Let's Encrypt Auto Renewal

Status
Not open for further replies.

dcitelecom

Member
Oct 20, 2021
139
3
18
61
I installed Let's Encrypt with the dehydrated script and was under the impression that it would somehow auto-renew but I always have to renew manually. Is there a way to set it up so that it renews the SSL certificate automatically without any intervention? When I do it manually, I always have to answer the domain Name & email address questions and I don't know how to do this in cron job
 

Kenny Riley

Active Member
Nov 1, 2017
243
39
28
37
If you're using a wildcard cert, then no, you have to manually re-run the script to renew the cert.
 

whut

Member
Dec 23, 2022
228
22
18
You could setup auto renewal by using certbot or with acme. Or you could edit the letsencrypt shell script to hardcode your domain name(s) and email address foregoing the user input of the shell script. Certbot and acme have auto renew and auto renew dry run. These will cost you more time to install, run and test and I would rather use what is already baked into the project in this regard.

The letsencrypt shell script hard code would be a very simple change. But then you would need to create the cronjob to run every 2-3 months, depending on how close to the expiry you want to get to. And ensure it is working as expiry time comes. With editing you would want to keep in mind these edits when you do a git pull on your /usr/src/fusionpbx-install.sh directory and sub directories.

I prefer to set a reminder to manually update ssl certs as I want to watch carefully for any issues and the possibility of requiring the acme challenge to be copied to where you purchase your domain names. You have a few options to concider and weigh the value add and work required of each.
 
Jan 9, 2018
152
16
18
54
If you're using a wildcard cert, then no, you have to manually re-run the script to renew the cert.
Actually, that's not quite true, I have a wildcard cert, using Dehydrated and it auto-renews. The key is that your DNS provider needs to allow an API to add/remove records and then look for a script to do this for your provider (or write one for yourself based on other providers). Then in the Dehydrated wizard, you point to this script at the right place. I'm not saying it's super easy, but it is possible. For us, it was worth the effort.
 
  • Like
Reactions: amontoya20000
Jan 9, 2018
152
16
18
54
The default Dehydrated script should work as-is (non-wildcard) to automatically create the cron job. It runs daily and checks to see if it's time to renew. At about day 60, it will trigger the renewal. While under root, look in crontab -e. Dehydrated should have created an entry in there.

@whut, regarding renewal, manual is, of course, an option, but the nice thing about Lets Encrypt is that if it gets within about 20 days of expiration and you haven't renewed, they will email you reminders. Effectively, that means that if your auto-renewal is working, you won't get those emails. And if it breaks for some reason, you will get an alert in time to fix the problem before it impacts you.
 

whut

Member
Dec 23, 2022
228
22
18
You are correct @Jonathan Black. You have provided valuable feedback. I forget about the renewal emails from lets encrypt even though I received these emails just last week for a group of domains.

One of the reasons I choose manual is because my firewall rules are strict enough that they block cert install/renew. I have not yet researched allow rules for the certs process. Perhaps tet something else to keep in mind @dcitelecom with automating. You can also write scripts to evaluate all domain ssl expiry and status, and there are some gui tools out there to help with this too.
 
Jan 9, 2018
152
16
18
54
You are correct @Jonathan Black. You have provided valuable feedback. I forget about the renewal emails from lets encrypt even though I received these emails just last week for a group of domains.

One of the reasons I choose manual is because my firewall rules are strict enough that they block cert install/renew. I have not yet researched allow rules for the certs process. Perhaps tet something else to keep in mind @dcitelecom with automating. You can also write scripts to evaluate all domain ssl expiry and status, and there are some gui tools out there to help with this too.
If your firewall is blocking the domain verification process, that might be resolved by the API script I mentioned above. Basically, it takes the verification code and inserts it into the DNS record on your DNS provider. You have to use this method with wildcard certs, but you have the option to use DNS record verification on any cert.
 

whut

Member
Dec 23, 2022
228
22
18
unfortunately not all dns providers allow api script. :mad::eek:

but very good if they do!
 

hfoster

Active Member
Jan 28, 2019
684
81
28
34
If your DNS provider doesn't support it, you can always do what I did and go for individual domains. You'll have to get even more creative for the FreeSWITCH TLS cert though, I don't think it's possible to have more than one:

template.conf is the base config for each domains virtual server.

Bash:
#!/bin/bash
# Script to generate domain configurations for nginx
set -o errexit;

function generatepbx {
    DOMAIN=$1
    certbot certonly --webroot -w /var/www/letsencrypt -d $DOMAIN
    cp /etc/nginx/sites-available/template.conf /etc/nginx/sites-available/$DOMAIN
    sed -i "s/template.example.com/$DOMAIN/g" /etc/nginx/sites-available/$DOMAIN
    ln -s /etc/nginx/sites-available/$DOMAIN /etc/nginx/sites-enabled/$DOMAIN
}

if [ -z "$1" ]; then
  echo -e "Domain name is required.\n"
  exit 1
fi

for var in "$@"
do
  generatepbx $var
done
 
Jan 9, 2018
152
16
18
54
If your DNS provider doesn't support it, you can always do what I did and go for individual domains. You'll have to get even more creative for the FreeSWITCH TLS cert though, I don't think it's possible to have more than one:

template.conf is the base config for each domains virtual server.

Bash:
#!/bin/bash
# Script to generate domain configurations for nginx
set -o errexit;

function generatepbx {
    DOMAIN=$1
    certbot certonly --webroot -w /var/www/letsencrypt -d $DOMAIN
    cp /etc/nginx/sites-available/template.conf /etc/nginx/sites-available/$DOMAIN
    sed -i "s/template.example.com/$DOMAIN/g" /etc/nginx/sites-available/$DOMAIN
    ln -s /etc/nginx/sites-available/$DOMAIN /etc/nginx/sites-enabled/$DOMAIN
}

if [ -z "$1" ]; then
  echo -e "Domain name is required.\n"
  exit 1
fi

for var in "$@"
do
  generatepbx $var
done
I don't know how typical my dehydrated install is since I've modified it for the API integration, but I believe there is a domains.txt in the /etc/dehydrated folder that is used to tell dehydrated which domains to request. I wonder if you could tweak that script to just add those domains to that file and then request one updated single cert with multiple SANs (Subject Alternate Name)? I have several SANs in with the wildcard in mine and it does work. But I'm not sure if there is a limit to the number of SANs per cert for Lets Encrypt.

My domains.txt looks like:
Code:
*.sampledomain.com sampledomain.com sampledomain2.com > sampledomain.com

If it would work (minus the wildcard), that would solve the TLS issue with FreeSWITCH.
 
Status
Not open for further replies.