folder in the above lines, or the renewal will fail.

Save the file by pressing Control+O.

Exit nano by pressing Control+X and then Enter.

You have now successfully edited the crontab.

This cron job runs the letsencrypt renewal script at 2:30 am every Monday and reloads the web server at 2:35 am.

The output of the process will be saved in the log file we set up in the crontab, i.e.

/var/log/le-renew.log

You can check the log file to know what’s happening whenever this cron is running.
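
The two cron entries above reload the web server five minutes after the renewal starts whether or not a certificate was renewed, and only the client's standard output reaches the log. The wrapper below is an added example, not part of the original tutorial: it logs stdout and stderr with timestamps and reloads only when the client exits 0 and does not print "No renewals were attempted." The script name le-renew.sh, the "run" argument and the RENEW_CMD, RELOAD_CMD and LOG_FILE variables are assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial): renew, log stdout+stderr, and reload
# the web server only when a renewal actually happened.
# Assumed defaults, overridable via environment; paths are the tutorial's.
RENEW_CMD=${RENEW_CMD:-"/opt/letsencrypt/letsencrypt-auto renew"}
RELOAD_CMD=${RELOAD_CMD:-"/etc/init.d/nginx reload"}
LOG_FILE=${LOG_FILE:-/var/log/le-renew.log}

# needs_reload STATUS OUTPUT: succeeds only if the client exited 0 and did not
# print "No renewals were attempted." (shown when no certificate is due).
needs_reload() {
    [ "$1" -eq 0 ] || return 1
    case $2 in
        *"No renewals were attempted."*) return 1 ;;
    esac
    return 0
}

# log_lines: prefix each stdin line with a UTC timestamp, append to LOG_FILE.
log_lines() {
    while IFS= read -r line; do
        printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$line"
    done >> "$LOG_FILE"
}

# renew_and_reload: returns the client's exit status, or 1 if the reload fails.
renew_and_reload() {
    if output=$($RENEW_CMD 2>&1); then status=0; else status=$?; fi
    printf '%s\n' "$output" | log_lines
    if needs_reload "$status" "$output"; then
        if $RELOAD_CMD >/dev/null 2>&1; then
            echo "web server reloaded" | log_lines
        else
            echo "ERROR: reload failed" | log_lines
            return 1
        fi
    elif [ "$status" -ne 0 ]; then
        echo "ERROR: renewal exited with status $status, reload skipped" | log_lines
    else
        echo "nothing renewed, reload skipped" | log_lines
    fi
    return "$status"
}

# Run only when invoked as "le-renew.sh run" (hypothetical script name).
if [ "${1:-}" = "run" ]; then renew_and_reload; fi
```

Saved as, for example, /usr/local/sbin/le-renew.sh (an assumed location), a single crontab line "30 2 * * 1 /usr/local/sbin/le-renew.sh run" takes the place of the two entries. For Apache, set RELOAD_CMD to "/etc/init.d/apache2 reload".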

That’s it.