3 Steps to Setup auto renew for Let’s Encrypt SSL Certificates(Apache)
In this tutorial, I will show you how to renew your Let’s Encrypt certificates automatically on Apache server. After this You don’t need to renew your letsencrypt SSL certificates manually. If you’re using a Nginx Server then follow this tutorial here.
How to auto renew Let’s encrypt Certificates ?
Letsencrypt auto renewal set up process is a very easy and simple one, you just need to set up a cron job to automatically renew your certificates. But if I only show you the cron job part, later you may face some problems. That is why in this tutorial, you will find 3 steps which let you to set up a perfect auto renewal for your Let’s Encrypt SSL Certificate. So, Let’s get started

There are 3 steps in this tutorial:
Want Exclusive Tutorials?
Prerequisites
- Before getting started with this tutorial, you should have Installed Let’s Encrypt SSL certificates on your Apache or Nginx server. If you not done that yet then follow this tutorial here(I am working on it).
- Running any Linux system with sudo or root privileges shell access.
There are lot of ACME client available for letsencrypt certificate installation but for simplicity we used Certbot.
Let’s get started,
Step 1: Determining Certbot type
It is very important to find out which type of Certbot you are using at the time of Letsencrypt SSL certificate installation. This is necessary because later you have to put different command in cron script, base on Certbot type. There are two ways to install Certbot on a Linux server.
a) Using wget https://dl.eff.org/certbot-auto : As per certbot officials website this method is use for Debian 8, CentOS 6, RHEL 6, Ubuntu (>>16.04) version of Linux. If you used wget method then you already have a ‘certbot-auto’ directory in your server. Later we’ll need the location of that directory. Generally people download the certbot-auto in /usr/local/bin/certbot-auto directory. You may have downloaded it at /etc/letsencrypt or somewhere else.
If you forgot or delete it then execute the following lines from SSH shell terminal.
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /etc/letsencrypt/certbot-auto
sudo chown root /etc/letsencrypt/certbot-auto
sudo chmod 0755 /etc/letsencrypt/certbot-auto
b) Installed from Linux repository : If you installed certbot using command like this
#For CentOS 7 or up sudo yum install certbot python2-certbot-apache #For Debian 9 or up and Ubuntu 16.04 up sudo apt-get install certbot python-certbot-apache
Then it means that you installed certbot from Linux repository.
Our Latest Posts
Step 2 : Renewing Letsencrypt certificates Automatically
certbot renew
command at every weekend.
Certbot renew command attempts to renew any previously-obtained certificates that expire in less than 30 days. The same plugin and options that were used at the time the certificate was originally issued will be used for the renewal attempt. Since renew
only renews certificates that are near expiry it can be run as frequently as you want – since it will usually take no action.
So, let’s open crontab by executing following line on your Linux terminal.
sudo crontab -eWe have to use Root user crontab that is why we’re using sudo command. Only root user have the permission to execute
certbot renew
command. If you are wondering what is crontab then let me explain it to you, Crontab (cron table) is a just list of cron jobs which you may want to run on a schedule time.
You may be asked to select an editor. Select Nano or /bin/nano if it’s available by typing its number and pressing Enter. Vi and other more advanced editors may be preferred by advanced users, but Nano is an easy editor to get started with.

