Let’s Encrypt auto-update

First of all, what is Let’s Encrypt? You can find more details here: https://letsencrypt.org/how-it-works/

“The objective of Let’s Encrypt and the ACME protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server.”

Previously, in 2018, you had to create a cron job to renew Let’s Encrypt certificates, but this changed in 2019. Using Let’s Encrypt is simple and free.

## Add the repository
sudo add-apt-repository ppa:certbot/certbot
## Install certbot with the nginx plugin
sudo apt install python-certbot-nginx
## Executing this command will install the new certificate on your nginx server
sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email itengineersblog@gmail.com -d szeles.me
## - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/szeles.me/fullchain.pem

You have received your Let’s Encrypt certificate for free. This certificate will expire within 3 months; however, you don’t have to do anything else in the near future. Why? Because renewal is managed by certbot. Run the following command:

systemctl list-timers

In the output you can find certbot.timer. Its unit file looks like this:

cd /lib/systemd/system
nano certbot.timer

[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200
Persistent=true

[Install]
WantedBy=timers.target

The timer triggers the following service unit:

nano certbot.service

[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true

The certbot.timer starts the certbot service at midnight and noon, each run delayed by a random amount of up to 12 hours (RandomizedDelaySec=43200). The service executes the renew command:

ExecStart=/usr/bin/certbot -q renew

If systemd is not available, the cron job will run instead.

At the end of the code you can see that systemd is tested for first, and the cron job runs only if systemd is not available.
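
To confirm that the timer (or the cron fallback) is actually renewing the certificate, the following added example, which is not part of the original post, classifies a certificate by the time left before it expires. It assumes openssl and GNU date are installed and that certbot keeps its default 30-day renewal window; the function names and the ROOT parameter are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): check that renewal is working.
# Assumptions: openssl and GNU date are installed; certbot keeps its default
# of renewing once fewer than 30 days remain. Function names are hypothetical.

RENEW_BEFORE_DAYS=30

# Report which scheduler drives "certbot -q renew": the systemd timer if
# systemd is the running init (/run/systemd/system exists), else cron.
# ROOT is a hypothetical prefix so the check can be tried on a test tree.
scheduler_in_use() {
    root="${1:-}"
    if [ -d "$root/run/systemd/system" ]; then
        echo "systemd-timer"
    else
        echo "cron"
    fi
}

# Classify a certificate by the seconds left until its notAfter date.
# OVERDUE means certbot should already have replaced it, so renewal is failing.
renewal_state() {
    secs="$1"
    if [ "$secs" -le 0 ]; then
        echo "EXPIRED"
    elif [ "$secs" -lt $((RENEW_BEFORE_DAYS * 86400)) ]; then
        echo "OVERDUE"
    else
        echo "OK"
    fi
}

# Read notAfter from a PEM certificate and print its state.
# Returns 0 only for OK, so it can be used from a monitoring job.
check_cert() {
    pem="$1"
    end=$(openssl x509 -noout -enddate -in "$pem") || return 2
    exp=$(date -d "${end#notAfter=}" +%s) || return 2
    secs=$((exp - $(date +%s)))
    state=$(renewal_state "$secs")
    echo "$pem: $((secs / 86400)) days left, $state ($(scheduler_in_use))"
    [ "$state" = "OK" ]
}

# Usage: sh check-renewal.sh /etc/letsencrypt/live/szeles.me/fullchain.pem
if [ -n "${1:-}" ]; then
    check_cert "$1"
fi
```

An OVERDUE result on a host where certbot.timer is listed as active means the renew runs are failing, so check the certbot logs rather than the schedule.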
