Certificate Management and Automatic Renewal Setup
1. Checking current certificates
Command certbot certificates
Let's start with something simple: how do you find out which certificates are already installed on your server? Let's Encrypt provides a handy tool, certbot. Using the certbot certificates command, you can get detailed information about your current certificates.
sudo certbot certificates
The output will look something like this:
Found the following certs:
Certificate Name: example.com
Domains: example.com www.example.com
Expiry Date: 2023-12-31 10:00:00+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
Here you'll see important details:
- Certificate name.
- Domains covered by the certificate.
- Expiry date (so you can renew it on time).
- Paths to the certificate and private key files.
Useful lifehack:
If you're in the habit of ignoring expiry notifications, this command will become your best friend. Nobody wants to be the programmer who finds out about an expired certificate from angry users.
2. Automatic Certificate Renewal
Under the Hood of Let's Encrypt
Let's Encrypt certificates are valid for 90 days to minimize security risks. But manually renewing them every 3 months? That's not practical. Luckily, there's a built-in command for automation:
sudo certbot renew
This process checks all certificates and automatically renews those that are close to expiration.
Setting Up Auto-Renewal with Cron
Cron is a built-in task scheduling tool in Linux. It runs commands on a schedule, which is exactly what we need to automate certificate renewal. Here's how to set up Cron for renewal:
Open the Cron editor for the current user:
sudo crontab -e
Add the following line to the end of the file:
0 0 * * * certbot renew --quiet
This command runs certbot renew every day at midnight. The --quiet flag suppresses unnecessary output, so the renewal happens quietly without bothering anyone.
Save the changes and exit the editor.
Now your server will automatically renew certificates, and you don’t have to worry about expiration (well, almost).
3. Manual Certificate Renewal
Sometimes automation doesn't solve all the problems, and you have to renew certificates manually. For example, if you just added a new domain to your site configuration, you'll need to request a new certificate manually. Here's where certbot comes to your rescue:
Command Example:
sudo certbot renew
Renewing a Certificate for a Specific Domain
If you need to renew a certificate linked to a specific domain, you can use the following request format:
sudo certbot certonly --nginx -d example.com -d www.example.com
Here:
- The --nginx flag specifies that the configuration will be automatically applied to the Nginx server. For Apache, use --apache.
- The -d flags list the domains for which the certificate needs to be issued.
Once you run the command, Certbot will check the server configuration, request a new certificate, and set it up.
4. Notifications and Monitoring
Email Notifications
When installing Certbot, it asked for your email address. If you provided it, you'll get notifications 20 days before your certificate expires. If you didn’t provide an email or want to update it, here’s how you can do it:
sudo certbot register --update-registration --email newaddress@example.com
Now, no situation will catch you off guard. Well, almost.
External Check
There are third-party services that can help you track certificate expiration. For example, SSL Labs. Just enter your website's address, and the service will check its certificate, including the expiration date, trust chain, and security level.
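As an added example (not part of the lecture), the following POSIX shell script parses the text that certbot certificates prints (the format shown in section 1) and turns it into the kind of expiry monitoring this section describes: it lists certificates with fewer than a given number of days left and returns a non-zero exit status so a cron job can alert you when automatic renewal has silently stopped working. The certbot output embedded in it is a constructed sample, not real certificates.

```shell
#!/bin/sh
# Added example, not part of the lecture: parse the output format that
# `certbot certificates` prints and flag certificates that expire soon.
# Pipe real output in with:  certbot certificates | expiring_certs 30

# Constructed sample in the format shown in section 1 (not real certs).
SAMPLE_CERTS='Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2023-12-31 10:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: shop.example.com
    Domains: shop.example.com
    Expiry Date: 2023-10-12 08:15:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/shop.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/shop.example.com/privkey.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2023-09-01 08:15:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.example.com/privkey.pem'

# expiring_certs THRESHOLD: reads certbot output on stdin and prints
# "<name> <days-left>" for every certificate with fewer days than THRESHOLD.
# An "(INVALID: EXPIRED)" line, or any line without "VALID: N days",
# is treated as 0 days left so it is always reported.
expiring_certs() {
  awk -v limit="$1" '
    /Certificate Name:/ { name = $3 }
    /Expiry Date:/ {
      days = 0
      if (match($0, /VALID: [0-9]+ day/))
        days = substr($0, RSTART + 7, RLENGTH - 11) + 0
      if (days < limit) print name, days
    }'
}

# alert_if_expiring THRESHOLD: exit status 1 (and a warning on stderr)
# when any certificate is below the threshold, so cron mails you only
# when `certbot renew` has silently stopped working.
alert_if_expiring() {
  found=$(expiring_certs "$1")
  if [ -z "$found" ]; then
    return 0
  fi
  printf 'WARNING: certificates with fewer than %s days left:\n%s\n' "$1" "$found" >&2
  return 1
}
```

A cron entry such as 0 6 * * * certbot certificates | /path/to/this-script-alert 30 (path is hypothetical) then produces mail only on the days something is actually wrong.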
5. Deleting Unnecessary Certificates
Sometimes old certificates become outdated, like if you’ve stopped supporting a specific domain. To keep your system clean, it’s better to delete them.
Command to delete:
sudo certbot delete
Certbot will show the list of available certificates and let you choose which one to delete.
Pro Tip:
Be careful when deleting certificates to avoid accidentally taking down a working site. Always double-check that the certificate is no longer in use anywhere.
6. Examples and Debugging Errors
Post-Update Check
After any changes or certificate updates, always check that the site is working correctly. The easiest way to do this is with curl:
curl -I https://example.com
The expected result is the status line HTTP/1.1 200 OK.
If something went wrong, check the logs first:
For Nginx:
sudo tail -f /var/log/nginx/error.log
For Apache:
sudo tail -f /var/log/apache2/error.log
Common Error: "Too Many Requests"
If you request new certificates too often, Let's Encrypt might block your access with the error "Too Many Requests." In such cases, it's recommended to use the Let's Encrypt staging server:
sudo certbot certonly --test-cert --nginx -d example.com
This command issues a test certificate, which isn't valid for real-world use but helps verify the configuration.
7. Final Step: Automatic Web Server Restart
Let's Encrypt updates certificate files, but web servers like Nginx or Apache don't notice changes until you restart them. This can also be automated. Update the cron job:
0 0 * * * certbot renew --quiet && systemctl reload nginx
Or for Apache:
0 0 * * * certbot renew --quiet && systemctl reload apache2
Now after renewal, any certificate will be applied to the server immediately.
This lecture is aimed at helping you sleep soundly at night, knowing that your certificates update automatically, your sites are secure, and you won't get a call from your boss at 3 AM saying "Users are complaining the site is down." Certificate management is an essential skill that will come in handy in real-world work, especially if you plan on deploying large-scale web applications or working in DevOps engineering.