Share on facebook
Share on twitter

3 Steps to Setup auto renew for Let’s Encrypt SSL Certificates(Nginx)

In this  tutorial, I will show you how to renew your Let’s Encrypt certificates automatically on Nginx server. After this You don’t need to renew your letsencrypt SSL certificates manually. If you’re using an Apache Server then follow this tutorial here.

How to auto renew Let’s encrypt Certificates ?

Letsencrypt auto renewal set up process is a very easy and simple one, you just need to set up a cron job to automatically renew your certificates. But if I only show you the cron job part, later you may face some problems. That is why in this tutorial, you will find 3 steps which let you to set up a perfect auto renewal for your Let’s Encrypt SSL Certificate. So, Let’s get started


  • Before getting started with this tutorial, you should have Installed Let’s Encrypt SSL certificates on your Nginx server. If you not done that yet then follow this tutorial here(I am working on it).
  • Running  any Linux system with sudo or root privileges shell access.

There are lot of ACME client available for letsencrypt certificate installation but for simplicity we used Certbot.

Let’s get started,

Step 1: Determining Certbot type

It is very important to find out which type of Certbot you are using  at the time of  Letsencrypt SSL certificate installation. This is necessary because later you have to put different command in cron script, base on Certbot type.  There are two ways to install Certbot on a Linux server.

a) Using wget  :  As per certbot officials website this method is use for Debian 8, CentOS 6, RHEL 6, Ubuntu (>>16.04) version of Linux. If you used wget method  then you already have  a ‘certbot-auto’ directory in your server. Later we’ll need the location of that directory. Generally people download the certbot-auto in /usr/local/bin/certbot-auto directory. You may have downloaded it at /etc/letsencrypt or somewhere else.

If you forgot or delete it then execute the following lines from  SSH shell terminal.

sudo mv certbot-auto /etc/letsencrypt/certbot-auto
sudo chown root /etc/letsencrypt/certbot-auto
sudo chmod 0755 /etc/letsencrypt/certbot-auto

b) Installed from Linux repository : If you installed certbot using command like this

#For CentOS 7 or up
sudo yum install certbot python2-certbot-nginx
#For Debian 9 or up and Ubuntu 16.04 up
sudo apt-get install certbot python-certbot-nginx

Then it means that you installed certbot from Linux repository.

Step 2 : Renewing Letsencrypt certificates Automatically

In this step we will setup letsencrypt auto renew using Cron.

The cron is a software utility, offered by Linux-like operating system which automates the scheduled task at a predetermined time. It is a daemon process, which runs as a background process and performs the specified operations at the predefined time when a certain event or condition is triggered without the intervention of a user.

We are going to setup a scheduled task to execute certbot renew command at every weekend.

Certbot renew command attempts to renew any previously-obtained certificates that expire in less than 30 days. The same plugin and options that were used at the time the certificate was originally issued will be used for the renewal attempt. Since renew only renews certificates that are near expiry it can be run as frequently as you want – since it will usually take no action.

So, let’s  open crontab by executing following line on your Linux terminal.

sudo crontab -e

We have to use Root user crontab that is why we’re using sudo command. Only root user have the permission to execute certbot renew command. If you are wondering what is crontab then let me explain it to you, Crontab (cron table) is a just list of cron jobs which you may want to run on a schedule time.

You may be asked to select an editor. Select Nano or  /bin/nano if it’s available by typing its number and pressing Enter. Vi and other more advanced editors may be preferred by advanced users, but Nano is an easy editor to get started with.

Use the arrow keys or the page down key to scroll to the bottom of the crontab file in Nano. The lines starting with # are comment lines, which means that cron ignores them.

Now paste or type the following line according to your certbot type and Linux version. This code will run on every weekend at 3.00 am. When your letsencrypt SSL certificate left less than  30 days, the certbot renew command will renew you letsencrypt cert automatically.

