I use Let's Encrypt TLS certificates on my Debian servers along with the Certbot tool. Since I use the "temporary webserver" method of proving domain ownership via the ACME protocol, I cannot use the cert renewal cronjob built into Certbot.
Instead, this is the script I put in
```bash
#!/bin/bash

# Stop Apache so certbot's standalone webserver can bind to port 80,
# then start it again once the renewal attempt is finished.
/usr/bin/certbot renew --quiet \
    --pre-hook "/bin/systemctl stop apache2.service" \
    --post-hook "/bin/systemctl start apache2.service"

# Commit any changed certificate files to the etckeeper repository,
# and only print something (which cron will email) if certs changed.
pushd /etc/ > /dev/null
/usr/bin/git add letsencrypt
DIFFSTAT="$(/usr/bin/git diff --cached --stat)"
if [ -n "$DIFFSTAT" ] ; then
    /usr/bin/git commit --quiet -m "Renewed letsencrypt certs"
    echo "$DIFFSTAT"
fi
popd > /dev/null
```
It temporarily disables my Apache webserver while it renews the certificates and then only outputs something to STDOUT (since my cronjob will email me any output) if certs have been renewed.
Since I'm using etckeeper to keep track of config changes on my servers, my renewal script also commits to the repository if any certs have changed.
In order to catch mistakes or oversights, I use ssl-cert-check to monitor my domains once a day:
```bash
ssl-cert-check -s fmarier.org -p 443 -q -a -e email@example.com
```
In other words, I get notified:
- if my cronjob fails and a cert is about to expire, or
- as soon as a new cert is issued.
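As an added example (not part of the original post), here is a local counterpart to the ssl-cert-check monitoring above: it walks the certificates certbot writes under `/etc/letsencrypt/live` and reports any that expire within a given number of days, so it can run from the same daily cron job and catch a renewal that silently stopped working. It assumes `openssl` is installed and uses `openssl x509 -checkend`, which exits non-zero when the certificate expires within the given number of seconds; the directory and function names are the author's choice, not certbot's.

```bash
#!/bin/bash
# Added example: local expiry check for certificates renewed by certbot.
# Assumes openssl is available (it is a dependency of certbot on Debian).

# True (exit 0) if the certificate at $1 expires within $2 days,
# or is already expired or cannot be read; false (exit 1) otherwise.
cert_expiring_within() {
    local cert="$1" days="$2"
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
        return 1   # still valid beyond the warning window
    fi
    return 0       # expiring, expired, or unreadable: all worth an email
}

# Check every <name>/cert.pem below the live directory ($1, default
# /etc/letsencrypt/live) against a warning window of $2 days (default 30).
# Prints one line per problem cert and exits 1 if any was found, 0 otherwise.
check_certbot_certs() {
    local live_dir="${1:-/etc/letsencrypt/live}" days="${2:-30}" problems=0
    for cert in "$live_dir"/*/cert.pem; do
        [ -e "$cert" ] || continue
        if cert_expiring_within "$cert" "$days"; then
            echo "WARNING: $(basename "$(dirname "$cert")") expires within $days days"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# When executed directly (e.g. from cron), run the check with any arguments
# given; any output will be emailed by cron, just like the renewal script.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    check_certbot_certs "$@"
fi
```

Because certbot normally renews 30 days before expiry, a warning from this check means the renewal script has been failing for a while and is worth investigating before the 90-day lifetime runs out.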
The whole thing seems to work well, but if there's anything I could be doing better, feel free to leave a comment!