Renewing your Let’s Encrypt Certificate

It wouldn’t be too far-fetched to imagine Captain Kirk yelling out “Cronnnnnnnnn! Cronnnnnnnnnn!”.

Just keeping a sense of humor about an area that has caused many of us some frustration: making sure our certificates renew correctly. Here are some aMi STACX tips to make sure automatic and manual Let’s Encrypt certificate renewals are successful.

[These steps pertain specifically to aMi STACX AMIs.]

To make sure Let’s Encrypt works flawlessly for certificate auto-renewals, we first have to make sure everything is set up correctly from the very beginning.

Auto-Renewal:

1. Make sure you use a real active email account when validating the certificate registration process. If you don’t use a real one, and there are certificate renewal issues, you won’t get the reminder emails that your certificate is set to expire.

2. Make sure the certbot renewal cron job is set up correctly.

To run the renewal cert check daily, we will use cron, a standard system service for running periodic jobs. We tell cron what to do by opening and editing a file called a crontab.

sudo nano /etc/crontab

Your text editor will open the default crontab which is a text file. Paste in the following line at the end of the file [as shown], then save and close it:

11 4 * * * root /usr/bin/certbot-auto renew --quiet

Note: The 11 4 * * * part of this line means “run the following command at 4:11 am, every day”. You may choose any time.

Manual Renewal:

If your certificate has already expired or is about to expire, follow these steps to get back up and running.

1. If you are using CloudFlare, first set the DNS name that you are about to renew to CDN OFF, which is the Gray Cloud.

2. If your cert has not yet expired, this should renew your cert(s) from the CLI:

sudo certbot-auto renew

3. If you have issues, you can re-run the command in the same format you used for the domain that already has the certificate.

After confirming that your DNS and your vhost are correct, get your free certificate from Let’s Encrypt from the CLI:

sudo certbot-auto --apache -d yourdomain.com

Or

sudo certbot-auto --apache -d subdomain.yourdomain.com

Note: For our LEMP/NGINX EC2 stacks, please see the admin guide for certificate instructions.

4. After you renew your certificate, you can place CloudFlare back to orange.

5. Re-check your cron settings so that your certificate auto-renews.

6. Make sure no outbound firewall rules are impacting Let’s Encrypt’s renewal.

You can check your Ubuntu syslog for any issues pertaining to the cron job:

/var/log/syslog
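
One way to re-check the cron entry and look for evidence in syslog that cron actually ran the renewal, as an added example that is not part of the original aMi STACX instructions. The function names and the sample files are assumptions constructed for illustration; the defaults are the paths used on this page.

```shell
#!/bin/sh
# Added example (not aMi STACX code). Sample files below are constructed.

# Print the certbot renew line from a system crontab if it is well formed:
# five schedule fields, a user field, then the command. Exit 1 otherwise.
renewal_entry() {
    awk '!/^[ \t]*#/ && /certbot(-auto)? +renew/ {
             # Field 6 must be the user; a path there means the user is missing
             if (NF >= 7 && $6 !~ /\//) { print; found = 1 }
         }
         END { exit (found ? 0 : 1) }' "${1:-/etc/crontab}"
}

# Count syslog lines showing that cron started the renewal command.
renewal_runs() {
    grep -cE 'CRON\[[0-9]+\]: \([^)]+\) CMD \(.*certbot(-auto)? renew' \
        "${1:-/var/log/syslog}" || true
}

# Write constructed sample files into directory $1 for an offline run.
write_samples() {
    cat > "$1/crontab" <<'EOF'
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
11 4 * * * root /usr/bin/certbot-auto renew --quiet
EOF
    cat > "$1/crontab.bad" <<'EOF'
11 4 * * * /usr/bin/certbot-auto renew --quiet
EOF
    cat > "$1/syslog" <<'EOF'
Mar  3 04:11:01 ip-10-0-0-5 CRON[2211]: (root) CMD (/usr/bin/certbot-auto renew --quiet)
Mar  3 04:17:01 ip-10-0-0-5 CRON[2290]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Mar  4 04:11:01 ip-10-0-0-5 CRON[3120]: (root) CMD (/usr/bin/certbot-auto renew --quiet)
EOF
}

# Demo on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
renewal_entry "$tmp/crontab" >/dev/null && echo "crontab entry: OK"
renewal_entry "$tmp/crontab.bad" >/dev/null || echo "crontab.bad: user field missing"
echo "renewal runs logged: $(renewal_runs "$tmp/syslog")"
rm -rf "$tmp"
```

On a live instance, call `renewal_entry` and `renewal_runs` with no arguments; reading /var/log/syslog may require sudo.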

That’s it! All should be on autopilot now.
