{"id":477,"date":"2015-12-30T09:35:40","date_gmt":"2015-12-30T14:35:40","guid":{"rendered":"http:\/\/muthii.com\/blog\/?p=477"},"modified":"2016-01-11T21:58:59","modified_gmt":"2016-01-12T02:58:59","slug":"automate-letsencrypt-certificate-renewal","status":"publish","type":"post","link":"https:\/\/muthii.com\/blog\/?p=477","title":{"rendered":"Automate letsencrypt certificate renewal"},"content":{"rendered":"<p>I recently switched from self-signed certs to free SSL certs from <a href=\"https:\/\/letsencrypt.org\/\" target=\"_blank\">letsencrypt<\/a>, and for the first time I could load my HTTPS URL without getting the annoying prompt Chrome shows for self-signed certificates. The only problem is that the certs expire pretty fast, in about 90 days as of this writing. That is nothing to complain about since the certs are free, but handling the renewal manually each time would be a pain and would also leave me in a bind if I forgot to do it.<br \/>\nI decided to automate the renewal process to save myself the hassle of doing it manually and found two resources, <a href=\"https:\/\/eblog.damia.net\/2015\/12\/03\/lets-encrypt-automation-on-debian\" target=\"_blank\">here<\/a> and <a href=\"https:\/\/cuonic.com\/posts\/automating-lets-encrypt-certificate-renewal\" target=\"_blank\">here<\/a>, on how to do it. I went with a combination of the two methods as my requirements were different.<br \/>\nI wanted the renewal to be run from a script that supports email notification on success or failure, which is similar to the first source, and to use the webroot plugin to perform the renewal, as in the second source, since it takes fewer steps and so reduces the failure points during the process. 
The script needed to be able to run every day and check cert expiration. I didn&#8217;t want to hard-code the cron job to run based on how long the certs are valid; that way, if letsencrypt changes the lifetime of the certs, no change is required on my side.<br \/>\nLet&#8217;s get started. I won&#8217;t cover the install as that&#8217;s covered by the <a href=\"https:\/\/letsencrypt.org\/howitworks\/\" target=\"_blank\">letsencrypt<\/a> site; I would advise you to read the different install methods and choose the one that best fits your needs.<br \/>\nAfter performing the install:<br \/>\nCreate your config file, which will contain the arguments submitted to the letsencrypt API. I named mine &#8220;muthii.com.ini&#8221;.<br \/>\n<code lang=\"properties\"><br \/>\nrsa-key-size = 4096<br \/>\nserver = https:\/\/acme-v01.api.letsencrypt.org\/directory<br \/>\ntext = True<br \/>\nauthenticator = webroot<br \/>\nagree-tos = True<br \/>\nrenew-by-default = True<br \/>\nemail = root@domain.com<br \/>\nwebroot-path = \/your\/webserver\/path<br \/>\n<\/code><\/p>\n<p>Run the command used to create\/renew your certs, which creates the certs for you and shows you the path to find them.<br \/>\n<code lang=\"bash\">\/root\/.local\/share\/letsencrypt\/bin\/letsencrypt -c \/path\/muthii.com.ini -d muthii.com -d www.muthii.com auth<\/code><\/p>\n<p>Only run the above command if you haven&#8217;t created your certs or are ready to renew your current certs; otherwise just grab the script <a href=\"https:\/\/github.com\/samnjugu\/letsencryptAutoRenew\/blob\/master\/SSLRenew.sh\" target=\"_blank\">file<\/a> and add it to your cron. Make sure to change the emails and file paths based on your setup. 
I have commented out the echo statements and only enable them for testing.<\/p>\n<p>If you are doing this for the first time, locate the ssl.conf file used by your server and set the paths to the new certs:<\/p>\n<p>SSLCertificateFile \/etc\/letsencrypt\/live\/domain.com\/cert.pem<br \/>\nSSLCertificateKeyFile \/etc\/letsencrypt\/live\/domain.com\/privkey.pem<br \/>\nSSLCertificateChainFile \/etc\/letsencrypt\/live\/domain.com\/fullchain.pem<\/p>\n<p>Once you are done setting up, head over to <a href=\"https:\/\/www.ssllabs.com\" target=\"_blank\">SSLLabs<\/a> and test that your certificate is recognized as expected, then set up a cron job to run the script daily.<\/p>\n<p><code lang=\"bash\">0 2 * * * sh \/path\/SSLRenew.sh<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I recently switched from self signed certs to free SSL certs from letsencrypt and for the first time I could load my https url without getting the annoying prompt from chrome due to self signed certificates. The only problem is the certs expire pretty fast in about 90 days as of this writing, while this &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/muthii.com\/blog\/?p=477\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Automate letsencrypt certificate 
renewal&#8221;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,102,83,10],"tags":[145,147,146],"_links":{"self":[{"href":"https:\/\/muthii.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/477"}],"collection":[{"href":"https:\/\/muthii.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/muthii.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/muthii.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/muthii.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=477"}],"version-history":[{"count":10,"href":"https:\/\/muthii.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/477\/revisions"}],"predecessor-version":[{"id":488,"href":"https:\/\/muthii.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/477\/revisions\/488"}],"wp:attachment":[{"href":"https:\/\/muthii.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=477"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/muthii.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=477"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/muthii.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=477"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}