https://www.knightli.com/en/tags/ssl/ Recent content in SSL on KnightLi Blog Hugo -- gohugo.io en Fri, 03 Apr 2026 00:00:00 +0000 https://www.knightli.com/en/2026/04/03/certbot-auto-renew-nginx/ Fri, 03 Apr 2026 00:00:00 +0000 https://www.knightli.com/en/2026/04/03/certbot-auto-renew-nginx/ <p>Let&rsquo;s Encrypt certificates are valid for only 90 days, so production sites should always enable automatic renewal to avoid HTTPS downtime.</p> <p>If you already issued the certificate with Certbot, there are usually two things left:</p> <ol> <li>Configure a scheduled renewal task</li> <li>Verify the renewal workflow actually works</li> </ol> <h2 id="first-check-whether-certbot-already-created-a-scheduler">First, Check Whether Certbot Already Created a Scheduler </h2><p>Depending on your distro, Certbot may already install a scheduler (for example, a <code>systemd timer</code> or <code>/etc/cron.d/certbot</code>).</p> <p>You can check with:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">systemctl list-timers <span class="p">|</span> grep certbot </span></span></code></pre></td></tr></table> </div> </div><p>If a valid timer already exists, you usually do not need an extra crontab entry.</p> <h2 id="add-a-crontab-job-manually-recommended-example">Add a Crontab Job Manually (Recommended Example) </h2><p>If you prefer managing renewal explicitly, edit root crontab:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo crontab -e </span></span></code></pre></td></tr></table> </div> </div><p>Add this line (runs daily at 03:00):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">0 3 * * * certbot renew --pre-hook &#34;systemctl stop nginx&#34; --post-hook &#34;systemctl start nginx&#34; &gt;&gt; /tmp/certbot-renew.log 2&gt;&amp;1 </span></span></code></pre></td></tr></table> </div> </div><p>What it means:</p> <ul> <li><code>0 3 * * *</code>: run at 03:00 every day</li> <li><code>certbot renew</code>: renew certificates that are close to expiration</li> <li><code>--pre-hook</code>: stop Nginx before renewal (common for standalone mode)</li> <li><code>--post-hook</code>: start Nginx after renewal</li> <li><code>&gt;&gt; /tmp/certbot-renew.log 2&gt;&amp;1</code>: append logs for troubleshooting</li> </ul> <h2 id="run-a-dry-test-before-relying-on-cron">Run a Dry Test Before Relying on Cron </h2><p>After adding the task, validate the full flow manually:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo certbot renew --dry-run </span></span></code></pre></td></tr></table> </div> </div><p>If dry-run succeeds, you can safely rely on the scheduled job.</p> <h2 id="common-notes">Common Notes </h2><ol> <li>If you use the <code>webroot</code> or <code>nginx</code> plugin, you often do not need to stop Nginx. In many setups, reloading Nginx after renewal is enough:</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certbot renew --deploy-hook <span class="s2">&#34;systemctl reload nginx&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><ol start="2"> <li> <p><code>certbot renew</code> only performs actual renewal near expiration, so running it daily is normal.</p> </li> <li> <p>For long-term maintenance, consider writing logs to a persistent path such as <code>/var/log/letsencrypt/</code>.</p> </li> </ol> <h2 id="summary">Summary </h2><p>Reliable certificate auto-renewal is not just about writing a command. The key is confirming the workflow can run end to end.</p> <p>A stable setup is usually just these three steps:</p> <ol> <li>Check whether system-level scheduling already exists</li> <li>Add cron if needed and keep logs</li> <li>Validate once with <code>--dry-run</code></li> </ol>