Table of Contents
About Certbot
Certbot is a lifesaver when the user interface you use to renew certificates does not deliver anymore. Some servers of course come without any kind of control panel like cPanel of Virtualmin. In those cases, understanding the basic syntax of Certbot is a must. This guide gives some pointers but be warned even to the seasoned network administrator automated certificate renewals on a “non standard” server can be a complete nightmare.
Deployment Hooks
When renewing certificates one often has to do something else. One example is restart Unix services. For example, you might have a Kopano server and the Kopano server service might be “holding” the SSL in memory. The solution is to restart the Kopano services. However, how will you know Let’s Encrypt has renewed the certificate?
That’s where deployment hooks come in.
There are three types of hooks and they can be invoked using the command line or by putting them in a directory. The three hooks are:
- pre-hook
- deploy-hook
- post-hook
Directories:
- /etc/letsencrypt/renewal-hooks/pre
- /etc/letsencrypt/renewal-hooks/deploy
- /etc/letsencrypt/renewal-hooks/post
Add a script to the deploy directory to have it execute after successful renewal.
Reference: https://community.letsencrypt.org/t/run-script-after-each-automatic-renewal/118054/2
List all Certificates Certbot Knows About
This incredibly useful command will show you all the certificates on your system. What’s a bonus is if you need to delete certificates, then you use this command to list them first, and then the next command to delete them.
certbot certificates
Delete certificates
certbot delete --cert-name name.example.com-002
The problem after deleting certificates is that the directory will be incorrectly named. E.g. you’ll have /etc/letsencrypt/live/mail.example.com-001
You can manually go into that directory and archive and rename stuff, but be sure to also rename the configuration file.
Try to renew all Certificates Certbot Knows About
certbot renew
The CRON required to renew all certificates every two months
If all is well with your Certbox installation, you should automatically have the following CRON:
root@nms:/etc/cron.d# cat certbot # /etc/cron.d/certbot: crontab entries for the certbot package # # Upstream recommends attempting renewal twice a day # # Eventually, this will be an opportunity to validate certificates # haven't been revoked, etc. Renewal will only occur if expiration # is within 30 days. # # Important Note! This cronjob will NOT be executed if you are # running systemd as your init system. If you are running systemd, # the cronjob.timer function takes precedence over this cronjob. For # more details, see the systemd.timer manpage, or use systemctl show # certbot.timer. SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
Use OpenSSL to test a certificate on mail ports
These examples are for port 993 IMAPS and port 465 SMTPS
Test IMAPS port 993:
openssl s_client -CApath /etc/ssl/certs/ -connect mail.example.com:993 -brief
Test SMTPS port 465:
openssl s_client -connect mail.example.co.za:465 -servername mail.example.co.za -showcerts | openssl x509 -noout -text
See also: https://www.liquidweb.com/kb/how-to-test-ssl-connection-using-openssl/
Force Renewal
Example command:
certbot renew --force-renewal --cert-name mail.example.com
To Delete A Certbot Certificates
certbot delete --cert-name domain.com
Older CRON Information
Although certificates should be renewed around every two months, it’s better to check much more often, e.g. daily, to see if they can be renewed. Unfortunately the guidance provided by the official manual doesn’t seem to address the frequency so you’ll find 100s of different answers all over the internet.
This article was updated 13 April 2021 to include an improved CRON job schedule.
First find out which certbot binary you use by doing this:
# which certbot /usr/bin/certbot
The reason is CRON works better when the full path is prepended to the binary.
Now do this:
crontab -e
Add this:
0 */12 * * * /usr/bin/certbot renew
Reference
- https://certbot.eff.org/docs/using.html
- https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
- https://docs.librenms.org/Support/SSL-Configuration/
- https://mhagemann.medium.com/correct-way-to-delete-a-certbot-ssl-certificate-e8ee123e6e01
- https://certbot.eff.org/docs/using.html?highlight=cron
- https://techmonger.github.io/49/certbot-auto-renew/