Let’s Encrypt Auto Renewal +Services +Reporting

A script that will automatically renew Let’s Encrypt certificates, reload services that use them, and send a log file by mail to the administrator.

Since jumping on the Let’s Encrypt bandwagon in December 2015, I completely forgot about my certificates until I received a renewal reminder the other day. Let’s Encrypt certificates need to be renewed every 90 days (read why) and a renewal reminder is sent 18 days (in my case) before your certificates expire, although Let’s Encrypt is currently reviewing its whole reminder process.

Not eager to go through the process of manually renewing the certificates more than four times a year, I wanted to automate it (something Let’s Encrypt also recommends). I found a few one-liners online which only partly address the problem. First of all, if something is automated, it needs to be safe, reliable and reviewable. Also, services that use these certificates need to be restarted or reloaded when the symlinks in the /etc/letsencrypt/live directory are updated, because a running daemon keeps serving the certificate it loaded at start-up. To deal with all these issues, I wrote a small bash script with the following features:

  • a dry run is performed as a check before doing anything persistent
  • the configuration of related services is checked, and each service is reloaded only if its check succeeds
  • detailed renewal and Let’s Encrypt logs are sent by mail

This is the complete script that does the above:

#!/bin/bash
# renewcerts.sh - Renew Let's Encrypt certificates

# Without pipefail, "$?" after "cmd | tee" is tee's exit status (almost
# always 0), so a failing dry run or nginx -t would go unnoticed.
set -o pipefail

# Variables to set for users
le_log="/var/log/letsencrypt/renew.log"
le_path="/dir/to/letsencrypt/certbot"
mail_addr="admin@example.com"

# Remove previous log file and perform a dry-run
rm -f "${le_log}"
echo "=== DRY RUN ===" | tee -a "${le_log}"
"${le_path}" renew --dry-run --agree-tos 2>&1 | tee -a "${le_log}"

# If the dry run succeeded, perform the real renewal
if [ $? -eq 0 ]; then
  echo "=== RENEWAL ===" | tee -a "${le_log}"
  "${le_path}" renew --agree-tos 2>&1 | tee -a "${le_log}"

  # Only touch the services if the renewal itself succeeded
  if [ $? -eq 0 ]; then
    # List the archived certificates with timestamps so the log shows what changed
    find /etc/letsencrypt/archive -ls | tee -a "${le_log}"

    # Test configuration, then reload each service only if the test passed
    echo "==== NGINX ====" | tee -a "${le_log}"
    nginx -t 2>&1 | tee -a "${le_log}"
    if [ $? -eq 0 ]; then
      nginx -s reload 2>&1 | tee -a "${le_log}"
    fi
    echo "=== POSTFIX ===" | tee -a "${le_log}"
    postfix check 2>&1 | tee -a "${le_log}"
    if [ $? -eq 0 ]; then
      postfix reload 2>&1 | tee -a "${le_log}"
    fi
    echo "=== DOVECOT ===" | tee -a "${le_log}"
    dovecot reload 2>&1 | tee -a "${le_log}"
  else
    echo "Renewal failed, services not reloaded" | tee -a "${le_log}"
  fi
else
  echo "Dry run failed, no renewal attempted" | tee -a "${le_log}"
fi

# Send full renewal report using mutt ("--" is required by mutt to separate
# attachments from the recipient address)
echo "See attached log files." | mutt -s "[report] $HOSTNAME certificate renewal" -a "${le_log}" -a "/var/log/letsencrypt/letsencrypt.log" -- "${mail_addr}"

Save the script and make sure it is executable (chmod +x renewcerts.sh). It has to run as root (certbot renew writes to /etc/letsencrypt and the reload commands talk to the daemons), so keep it owned by and writable only by root: a root cron job that someone else can edit is a straightforward privilege escalation.

Note that you will need to update the script to match your configuration and preferences. For instance, my services are nginx, postfix and dovecot, but yours might differ. Also, I like using mutt to send mail from the command line.
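If you run more services than the three above, the check-then-reload section of the script repeats itself. The helper below is an added example, not the script from the post: it factors that section into a function that logs everything, keeps the real exit status of the checked command through the tee pipeline, and only reloads when the check passed. The service commands in the usage comment are assumptions, and the self-test at the end substitutes true/false for real daemons so it runs anywhere.

```bash
#!/bin/bash
# Added example (not the script from the post): a generic "check, then reload"
# helper for the per-service section of renewcerts.sh. Service names and
# commands are placeholders; the self-test uses true/false instead of daemons.

# "$?" after "cmd | tee" is tee's status, so a failing "nginx -t" would go
# unnoticed. With pipefail the pipeline fails if any stage fails.
set -o pipefail

# log_line LOG TEXT: print TEXT and append it to LOG.
log_line() {
  printf '%s\n' "$2" | tee -a "$1"
}

# run_logged LOG CMD [ARGS...]: run CMD, tee stdout and stderr into LOG and
# return CMD's own exit status (pipefail keeps tee from masking it).
run_logged() {
  local log="$1"
  shift
  "$@" 2>&1 | tee -a "$log"
}

# checked_reload LOG NAME "CHECK CMD" "RELOAD CMD"
# Runs the check; runs the reload only if the check passed.
# Commands are split on whitespace (simple commands, no quoted arguments).
# Returns 0 reloaded, 1 check failed (reload skipped), 2 reload failed.
checked_reload() {
  local log="$1" name="$2" check="$3" reload="$4"
  log_line "$log" "=== ${name} ==="
  if ! run_logged "$log" $check; then
    log_line "$log" "${name}: configuration check FAILED, not reloading"
    return 1
  fi
  if ! run_logged "$log" $reload; then
    log_line "$log" "${name}: reload FAILED"
    return 2
  fi
  log_line "$log" "${name}: reloaded"
  return 0
}

# Usage inside the renewal script (assumed service commands):
#   checked_reload "$le_log" NGINX   "nginx -t"      "nginx -s reload"
#   checked_reload "$le_log" POSTFIX "postfix check" "postfix reload"
#   checked_reload "$le_log" DOVECOT "doveconf -n"   "dovecot reload"
```

The three return codes let the caller decide what to do with a failure (for instance keep a count and put "FAILED" in the mail subject), while the log still shows the full output of every check and reload that ran.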

Finally, add the following line to your crontab (crontab -e) to run the auto-renewal on the second day of every other month (the odd months: Jan, Mar, May, etc.) at 03:30 in the morning.

30 3 02 */2 * /path/to/renewcerts.sh

This should give you around 11 days before the reminder is issued and almost a month before the certificate expires. In short: enough time to fix any problems that might occur. One caveat: certbot renew only replaces certificates that are within its renewal window (30 days before expiry by default) and reports the rest as not yet due. The gap between two of the runs above is 59 to 62 days, so in a non-leap year a certificate renewed on 2 January still has 31 days left when the 2 March run comes around and is skipped, and it has expired by the May run. The safe option is to run the script daily (Let's Encrypt itself suggests twice a day) by setting the day and month fields to *; renew does nothing when no certificate is due, so the extra runs only cost you the report mails.

Written by: koffieanon
