Automating Certificate Renewal
Crontab is a handy little scheduler built into Linux. With it we can have the server run anything we like, at a time that suits us. The formatting of crontab may seem pretty confusing if this is your first time using it, but it isn’t too much of a dark art. See Crontab Guru for a nice interactive explanation of the values we’re going to use.
Before we add the command to the schedule, test that the renewal command is working. The output should look pretty similar to what we saw when we first requested the certificate.
sudo certbot renew --dry-run
To open up the crontab file, type the following, then add something like the below image to set the schedule.
sudo crontab -e
This setting will have the renew command run every Sunday morning at 5.27am. Picking a random time is good because, if everyone picked the same time or a more exact time, it would risk swamping the servers at Let’s Encrypt. It just helps stagger requests. It doesn’t matter if the certificate needs to be renewed or not, as the server will simply say shove off if it’s not up for renewal. And that’s it. As crontab uses vi by default, enter lines by pressing the insert key first. Save the file with :w and exit with :q
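The schedule described above, written out as a crontab line, with a helper that picks a random slot to stagger requests. This is an added example, not part of the original post; the function names are hypothetical and it assumes certbot is on the PATH that root's cron jobs run with.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumes certbot is on the PATH that root's cron jobs run with.

# Print a weekly crontab line (minute hour day-of-month month day-of-week command).
# Rejects non-numeric or out-of-range fields so a typo cannot silently
# produce a schedule that never fires.
renew_cron_line() {
    for field in "$1" "$2" "$3"; do
        case "$field" in
            ''|*[!0-9]*) echo "cron fields must be numeric" >&2; return 1 ;;
        esac
    done
    if [ "$1" -gt 59 ] || [ "$2" -gt 23 ] || [ "$3" -gt 6 ]; then
        echo "cron field out of range" >&2
        return 1
    fi
    printf '%s %s * * %s certbot renew\n' "$1" "$2" "$3"
}

# Same line with a random minute and hour, to stagger requests.
# Optional argument: day of week (0 = Sunday, the default).
random_renew_cron_line() {
    n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
    renew_cron_line "$((n % 60))" "$((n / 60 % 24))" "${1:-0}"
}

# Read crontab text on stdin; succeed if an uncommented line already runs
# "certbot renew", so the job is not added twice.
has_renew_job() {
    grep -Eq '^[[:space:]]*[^#[:space:]].*certbot[[:space:]]+renew'
}

# The schedule from the text: Sundays at 05:27.
renew_cron_line 27 5 0
# A randomly staggered Sunday slot.
random_renew_cron_line
```

To check whether root's crontab already has the job, pipe the output of sudo crontab -l into has_renew_job.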
And We’re Done
That’s it. Once again all ready to rock and roll. If you’ve read through this tutorial and think you’ll give it a bash, do also take a look at Let’s Encrypt’s article on how it all works. I have to say I’m pretty impressed at how painless it was to do, and now I have an HTTPS website (with nothing on it) for the price of air. Very much recommended.