Last year I posted a simple script for keeping your Let’s Encrypt SSL certificates current.
In conjunction with my last post sharing the “best” SSL configs you can use with Apache on CentOS, here is the current state of the cron’d renewal script I use.
```bash
# Stop the services first: --standalone runs its own temporary web server,
# so Apache cannot be listening while the renewal runs
systemctl stop httpd.service
systemctl stop postfix

~/letsencrypt/letsencrypt-auto -t -n --agree-tos --keep --expand --standalone certonly --rsa-key-size 4096 -m user@domain.tld -d domain.tld
# you can append more [sub]domains to a single cert with additional `-d` directives ([-d otherdomain.tld [-d sub.domain.tld...]])
#...repeat for every domain / domain group

# Bring the services back up so they load the current certs
systemctl start httpd.service
systemctl start postfix
```
I have this script running @weekly in cron. You should be able to get away with doing it only every month or two, but I like to err on the side of caution.
I’m stopping and starting Postfix in addition to httpd (Apache on my system) for only two reasons: first, I am using some of the LE-issued certs in conjunction with my Postfix install; second, because I don’t know if Dovecot and my webmail system need to make sure Postfix is restarted if underlying certs change.
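A variant of the stop/renew/start sequence above that restarts only the services it actually stopped and hands the renewal command's exit status back to cron, so a failed renewal is visible instead of silent. This is an added example, not the author's script; `renew_with_restart`, `SYSTEMCTL` and `SERVICES` are hypothetical names.

```bash
#!/bin/sh
# Added example (not from the original post). SYSTEMCTL and SERVICES are
# hypothetical knobs; the defaults match the services named in the post.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
SERVICES="${SERVICES:-httpd.service postfix}"

# renew_with_restart CMD [ARGS...]
# Stops each running service, runs CMD, then restarts what was stopped.
# Returns CMD's exit status, or 1 if a stop/start call failed.
renew_with_restart() {
    local stopped svc rc
    stopped=""
    rc=0
    for svc in $SERVICES; do
        # Skip services that are not running, so a service the admin
        # disabled on purpose is not started by the weekly job.
        if "$SYSTEMCTL" is-active --quiet "$svc"; then
            "$SYSTEMCTL" stop "$svc" || { rc=1; break; }
            stopped="$svc $stopped"   # prepend: restart in reverse order
        fi
    done

    # Run the renewal only if every stop succeeded.
    if [ "$rc" -eq 0 ]; then
        "$@" || rc=$?
    fi

    # Always bring services back, even when the renewal failed.
    for svc in $stopped; do
        "$SYSTEMCTL" start "$svc" || rc=1
    done
    return "$rc"
}

# Usage in the cron'd script, with the same flags as in the post:
# renew_with_restart ~/letsencrypt/letsencrypt-auto -t -n --agree-tos --keep \
#     --expand --standalone certonly --rsa-key-size 4096 \
#     -m user@domain.tld -d domain.tld || exit $?
```

Because the function returns non-zero on failure, the cron job can exit with that status or send a notification rather than relying on someone reading the output.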