For those, who use wget 

For, Debian Linux version 7.x or Ubuntu Linux version Ubuntu 14.10 or older:

* 3 * * 6 cd /path/location && ./certbot-auto renew && /etc/init.d/nginx restart

For, Debian Linux version 8.x+ or Ubuntu Linux version Ubuntu 15.04+ or above:

* 3 * * 6 cd /path/location && ./certbot-auto renew && systemctl restart nginx

For, CentOS/RHEL (Red Hat) Linux version 4.x/5.x/6.x or older specific commands

* 3 * * 6 cd /path/location && ./certbot-auto renew && service nginx restart

For, CentOS/RHEL (Red Hat) Linux version 7.x or newer specific commands

* 3 * * 6 cd /path/location && ./certbot-auto renew && systemctl restart nginx

For those, who Installed Certbot from Linux repository :

For, Debian Linux version 7.x or Ubuntu Linux version Ubuntu 14.10 or older:

* 3 * * 6 certbot renew && /etc/init.d/nginx restart

For, Debian Linux version 8.x+ or Ubuntu Linux version Ubuntu 15.04+ or above:

* 3 * * 6 certbot renew && systemctl restart nginx

For, CentOS/RHEL (Red Hat) Linux version 4.x/5.x/6.x or older specific commands

* 3 * * 6 certbot renew && service nginx restart

For, CentOS/RHEL (Red Hat) Linux version 7.x or newer specific commands

* 3 * * 6 cd certbot renew && systemctl restart nginx

Saving the File

Now, Press Ctrl-O and press Enter to save the crontab file in Nano. Use the Ctrl-X shortcut to close Nano after you’ve saved the file.

Step 3: Auto Renew Testing:

Though this part is optional but I recommand you to test your auto-renew cron script for errors. It will be a disaster if your Letsencrypt Certificate does not renew before expire, due to some error. 

Basic Testing using --dry-run:

For error checking we’ll  perform certbot renew --dry-run or path/location/certbot-auto renew --dry-run ——- a process in which the auto-renew script will be executed without actually renewing the certificates.

Execute the following lines on your Linux terminal,

For those, who use wget 

sudo -i 
cd /path/location && ./certbot-auto renew --dry-run && nginx-restart-command

For those, who Installed Certbot from Linux repository :

sudo -i 
certbot renew --dry-run && nginx-restart-command

Advance testing using --force-renew

In this advance testing section we’ll simulate the letsencrypt  auto certificate renewal process by using –force-renew command. As you already know that the certbot renew command only take action if your certificate has less than 30 days. But if we use it with “–force-renew” command then your certificate get renewed immediately. Remember that, you only can renew 5 certificates per week for a particular domain or subdomain.

1. Note the date of your current certificate

To view the current expire date of your let’s encrypt certificate, execute the following command on your terminal.

sudo openssl x509 -noout -dates -in /etc/letsencrypt/live/your-domain-name/fullchain.pem

Take note of the date and time when the certificate was issued – either paste it into notepad or write it down on a piece of paper.

2. Creating A Cron job

In this step we’ll create a cron job which will get executed after 6 minutes.

Execute the “date” command to know the current time  of your Linux server.

In this example my Linux server  time  showed 17:38:05. So, Let’s create a cron job at 17:44 (17:38 plus 6 minutes).

44 17 * * * cd /etc/letsencrypt/ && ./certbot-auto renew --force-renew && /etc/init.d/nginx restart

Don’t forget to change the time and Nginx restart command(as per as your Linux version).

3. Syslog log Checking

After the time at the front of the script has passed (17:44 in this example), check your system log to verify that the script has executed successfully.

To view the system log execute this command,

cat /var/log/syslog

If  the cron script appear in syslog then follow the next step, if not then wait few minutes and reopen the syslog.

4. Check if renewal was successful

Now, Lets again check the let’s encrypt certificate’s expire date,

sudo openssl x509 -noout -dates -in /etc/letsencrypt/live/your-domain-name/fullchain.pem

Now, compare the noted expiry date with the current expire date, if you are seeing any changes then you don’t have any error in your auto renewal script. If not then feel free to drop a comment in the below comment section.

Lastly don’t forgot to revert crontab script to default.

Now it is your time!

I tried my best to provide you a complete tutorial on how to renew your letsencrypt SSL Certificate automatically on a nginx server. I hope you liked it.

If you need help just drop a comment.

If you benefited from this tutorial, and would like to support my work, please like my Facebook page.


Leave a Comment

Your email address will not be published. Required fields are marked *