Automatically Renew Let's Encrypt SSL certificates using Cron Jobs
Let's Encrypt SSL/TLS Certificates
I have talked about using Let's Encrypt SSL/TLS Certificates on GoDaddy-hosted sites. That blog was rather a walk-around, since the actual power of Let's Encrypt certificates lies in its short lifetime and the automatic “creation, validation, signing, installation, and renewal” capability. The resulting tools, e.g. Certbot, provides an implementation of the Automated Certificate Management Environment (ACME) protocol, which Godaddy simply does not support. So, Let's encrypt is a certificate authority (CA), which issues free SSL certificates lasted only for 90 days in order to “limit damage from key compromise and mis-issuance”. The ACME protocol and clients implement automated management which may further reduce human operator errors.
Auto-renew with cron jobs
After switching my site to another hosting service which I have root previlege, it became possible to automate the SSL certificates related tasks. Cron, which is a job-scheduling utility in Unix-like systems, was my first choice. There are two programs related to the cron utility,
cron on macOS) and
crond is a daemon process which reads the crontab files and executes the listed tasks at their designated times.
crontab is a utility program managing the crontab files. For example,
crontab -l lists the crontab file of the current user,
crontab -e edits the current crontab file if it exists or otherwise creates an empty one.
crontab -u user manages the crontab file of another user.
Since the apache server needs to be restarted after the renewal of SSL certificates, I wrote a simple bash script
/home/abc/bin/le-renew.sh whose content is listed as follows,
#!/bin/bash letsencrypt renew --apache --noninteractive apachectl -k graceful
Then, by command
sudo crontab -e, the crontab file of the root user can be edited and the following line is inserted.
00 01 * * * /home/abc/bin/le-renew.sh >> /var/log/le-renew.log
The syntax for the crontab file is
* * * * * command-to-execute
in which the asterisks represent
minute(0-59) hour(0-23) day(1-31) month(1-12) weekday(0-6). So the renewal crontab basically says that the certificates are checked/renewed at 1 o'clock each day, and results are appended into the log file /var/log/le-renew.log.