upbeat.it

by Cesare Rocchi

How to auto-renew a Let's Encrypt certificate (and get notifications about it)

by Cesare Rocchi

Tags: ssl

Let’s Encrypt was still in beta when I started Podrover so I preferred to avoid any risk.

Now I am building Affiliator and Let’s Encrypt is not in beta anymore. Plus I like the “always be learning” spirit, so I gave it a shot.

I didn’t pick it because it’s free. I am not a fan of free. The beauty of Let’s Encrypt is that it comes as a binary program that you can run in the shell. This means:

  • no more need to access a website to download obscure files
  • no more need to find (or remember) where to put those files on your server

I am sold.

On my server I installed Let’s Encrypt

> sudo apt-get update
> sudo apt-get install letsencrypt

And then ran

sudo letsencrypt certonly -a webroot --webroot-path=/affiliator/public -d beta.affiliator.com 

I was prompted to enter an email address. Let’s Encrypt is nice and will warn you via email a few weeks before the certificate expires. The command generated all the files into

/etc/letsencrypt/live/beta.affiliator.io

Then I configured Nginx.

server { 
  listen                 443;
  ssl                    on;
  ssl_certificate        /etc/letsencrypt/live/beta.affiliator.io/fullchain.pem;
  ssl_certificate_key    /etc/letsencrypt/live/beta.affiliator.io/privkey.pem;
  ...
}

I was ready to call it a day when a smart neurone bumped into another smart neurone, generating the question: what about certificate renewal?

Renewing a certificate

Commercial certificates usually last at least one year. The renewal involves again logging into a website, downloading obscure files and placing them in the right place. With Let’s Encrypt the renewal is easy peasy:

sudo letsencrypt renew

This will find expired certificates on the machine, and renew them if needed. But there’s a catch. At the moment a Let’s Encrypt certificate lasts exactly 90 days. Here’s the discussion about why. A few weeks before the expiration date Let’s Encrypt will send you a reminder via email. Every time you’ll need to:

  • ssh into the machine
  • renew the certificate
  • restart the web server

If you have just one machine it’s feasible. If you have ten or more, you’ll be doing the process above every 2-3 days. Not nice. The solution: automation!

Auto-renewing certificates

You could solve with a simple cron

0 2 * * 2 /usr/bin/letsencrypt renew >> /var/log/letsencrypt-renewal.log

This runs the script every two weeks and with a second cron you could restart the web server. But I like to stay up to date with what happens on my machines. I already have a bunch of scripts that build some reports and send them to a private Slack room. So I built another script that notifies me when the renewal of the SSL is attempted and if it is successful.

I could have used a bash script, but my machines have Ruby already installed so I took advantage of that.

#!/usr/bin/env ruby

require 'slack/poster'

result = `sudo letsencrypt renew`
poster = Slack::Poster.new(WEB_HOOK_URL)
poster.send_message "Result is #{result}"

When cron executed this script in Slack I saw

Result is 

meaning that the output of the command was not stored in the variable.

The catch is in to the sudo statement. If you run this script in a shell you’ll be prompted for a sudo password, and you don’t want that when a script is meant to be run by cron.

Luckily there’s a pretty nice solution. When you define the rules for sudoers (users with sudo permissions) you can also declare exceptions for certain scripts.

I use Ubuntu so I added this to /etc/sudoers

myuser ALL=NOPASSWD: /usr/bin/letsencrypt

This means

Don’t ask for a sudo password even if this script contains commands that would usually require a sudo password

Now the rest is easy. Schedule it once a week and you are set.

0 0 1,8,15,22 * * /bin/bash -l -c '/path/to/update_ssl.sh'

NOTE: the web server will keep on using the old certificate until you restart it. I didn’t automate this step yet, because I want to see how well this solution works.

It’s true, software developers should have sysadmin experience.

Let me know what’s your solution to this problem. I am curious.