In my how-to for Let’s Encrypt, I gave an example script that can be called via cron (or manually) which will renew Let’s Encrypt SSL certificates under CentOS 6.
If you want to do it on CentOS 7 (which is what I am now running), use the following:
#!/bin/sh
# renew-le-ssl.sh: update the Let's Encrypt client, then renew using the standalone verifier
cd ~/letsencrypt
git pull
# the standalone verifier needs the web ports free, so stop httpd first
systemctl stop httpd.service
~/letsencrypt/letsencrypt-auto --agree-tos --keep --rsa-key-size 2048 --standalone certonly -m user@domain.tld -d domain.tld [-d sub.domain.tld [-d ...]]
# bring the web server back up with the renewed certificate
systemctl start httpd.service
Now, what does this script do? Step by step:
- clear out the last grab of the Let’s Encrypt git repo (there’s probably a better way to do this, but I don’t know what it is)
- go to root’s home (/root)
- clone down the Let’s Encrypt toolset (the CentOS 7 script above does this with cd ~/letsencrypt and git pull rather than a fresh clone)
- stop httpd (Apache in my case, though you might be running nginx or something else) so the standalone verifier can bind the web ports
- run the cert tool in automated form:
  - agree to terms of service
  - keep current cert if it doesn’t need to be updated
  - key size of 2048 bits
  - run the standalone webserver to verify “ownership” of the domain
  - generate just the cert
  - administrative email (optional, but “encouraged”)
  - domain(s) to issue cert for (must be individually identified with successive -d flags; LE does not support wildcard certs)
- start httpd again
I set mine to run @weekly in cron; @monthly is likely good enough, but since it’s “free” to run, running slightly more than is necessary seems good to me. Plus, if you’re getting SSL certs for many domains all being served from the same server, they may have different expiration dates, so running more often is better.
My crontab entry for renewing certs:
@weekly /root/renew-le-ssl.sh
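As an added example (not the post's own script), here is a wrapper that only stops httpd when the certificate is actually close to expiry and restarts it even if the renewal fails, so a bad run from cron does not leave the site down. The openssl -checkend check, the /etc/letsencrypt/live/<domain>/cert.pem path, the /root/letsencrypt checkout location and the -d flag builder are my assumptions; the domains are passed as arguments.

```bash
#!/bin/bash
# Added example, not the post's own script: renew only when the cert is close to
# expiry and always bring httpd back. Assumed: checkout in /root/letsencrypt,
# certs under /etc/letsencrypt/live/<domain>/cert.pem, httpd as the web server.
set -u

LE_DIR=/root/letsencrypt
LIVE_DIR=/etc/letsencrypt/live
RENEW_WITHIN_DAYS=30            # renew when fewer than this many days remain
ADMIN_MAIL=user@domain.tld      # placeholder address from the post

# Every domain needs its own -d flag: "a.tld b.tld" -> "-d a.tld -d b.tld".
build_domain_flags() {
    local flags="" d
    for d in "$@"; do
        flags="$flags${flags:+ }-d $d"
    done
    printf '%s' "$flags"
}

# Succeeds (0) when the cert named after $1 is missing or expires within
# RENEW_WITHIN_DAYS; openssl -checkend returns 0 only if it stays valid that long.
cert_needs_renewal() {
    local cert="$LIVE_DIR/$1/cert.pem"
    [ -r "$cert" ] || return 0
    ! openssl x509 -checkend $((RENEW_WITHIN_DAYS * 86400)) -noout -in "$cert"
}

# $@ = domains; the first one names the cert directory under LIVE_DIR.
renew() {
    if ! cert_needs_renewal "$1"; then
        echo "cert for $1 is not due for renewal, leaving httpd alone"
        return 0
    fi
    cd "$LE_DIR" && git pull --quiet || { echo "could not update $LE_DIR" >&2; return 1; }
    # Restart httpd on any exit path so a failed renewal does not leave the site down.
    trap 'systemctl start httpd.service' EXIT
    systemctl stop httpd.service
    # shellcheck disable=SC2046  (word splitting of the flag string is intended)
    "$LE_DIR/letsencrypt-auto" --agree-tos --keep --rsa-key-size 2048 \
        --standalone certonly -m "$ADMIN_MAIL" $(build_domain_flags "$@") \
        || { echo "renewal failed for $1" >&2; return 1; }
}

if [ $# -gt 0 ]; then
    renew "$@"
else
    echo "usage: $0 domain.tld [sub.domain.tld ...]" >&2
fi
```

With this version the crontab entry carries the domains, e.g. @weekly /root/renew-le-ssl.sh domain.tld sub.domain.tld, and a weekly run that finds the cert still valid touches nothing.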