For those, who use wget https://dl.eff.org/certbot-auto
For, Debian Linux version 7.x or Ubuntu Linux version Ubuntu 14.10 or older:* 3 * * 6 cd /path/location && ./certbot-auto renew && /etc/init.d/apache2 restart
For, Debian Linux version 8.x+ or Ubuntu Linux version Ubuntu 15.04+ or above:
* 3 * * 6 cd /path/location && ./certbot-auto renew && systemctl restart apache2.service
For, CentOS/RHEL (Red Hat) Linux version 4.x/5.x/6.x or older specific commands
* 3 * * 6 cd /path/location && ./certbot-auto renew && service httpd restart
For, CentOS/RHEL (Red Hat) Linux version 7.x or newer specific commands
* 3 * * 6 cd /path/location && ./certbot-auto renew && systemctl restart httpd.service
For those, who Installed Certbot from Linux repository :
For, Debian Linux version 7.x or Ubuntu Linux version Ubuntu 14.10 or older:
* 3 * * 6 certbot renew && /etc/init.d/apache2 restart
For, Debian Linux version 8.x+ or Ubuntu Linux version Ubuntu 15.04+ or above:
* 3 * * 6 certbot renew && systemctl restart apache2.service
For, CentOS/RHEL (Red Hat) Linux version 4.x/5.x/6.x or older specific commands
* 3 * * 6 certbot renew && service httpd restart
For, CentOS/RHEL (Red Hat) Linux version 7.x or newer specific commands
* 3 * * 6 cd certbot renew && systemctl restart httpd.service
Saving the File
Now, Press Ctrl-O and press Enter to save the crontab file in Nano. Use the Ctrl-X shortcut to close Nano after you’ve saved the file.
Step 3: Letsencrypt Auto Renew Testing:
Though this part is optional but I recommand you to test your auto-renew cron script for errors. It will be a disaster if your Letsencrypt Certificate does not renew before expire due to some error.
Basic Testing using --dry-run:
For error checking we’ll perform certbot renew --dry-run
or path/location/certbot-auto renew --dry-run
——- a process in which the auto-renew script will be executed without actually renewing the certificates.
Execute the following lines on your Linux terminal,
For those, who use wget https://dl.eff.org/certbot-auto
sudo -i cd /path/location && ./certbot-auto renew --dry-run && apache-restart-command
For those, who Installed Certbot from Linux repository :
sudo -i
certbot renew --dry-run && apache-restart-command
Advance testing using --force-renew
In this advance testing section we’ll simulate the letsencrypt auto certificate renewal process by using –force-renew command. As you already know that the certbot renew command only take action if your certificate has less than 30 days. But if we use it with “–force-renew” command then your certificate get renewed immediately. Remember that, you only can renew 5 certificates per week for a particular domain or subdomain.
1. Note the date of your current certificate
To view the current expire date of your let’s encrypt certificate, execute the following command on your terminal.
sudo openssl x509 -noout -dates -in /etc/letsencrypt/live/your-domain-name/fullchain.pem
Take note of the date and time when the certificate was issued – either paste it into notepad or write it down on a piece of paper.
2. Creating A Cron job
In this step we’ll create a cron job which will get executed after 6 minutes.
Execute the “date” command to know the current time of your Linux server.

In this example my Linux server time showed 17:38:05. So, Let’s create a cron job at 17:44 (17:38 plus 6 minutes).

44 17 * * * cd /etc/letsencrypt/ && ./certbot-auto renew --force-renew && /etc/init.d/apache2 restart
Don’t forget to change the time and Apache restart command(as per as your Linux version).
3. Syslog log Checking
After the time at the front of the script has passed (17:44 in this example), check your system log to verify that the script has executed successfully.
To view the system log execute this command,
cat /var/log/syslog
If the cron script appear in syslog then follow the next step, if not then wait few minutes and reopen the syslog.
4. Check if renewal was successful
Now, Lets again check the let’s encrypt certificate’s expire date,
sudo openssl x509 -noout -dates -in /etc/letsencrypt/live/your-domain-name/fullchain.pem
Now, compare the noted expiry date with the current expire date, if you are seeing any changes then you don’t have any error in your auto renewal script. If not then feel free to drop a comment in the below comment section.
Lastly don’t forgot to revert crontab script to default.
Now it is your time!
I tried my best to provide you a complete tutorial on how to renew your letsencrypt SSL Certificate automatically. I hope you liked it.
If you need help just drop a comment.
If you benefited from this tutorial, and would like to support my work, please like my Facebook page.
Thanks,