Let’s Encrypt Renewal

Before my new Let's Encrypt certificate expired I needed to set up an auto-renewal script.

If I were just renewing a certificate for a web server it would be slightly easier. The application that I'm protecting, however, requires a slightly more involved approach. I'm protecting a quassel-core, which needs the private key and the full certificate chain to both be saved in a single quasselCert.pem file.

To start I set up a bash script to automate the process.

#!/bin/bash
# Stop quasselcore so it picks up the new bundle on restart
service quasselcore stop
# -n: non-interactive, --force-renew: renew even if the cert is not close to expiry
letsencrypt renew -n --agree-tos --force-renew
# Keep the last working bundle as a fallback
mv /var/lib/quassel/quasselCert.pem /var/lib/quassel/quasselCert.pem.old
# quasselcore wants key first, then the full chain, in one file
cat /etc/letsencrypt/live/my_server/privkey.pem > /var/lib/quassel/quasselCert.pem
cat /etc/letsencrypt/live/my_server/fullchain.pem >> /var/lib/quassel/quasselCert.pem
service quasselcore start

This script stops the running quasselcore service. Then it requests a certificate renewal from letsencrypt. The “renew” subcommand attempts to renew the certificate using the same method that originally requested it. Once this is complete the renewed cert files are saved to the default location, /etc/letsencrypt/live/my_server/. Assuming the renewal processed correctly, the script then moves my last working certificate chain file to a .old file just in case. Then the private key and full cert chain are written to the quasselCert file. Now that the new cert is in place, the script starts the quasselcore service again.

Let's Encrypt certificates expire every 90 days. To make sure that I don't forget to log in and run this renewal, I schedule a cron job to do it automatically. I have a low-privileged user to run quassel, so I use that same account for the cron job. For the sake of this example, let's call the user quser.

crontab -u quser -e

I enter the following line to schedule the renewal to run on the first day of every month.

0 0 1 * * /home/quser/renew_cert.sh

Done!
