I use Let's Encrypt TLS certificates on my Debian servers along with the Certbot tool. Since I use the "temporary webserver" method of proving domain ownership via the ACME protocol, I cannot use the cert renewal cronjob built into Certbot.
To disable the built-in cronjob, I ran the following:
systemctl disable certbot.service
systemctl disable certbot.timer
Then I put my own renewal script in /etc/cron.daily/certbot-renew
:
#!/bin/bash
/usr/bin/certbot renew --quiet --pre-hook "/bin/systemctl stop apache2.service" --post-hook "/bin/systemctl start apache2.service"
pushd /etc/ > /dev/null
/usr/bin/git add letsencrypt ejabberd
DIFFSTAT="$(/usr/bin/git diff --cached --stat)"
if [ -n "$DIFFSTAT" ] ; then
/usr/bin/git add letsencrypt ejabberd .etckeeper
/usr/bin/git commit --quiet -m "Renewed letsencrypt certs"
echo "$DIFFSTAT"
fi
popd > /dev/null
# Generate the right certs for ejabberd and znc
if test /etc/letsencrypt/live/jabber-gw.fmarier.org/privkey.pem -nt /etc/ejabberd/ejabberd.pem ; then
cat /etc/letsencrypt/live/jabber-gw.fmarier.org/privkey.pem /etc/letsencrypt/live/jabber-gw.fmarier.org/fullchain.pem > /etc/ejabberd/ejabberd.pem
fi
cat /etc/letsencrypt/live/irc.fmarier.org/privkey.pem /etc/letsencrypt/live/irc.fmarier.org/fullchain.pem > /home/francois/.znc/znc.pem
It temporarily disables my Apache webserver while it renews the certificates and then only outputs something to STDOUT (since my cronjob will email me any output) if certs have been renewed.
Since I'm using etckeeper to keep track of config changes on my
servers, my renewal script also commits to the repository if any certs have
changed. To keep the lock file out of git, I put the following in /etc/.gitignore
:
/letsencrypt/.certbot.lock
Finally, since my
XMPP server
and
IRC bouncer
need the private key and the full certificate chain to be in the same file,
so I regenerate these files at the end of the script. In the case of
ejabberd, I only do so if the certificates have actually changed since
overwriting ejabberd.pem
changes its timestamp and triggers an
fcheck notification (since it
watches all files under /etc
).
External Monitoring
In order to catch mistakes or oversights, I use ssl-cert-check to monitor my domains once a day:
ssl-cert-check -s fmarier.org -p 443 -q -a -e francois@fmarier.org
The whole thing seems to work well, but if there's anything I could be doing better, feel free to leave a comment!