Renewing Let's Encrypt Certs (Nginx)
All the first Let’s Encrypt certs for my websites from the LE private beta began expiring last week, so it was time to work through the renewal tooling. I wanted a script that:
- Would be okay to run daily, so there’d be plenty of retries if something went wrong,
- Wouldn’t require extra config for me to forget about if I add a new site,
- Would only renew certificates expiring in the next few weeks.
The official Let’s Encrypt client team is hard at work producing a great renew tool to handle all this, but it’s not released yet. Of course I could use Caddy Server that just handles all this, but I have a lot invested in Nginx here.
So I wrote a short script and put it up in a Gist.
The script is designed to run daily, with a random start between 00:00 and 02:00 to protect against load spikes at Let’s Encrypt’s infrastructure. It doesn’t do any real reporting, though, except to maintain
/var/log/letsencrypt/renew.log as the most-recent failure if one fails.
It’s written to handle Nginx with Upstart’s
service command. It’s pretty modular though; you could make this operate any webserver, or use the webroot method quite easily. Feel free to use the OpenSSL SubjectAlternativeName processing code for whatever purposes you have.