Let’s Encrypt provides free SSL/TLS certificates to secure websites, and Certbot is the recommended tool for obtaining and managing these certificates. One of its best features is the ability to auto-renew certificates, ensuring uninterrupted encryption for your site.
In this guide, we’ll walk you through setting up auto-renewal for Let’s Encrypt certificates using Certbot.
Step 1: Install Certbot (If Not Already Installed)
Ensure Certbot is installed on your server. You can install it using the package manager for your OS:
For Ubuntu/Debian:
sudo apt update
sudo apt install certbot python3-certbot-nginx # For Nginx users
sudo apt install certbot python3-certbot-apache # For Apache users
For CentOS/RHEL:
sudo yum install certbot python3-certbot-nginx
Step 2: Verify Certbot Installation
Run the following command to check Certbot’s version and ensure it is installed correctly:
certbot --version
If Certbot is installed, it will display the version number.
Step 3: Test Certificate Renewal
Before setting up auto-renewal, ensure that manual renewal works:
sudo certbot renew --dry-run
If you see a “Congratulations” message, your certificates can be renewed without issues.
Step 4: Set Up Auto-Renewal Using Cron Jobs
Certbot’s renewal process can be automated using a cron job. Certbot typically installs a cron job automatically during setup, but if it isn’t configured, you can add one manually.
Create or Edit a Cron Job:
- Open the crontab file:
sudo crontab -e
- Add the following line to renew certificates twice daily:
0 0,12 * * * /usr/bin/certbot renew --quiet
0 0,12: Runs the command at midnight and noon daily.
--quiet: Suppresses output unless there’s an error.
- Save and exit the file.
Verify Cron Job Configuration:
To ensure the cron job is set up correctly, check the system logs:
sudo grep CRON /var/log/syslog
Step 5: Reload Web Server After Renewal
After renewal, Certbot doesn’t automatically reload your web server. To automate this, create a hook to reload your server after certificates are renewed.
Add a Hook in Certbot Configuration:
Edit the Certbot renewal configuration file:
sudo nano /etc/letsencrypt/renewal/YOUR-DOMAIN-NAME.conf
Add or modify the following line under the [renewalparams] section:
post_hook = systemctl reload nginx
Replace nginx with apache2 if you’re using Apache.
Alternatively, you can pass the --post-hook flag during renewal:
sudo certbot renew --post-hook "systemctl reload nginx"
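As an added example (not part of this guide and not Certbot's own tooling), the script below audits the two settings from Steps 4 and 5 offline: it checks that a crontab has an active "certbot renew" entry, extracts its schedule, and pulls post_hook out of the [renewalparams] section of a renewal conf. The crontab text and conf contents are constructed samples, and the account id is a placeholder.

```shell
#!/bin/sh
# Offline audit of the renewal setup (example code, assumptions noted).
# To use it on a real host, feed it "crontab -l" output and the contents of
# /etc/letsencrypt/renewal/<domain>.conf instead of the samples below.

# Constructed sample crontab, matching the entry from Step 4.
SAMPLE_CRONTAB='# m h dom mon dow command
0 0,12 * * * /usr/bin/certbot renew --quiet'

# Constructed sample renewal conf with the hook from Step 5.
SAMPLE_CONF='archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
[renewalparams]
account = PLACEHOLDER_ACCOUNT_ID
authenticator = nginx
post_hook = systemctl reload nginx'

# has_renew_cron CRONTAB_TEXT -> exit 0 if a non-comment line runs
# "certbot renew", exit 1 otherwise (commented-out entries do not count).
has_renew_cron() {
    printf '%s\n' "$1" | grep -v '^[ \t]*#' | grep -q 'certbot renew'
}

# cron_schedule CRONTAB_TEXT -> prints the five schedule fields of the
# first active "certbot renew" entry, e.g. "0 0,12 * * *".
cron_schedule() {
    printf '%s\n' "$1" | grep -v '^[ \t]*#' | grep 'certbot renew' \
        | awk '{ print $1, $2, $3, $4, $5; exit }'
}

# renewal_post_hook CONF_TEXT -> prints the post_hook value found inside
# [renewalparams]; prints nothing if that section has no post_hook.
renewal_post_hook() {
    printf '%s\n' "$1" | awk '
        /^\[/ { in_params = ($0 == "[renewalparams]") }
        in_params && /^[ \t]*post_hook[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }'
}

# Usage: report on the constructed samples.
if has_renew_cron "$SAMPLE_CRONTAB"; then
    echo "cron: certbot renew scheduled ($(cron_schedule "$SAMPLE_CRONTAB"))"
else
    echo "cron: no active certbot renew entry found" >&2
fi
hook=$(renewal_post_hook "$SAMPLE_CONF")
[ -n "$hook" ] && echo "post_hook: $hook" || echo "post_hook: not set" >&2
```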
Step 6: Check Renewal Logs
Certbot logs all renewal attempts. You can review the logs to ensure everything is working as expected:
sudo less /var/log/letsencrypt/letsencrypt.log