January 9, 2020

LetsEncrypt Script to Auto Renew Certificates for Apache

Need a way to perform LetsEncrypt renewals automatically? This quick script renews SSL certs with Apache once the remaining validity drops below a day threshold you specify, rather than just attempting a renewal daily.

Dealing with a lot of Apache hosts and using LetsEncrypt free SSL certificates can lead to a lot of manual renewing of the certs.



Some seem to just create a cron job to run certbot renew daily and it will renew once it gets within the 30 days. I don't like that approach myself so I wrote a script that you can set the parameter yourself and have the cron run however often you feel necessary, like once a week to narrow down the cert closer to its actual expiration date.

This simple script is:

#!/bin/bash
# Script to auto renew Lets Encrypt SSL certs based
# on defined # of valid days remaining.
# 
# Valid for Apache installs, can be easily updated to support others.
#
# Written by agentpoyo 2019-12-27
# agentpoyo@gmail.com

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details. <http://www.gnu.org/licenses/>.
#

# Usage: ./le_auto_renew.sh <number>
# Example: ./le_auto_renew.sh 7   # Will renew the certificates if VALID days left is less than 7 days.

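# Let's extract the valid # of days left (single certificate only):
DAYS=$(certbot certificates | grep "Expiry Date" | cut -d"(" -f2 | cut -d" " -f2)
NUM="$1"

# Both values must be whole numbers, otherwise the -lt test below fails
# (no argument given, an expired cert, or more than one certificate found).
case "$NUM" in ''|*[!0-9]*) echo "Usage: $0 <number>" >&2; exit 1 ;; esac
case "$DAYS" in ''|*[!0-9]*) echo "Could not read a single day count: '$DAYS'" >&2; exit 1 ;; esac

if [ "$DAYS" -lt "$NUM" ]; then
   echo "$DAYS is less than $NUM, time to renew!"
   /usr/bin/certbot renew --quiet
   /usr/sbin/apachectl graceful   # never hurts to do a graceful restart of apache
else
   echo "$DAYS valid days is not less than the $NUM day(s) configured, no need to renew yet."
fi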

Right now this only works for those using LE with Apache who have only a single domain.

The idea behind this script is that it grabs the "Expiry Date" from the current certificate and compares the valid days left with the number of days you pass in: if fewer days are left than that number, it renews.

The script is simply run like:

sh ./le_auto_renew.sh 7

The above example would renew if the number of valid days left is less than 7.

You can simply throw this in crontab too, customizing how you see fit. But the idea is I wanted my LE certificates to renew closer to the actual renew date and not exactly at the 30 days mark when they will allow the renewal to take place.

You can simply download the script directly from GitHub by doing the following:

wget https://raw.githubusercontent.com/agentpoyo/scripts/master/le_auto_renew.sh

I've got a client that has multiple certs on the same Apache instance so I'm hoping to find the time to handle multiple certs that might have different Expiry Dates returned from the lookup, only renewing those needing to be renewed.
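
One way the multi-certificate case could be handled, as an added example that is not part of the original script or the author's repository. It assumes `certbot certificates` prints a `Certificate Name:` line before each `Expiry Date:` line; the `certs_due` and `renew_due` names and the sample output are constructed for illustration.

```bash
#!/bin/bash
# Added example (not the original script). Reads `certbot certificates` output
# on stdin and prints the name of every certificate with fewer than $1 valid
# days left. Assumed line formats: "Certificate Name: <name>" and
# "Expiry Date: <timestamp> (VALID: N days)" or "(INVALID: EXPIRED)".
certs_due() {
    awk -v limit="$1" '
        /Certificate Name:/ { name = $NF }
        /Expiry Date:/ {
            status = $0
            sub(/^[^(]*\(/, "", status)      # drop everything up to "("
            sub(/\).*$/, "", status)         # drop ")" and what follows
            split(status, f, " ")
            if (status ~ /EXPIRED/)          days = 0      # already expired
            else if (f[1] != "VALID:")       next          # other status: skip
            else if (f[3] ~ /^hour/)         days = 0      # under one day left
            else if (f[2] ~ /^[0-9]+$/)      days = f[2]
            else                             next          # unknown format: skip
            if (days + 0 < limit + 0) print name
        }'
}

# Renew only the certificates that are due, then reload Apache once.
renew_due() {
    local due name
    due=$(certbot certificates 2>/dev/null | certs_due "$1")
    [ -n "$due" ] || { echo "nothing to renew"; return 0; }
    for name in $due; do
        /usr/bin/certbot renew --quiet --cert-name "$name"
    done
    /usr/sbin/apachectl graceful
}

# Constructed sample output, so the parser can be tried without certbot.
SAMPLE='Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2020-03-27 12:00:00+00:00 (VALID: 77 days)
  Certificate Name: shop.example.com
    Domains: shop.example.com
    Expiry Date: 2020-01-14 09:30:00+00:00 (VALID: 5 days)
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2020-01-02 08:00:00+00:00 (INVALID: EXPIRED)'

printf '%s\n' "$SAMPLE" | certs_due 7
```

On a real host, `renew_due 7` would replace the single-certificate check; an expired certificate is treated as having 0 days left so it is always picked up.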