Auto Renew SSL/TLS Certificates


Let’s Encrypt is a certificate authority offering free SSL/TLS certificates for HTTPS connections.

Certbot is a free, open-source tool that automates Let’s Encrypt certificate handling, including obtaining and renewing them every 90 days.

Once certbot is operating on a system, it sets a systemd timer to automatically renew certificates, ensuring continual security for dependent websites and services. Check timer schedules on Ubuntu with systemctl list-timers, and find certbot’s timer details with systemctl cat certbot.timer.

To view and check the renewal dates for Let’s Encrypt certificates, use sudo certbot certificates. To manually renew all certificates, run sudo certbot renew.

If there isn’t any timer created for your certificates, then you can create it manually.

Creating certbot renew timer

If your system uses systemd, you can create a timer to schedule the renewal. First, create a service file for Certbot:

sudo nano /etc/systemd/system/certbot-renew.service

Add the following code to the service file:

[Unit]
Description=Certbot Renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet

Next, create the corresponding timer file:

sudo nano /etc/systemd/system/certbot-renew.timer

Add the following code:

[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00:00:00
OnCalendar=*-*-* 12:00:00
Persistent=true

[Install]
WantedBy=timers.target

Enable the timer to start on boot and then start it immediately:

sudo systemctl enable certbot-renew.timer
sudo systemctl start certbot-renew.timer

After that, you can check the status of the timer to make sure it’s active:

sudo systemctl list-timers | grep certbot

Now you can test that the service works properly with:

sudo systemctl start certbot-renew.service

That’s all. Your Certbot renewals are set to happen automatically. Once the scheduled task is in action, you can just let it do its thing without worrying about it.
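
To confirm the timer really is renewing, the script below (an added example, not part of the original article or of Certbot) reads the output of sudo certbot certificates and lists every certificate that is invalid or closer to expiry than a threshold. The function names, the 25-day threshold and the sample output are assumptions made for illustration; the threshold assumes Certbot renews when about 30 days remain.

```shell
#!/bin/sh
# Added example: flag certificates the renewal timer should already have replaced.

# stale_certs MIN_DAYS
# Reads `certbot certificates` output on stdin and prints "name status" for
# each certificate that is INVALID or has fewer than MIN_DAYS days left.
stale_certs() {
    awk -v min="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            # Expired, revoked and test certificates are all reported as INVALID.
            if ($0 ~ /INVALID:/) { print name, "INVALID"; next }
            # Less than a day left is reported in hours; treat it as 0 days.
            if ($0 ~ /VALID: [0-9]+ hour/) days = 0
            else if (match($0, /VALID: [0-9]+ day/)) days = substr($0, RSTART + 7) + 0
            else next
            if (days < min + 0) print name, days
        }
    '
}

# Constructed, abbreviated sample of `certbot certificates` output so the
# script runs offline. The names and dates are made up.
sample_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2025-03-01 10:00:00+00:00 (VALID: 62 days)
  Certificate Name: api.example.com
    Domains: api.example.com
    Expiry Date: 2025-01-10 10:00:00+00:00 (VALID: 12 days)
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2024-11-02 10:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# On a real host, replace sample_output with: sudo certbot certificates 2>/dev/null
sample_output | stale_certs 25
```

Any line printed means a renewal was missed; check journalctl -u certbot-renew.service for the reason.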