My name is Philipp C. Heckel and I write about nerdy things.
This site moved here recently from blog.philippheckel.com!

Snippet 0x0D: Let’s Encrypt – 5 min guide to set up cronjob based certificate renewal


Administration, Code Snippets, Linux, Scripting, Security

Snippet 0x0D: Let’s Encrypt – 5 min guide to set up cronjob based certificate renewal


Let’s Encrypt was officially released to the open public today. That means the Internet can finally get free, trusted SSL/TLS certificates. This quick guide shows how to set up Let’s Encrypt with auto-renewal through a cronjob — using the simp_le client, an alternative client developed by one of the same authors who develop the official client.


Content


Updates

Feb 2016: The new version of simp_le requires a -f account_key.json argument. I’ve updated the post accordingly.

Feb 2017: Unfortunately, the original simp_le project has been abandoned by the original author. This fork still works fine though. I have changed all the links, and it should just work.

1. Install the simp_le client

On your web server, clone the simp_le client and install it in a sensible directory (e.g. /opt/simp_le). Then run the installation steps as provided in the README.md:

2. Generate a keypair and retrieve signed certificate

Once the installation is done, everything else is super easy. All you need is a location for your keys and certificates, as well as the publicly available document root for your website. I store my certificates and keys in /srv/cert, with a subfolder for each domain, e.g. /srv/cert/example.com, and my document root is at /srv/www/example.com/html.

This command automatically generates a keypair, creates a certificate request and gets that signed by Let’s Encrypt. It also verifies your domain ownership by creating a file in the document root at http://example.com/.well-known/.... So let’s look at the key and certificate:

3. Configure your web server

Now configure the SSL/TLS certificate in your web server. For me, that’s Apache. The configuration for the virtual host looks like this:

And finally, restart Apache with service apache2 restart and you can access your website via HTTPS! Easy, right?

4. Automating certificate renewal via cronjob

The wonderful thing about the simp_le client is that the command for the initial creation and the renewal is the same, so you can run the exact same command as above in a script from a cronjob. I created a script called /srv/bin/cert-renew to do just that:

This will renew the certificates for two domains (if necessary) and reload Apache if the certificate has been renewed. Note that Apache will not be reloaded if the certificate has not been altered.

The matching cronjob looks like this:

That’s it! Now every night at 1:43am, your certificates are checked and renewed if necessary.

A. About this post

I’m trying a new section for my blog. I call it Code Snippets. It’ll be very short, code-focused posts of things I recently discovered or find facinating or helpful. I hope this helps.

4 Comments

  1. Dave Jones

    Hi Phillip,

    I just wanted to say a quick thank you for producing this guide.

    Really well written and super helpful for those, like me, who are experimenting with Lets Encrypt but don’t want to turn over full control of NGINX and/or Apache.
    Just being able to fetch the certs and have them auto-renew is awesome.

    Thanks again and Happy New Year!
    Dave J



  2. Arjen

    You may wish to check on your cronjob. This site is using an expired LE certificate… :-)



Leave a comment

I'd very much like to hear what you think of this post. Feel free to leave a comment. I usually respond within a day or two, sometimes even faster. I will not share or publish your e-mail address anywhere.