Renewing your Let’s Encrypt Certificate

It wouldn’t be too far fetched to imagine Captain Kirk yelling out “Cronnnnnnnnn! Cronnnnnnnnnn!”.

Recommended: Don’t use Let’s Encrypt! Make use of Cloudflare’s Origin Certificates. They are free and expire in years, not three months.

Just keeping a sense of humor about an area that has caused many of us some frustration: making sure our certificate(s) renew correctly. Here are some aMiSTACX tips to make sure both automatic and manual Let’s Encrypt certificate renewals are successful.

[These steps pertain specifically to aMiSTACX AMIs.]

To make sure Let’s Encrypt certificate auto-renewals work flawlessly, everything has to be set up correctly from the very beginning.

Important! Cron and this outline will NOT work when using Cloudflare with the CDN “ON”. It is best NOT to use Let’s Encrypt for production systems.

Tip! G5 stacks need to use certbot, not certbot-auto.

Auto-Renewal:

1. Make sure you use a real active email account when validating the certificate registration process. If you don’t use a real one, and there are certificate renewal issues, you won’t get the reminder emails that your certificate is set to expire.

2. Make sure the certbot renewal cron job is set up correctly.

To run the renewal cert check daily, we will use cron, a standard system service for running periodic jobs. We tell cron what to do by opening and editing a file called a crontab.

sudo nano /etc/crontab

Your text editor will open the system crontab, which is a plain text file. Paste in the following line at the end of the file [as shown], then save and close it:

11 4 * * * root /usr/bin/certbot-auto renew --quiet

Note: The 11 4 * * * part of this line means “run the following command at 4:11 am, every day”. You may choose any time. The root field is the user the job runs as; it is required in /etc/crontab (the system crontab) but must be left out of a per-user crontab edited with crontab -e.

Manual Renewal:

If your certificate has already expired or is about to expire, follow these steps to get back up and running.

1. First, if you are using Cloudflare, make sure the DNS record for the name you are about to renew is set to CDN OFF, which is the grey cloud.

Note: Make sure port 80 is open to all traffic. [Only required for the renewal; otherwise port 80 is obsolete and really doesn’t need to be open to inbound traffic.]

2. If your cert has not yet expired, this should renew your cert(s) from the CLI:

sudo certbot-auto renew

3. If you have issues, you can re-run the same command you used when the domain first obtained its certificate.

After confirming the DNS and your vhost are correct, get your free certificate from Let’s Encrypt with the CLI:

sudo certbot-auto --apache -d yourdomain.com

Or

sudo certbot-auto --apache -d subdomain.yourdomain.com

4. After you renew your certificate, you can set Cloudflare back to orange. Keep in mind that the cron auto-renewal will fail while the CDN is ON, but you don’t want to leave your CDN set to OFF either.

You can check Ubuntu’s syslog for any issues pertaining to the cron job:

/var/log/syslog
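As an added example, not part of the aMiSTACX page or its AMIs, the script below ties together the two things the cron setup above and the manual-renewal steps depend on: whether the renewal line actually landed in /etc/crontab with its root user field, and how many days the installed certificate has left, read with openssl from certbot’s default /etc/letsencrypt/live/<domain>/cert.pem path (that path, the function names and the 10-day “cron is failing” threshold are assumptions of this example; certbot’s own 30-day renewal window is its documented default). Running it by hand, or from cron with its output mailed to that real email address from step 1, tells you a renewal has been missed well before the browser warnings start.

```shell
#!/bin/sh
# Let's Encrypt renewal pre-flight check (added example, not aMiSTACX code).
# Assumptions not taken from the page: certbot's default live path
# /etc/letsencrypt/live/<domain>/cert.pem and the system crontab /etc/crontab.

# days_until_expiry NOTAFTER NOW_EPOCH
# NOTAFTER is the text after "notAfter=" in `openssl x509 -enddate` output,
# e.g. "Mar  5 12:00:00 2025 GMT". Prints whole days left (negative = expired).
# Uses GNU date -d, which Ubuntu ships.
days_until_expiry() {
    local exp
    exp=$(date -u -d "$1" +%s) || return 1
    echo $(( (exp - $2) / 86400 ))
}

# renewal_status DAYS
# certbot renew only acts when fewer than 30 days remain, so a cert that has
# dropped below 10 days means the daily cron job has been failing for weeks.
# The 10-day cut-off is a constructed threshold that still leaves time to renew by hand.
renewal_status() {
    if [ "$1" -lt 0 ]; then echo expired
    elif [ "$1" -lt 10 ]; then echo cron-failing
    elif [ "$1" -lt 30 ]; then echo renew-due
    else echo ok
    fi
}

# has_renewal_job CRONTAB_FILE
# /etc/crontab lines carry a user field between the schedule and the command;
# a line pasted without "root" is the most common reason the job never runs.
has_renewal_job() {
    grep -Eq '^[^#]*[[:space:]]root[[:space:]]+[^[:space:]]*certbot(-auto)?[[:space:]]+renew' "$1"
}

# cert_days_left CERT_PEM: read the real end date from the installed certificate.
cert_days_left() {
    local notafter
    notafter=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//') || return 1
    days_until_expiry "$notafter" "$(date -u +%s)"
}

# check_site DOMAIN: one-shot report, usable by hand or from cron.
check_site() {
    local days
    days=$(cert_days_left "/etc/letsencrypt/live/$1/cert.pem") || {
        echo "$1: no certificate found under /etc/letsencrypt/live"
        return 1
    }
    echo "$1: $days days left, status $(renewal_status "$days")"
    has_renewal_job /etc/crontab || echo "warning: no certbot renew job with a root user field in /etc/crontab"
}

# Usage: sh check-le-renewal.sh yourdomain.com
if [ "${1:-}" ]; then check_site "$1"; fi
```

The status names are deliberately coarse: `renew-due` is normal (certbot should be handling it any day now), `cron-failing` is the signal to go through the manual-renewal steps above, and `expired` means the grey-cloud, port-80, `certbot-auto renew` sequence is already overdue.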