LetsEncrypt: add cron job renew script - for certificate autorenew

NethServer Version: 7.0
Module: nethserver-letsencrypt

Hello,

I am looking for the automatic renewal certificate via nethserver-letsencrypt module on nethserver 7.0. I found these doc below:

https://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-letsencrypt.html

1.) My question now is how practically to use the cron job, for example can I just create a bash/shell script as explained above and just run it every 29 or 30 days to auto-renew the certificate?

2.) I found also this config file on nethserver under this pwd, should I have to change or update any information on that script or just use it as it is?

/usr/libexec/nethserver/letsencrypt-certs

** #!/usr/bin/perl**

use esmith::ConfigDB;
use esmith::HostsDB;
use File::stat;
use esmith::event;
use Getopt::Std;

my $cdb = esmith::ConfigDB->open();
my $ddb = esmith::HostsDB->open_ro();

my $crtdir = “/etc/letsencrypt/”;
my $crtdir_backup = “/etc/letsencrypt.autobackup/”;
my $lebin = “/usr/bin/certbot”;
my $config = “”;
my $verbose = 0;
my $testing = 0;
my $force = 0;
our $mail = ‘’;
our $modified = 0;
# Certificate for FQDN
our @domains = ();

$SIG{INT} = &restore;
$SIG{TERM} = &restore;

sub restore {
** if ( -d $crtdir_backup) {**
** # restore backup cert dir**
** if ($verbose) {**
** print “Restoring $crtdir …\n”;**
** }**
** system(“rm -rf $crtdir”);**
** system(“mv $crtdir_backup $crtdir”);**
** }**
}

sub renew {
** my $domains = shift;**

** my $opts = " certonly --webroot --webroot-path /var/www/html/ --text --non-interactive --agree-tos ";**
** if (!$mail) {**
** $opts .= " --register-unsafely-without-email "**
** } else {**
** $opts .= " --email $mail "**
** }**

** # file paths**
** my $crt = crtdir."/live/".lc({$domains}[0])."/cert.pem";**


** # read the date of certificate link before renewal**
** my $tmp = stat($crt);**
** my $before = defined($tmp) ? $tmp->mtime : 0;**


** my $cmd = “$lebin $opts”;**

** foreach (@$domains) {**
** cmd .= " -d _ ";**
** }**

** if ($force) {**
** $cmd .= " --force-renewal ";**
** }**

** if ($testing) {**
** $cmd .= " --test-cert ";**
** }**

** if (!$verbose) {**
** $cmd .= " --quiet >/dev/null";**
** } else {**
** $cmd .= " -v “;**
** print $cmd.”\n";**
** }**
** my $ret = system($cmd);**

** if ($testing) {**
** restore();**
** exit $ret>>8;**
** }**

** # read the date of certificate link after renewal**
** $tmp = stat($crt);**
** my $after = defined($tmp) ? $tmp->mtime : 0;**

** if ($before != $after) {**
** $modified++;**
** }**
}

sub help {
** print “Usage: $0 [-h] [-f] [-d] [-v] [-t] [-e]\n”;**
** print “\nOptions:\n”;**
** print " -h : show this help\n";**
** print " -f : force certificate renew\n";**
** print " -d : comma-separated list of domains,\n";**
** print " if not set read from config db pki[LetsEncryptDomains]\n";**
** print " -v : verbose\n";**
** print " -t : testing, enable staging CA\n";**
** print " -e : use given mail for registration\n";**
}

my %options=();
getopts(“hvtfd:e:”, %options);

# make sure certificate dir exists
if ( ! -d $crtdir) {
** mkdir($crtdir);**
}

if (defined $options{h}) {
** help();**
** exit 0;**
}

if (defined $options{v}) {
** $verbose = 1;**
}

if (defined $options{f}) {
** $force = 1;**
}

if (defined $options{t}) {
** $testing = 1;**

** # copy existing cert dir into a temporary one**
** system(“mv $crtdir $crtdir_backup”);**
}

if (defined $options{d}) {
** foreach (split(’,’,options{d})) {** ** push(@domains, _);**
** }**
}

if (defined $options{e}) {
** $mail = $options{e};**
} else {
** $mail = $cdb->get_prop(‘pki’,‘LetsEncryptMail’) || ‘’;**
}

# read domains from pki prop
if (!@domains) {
** my $le_domains = $cdb->get_prop(‘pki’,‘LetsEncryptDomains’) || ‘’;**
** if ($le_domains) {**
** foreach (split(’,’,le_domains)) {** ** push(@domains, _);**
** }**
** }**
}

if (!@domains) {
** exit 0;**
}

# Renew certificate for all domains
renew(@domains);

if ($modified > 0) {
** if ($verbose) {**
** print “Executing certificate-update event…\n”;**
** }**
** if(esmith::event::event_signal(‘certificate-update’) == 0) {**
** exit 1;**
** }**
}

exit 0;

Thanks in advance,

George

Hi again,

Based on the log file below and after I run the command for the renewal manually, I get this on the log file:

/var/log/letsencrypt/letsencrypt.log

I suppose it’s ok but it’s not get renewed due to the days of renewal haven’t arrived.

George

Also it looks like nethserver puts itself the autorenewal script on the cron.daily tasks

image

@taxiarxos

Hi

You’re right in that sense, NethServer usually handles all LetsEncrypt updates automatically, all without problems.

If there is an issue, it’s usually because of naming issues (DNS), or the folder or service (http) isn’t accessible from the internet.

My 2 cents
Andy

1 Like

Perfect!

Thank you so much Andy!