Automate Let's Encrypt with a systemd timer

A long, long time ago I wrote a blog post about Let's Encrypt automation with systemd timers that trigger letsencrypt:

Much has changed in 2016: the letsencrypt CLI is now called certbot, it can auto-renew via its own service, and much more. I adjusted my setup slightly, but I still have my own units:

# /etc/systemd/system/letsencrypt-renew@.timer
[Unit]
Description=run cert renew for %I every two months

[Timer]
# every two months: at 04:00 on the 1st of January, March, May, July, September and November
# (1/2 in the month field means "start at 1, step 2")
OnCalendar=*-1/2-1 4:0:0

[Install]
# needed so that "systemctl enable" has a target to hook the timer into
WantedBy=timers.target


# /etc/systemd/system/letsencrypt-renew@.service
[Unit]
Description=renew certificates for %I

[Service]
# oneshot: ExecStartPost only runs after certbot has finished, so the
# reload below picks up the new certificate (with Type=simple it would run
# right after certbot is forked, before the renewal is done)
Type=oneshot
ExecStartPre=/bin/mkdir -p /var/lib/letsencrypt/.well-known
ExecStart=/usr/bin/certbot certonly \
  --webroot \
  --webroot-path=/var/lib/letsencrypt/ \
  --renew-by-default \
  --keep \
  --agree-tos \
  --email \
  --rsa-key-size 4096 \
  --non-interactive \
  --text \
  -d %I
ExecStartPost=/bin/systemctl reload-or-restart apache2
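
The comment in the timer asks whether that OnCalendar line really means every two months, and a fixed cadence like this has to be checked against the 90-day lifetime of Let's Encrypt certificates: if a single run fails, the next attempt is two months later and the certificate has expired by then. The script below is an added example, not code from the original post or from certbot or systemd. It expands the subset of systemd calendar syntax the timer uses (year always *, a field written as a plain value, * or start/step) into concrete elapse times and measures the worst gap between successful runs when up to N consecutive runs fail. The helper names and the 2016 start year are my assumptions; the 90-day lifetime is Let's Encrypt's.

```python
# Added example: expand the systemd OnCalendar subset used by the timer above
# and check the renewal cadence against the 90-day Let's Encrypt lifetime.
# Helper names and the sample start year are assumptions made for this example.
from datetime import datetime

CERT_LIFETIME_DAYS = 90  # Let's Encrypt certificates are valid for 90 days


def _expand(field, lo, hi):
    """Expand one calendar field: '*' -> lo..hi, 'a/b' -> a, a+b, ... up to hi, 'n' -> [n]."""
    if field == "*":
        return list(range(lo, hi + 1))
    if "/" in field:
        start, step = (int(x) for x in field.split("/", 1))
        return list(range(start, hi + 1, step))
    return [int(field)]


def parse_oncalendar(expr):
    """Parse '*-MONTH-DAY H:M:S' (the subset used in the timer) into value lists."""
    date_part, time_part = expr.split()
    year, month, day = date_part.split("-")
    if year != "*":
        raise ValueError("only '*' is supported for the year field in this example")
    hour, minute, second = (int(x) for x in time_part.split(":"))
    return _expand(month, 1, 12), _expand(day, 1, 31), (hour, minute, second)


def next_elapses(expr, after, count):
    """Return the next `count` datetimes at which the expression elapses strictly after `after`."""
    months, days, (h, m, s) = parse_oncalendar(expr)
    out = []
    year = after.year
    while len(out) < count:
        for mo in months:            # months and days are ascending, so this loop is chronological
            for d in days:
                try:
                    t = datetime(year, mo, d, h, m, s)
                except ValueError:   # e.g. 31 February; systemd skips non-existent dates as well
                    continue
                if t > after:
                    out.append(t)
                    if len(out) == count:
                        return out
        year += 1
    return out


def worst_gap_days(expr, missed_runs=0, start_year=2016):
    """Longest interval in days between two successful runs if `missed_runs` consecutive runs fail."""
    times = next_elapses(expr, datetime(start_year, 1, 1), 13)  # a bit more than a year of elapses
    stride = missed_runs + 1
    return max((times[i + stride] - times[i]).days for i in range(len(times) - stride))


def cadence_ok(expr, missed_runs=0, start_year=2016):
    """True if the certificate never expires between successful runs, tolerating `missed_runs` failures."""
    return worst_gap_days(expr, missed_runs, start_year) < CERT_LIFETIME_DAYS


if __name__ == "__main__":
    for expr in ("*-1/2-1 4:0:0", "*-*-1 4:0:0"):
        for missed in (0, 1, 2):
            gap = worst_gap_days(expr, missed)
            verdict = "ok" if gap < CERT_LIFETIME_DAYS else "EXPIRED"
            print(f"{expr:16} missed={missed}: worst gap {gap:3d} days -> {verdict}")
```

With the timer's expression the worst gap between two consecutive runs is 62 days, which fits the 90-day lifetime, but one failed run (a DNS hiccup, a rate limit, Apache not answering on port 80) stretches the gap to 123 days and the site serves an expired certificate for a month. A monthly OnCalendar survives one missed run (62 days) but not two (92 days). The robust arrangement is a much more frequent timer that runs certbot's own expiry check (certbot renew only reissues certificates that are close to expiry), plus Persistent=true in the [Timer] section so that an elapse missed while the machine was down is run at the next boot.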


This pretty much looks like my old setup. Note that --renew-by-default (an alias for --force-renewal) makes certbot issue a fresh certificate on every run, so --keep has no effect here; the fixed two-month cadence is what keeps the certificate from expiring. Back in the day, every vhost in my webserver configuration had an entry to redirect Let's Encrypt requests to another directory outside the docroot. Now I use a dedicated vhost for this:

<VirtualHost *:80 [2a01:4f8:171:1152::c]:80>
    DocumentRoot /home/
    <Directory /home/>
        Options -Indexes +SymLinksIfOwnerMatch
        Require all granted
        AllowOverride All
    </Directory>
    ErrorLog /home/
    LogLevel info
    CustomLog /home/ combined
</VirtualHost>

This allows me to easily block requests to the vhost that are not coming from Let's Encrypt servers! One caveat: Let's Encrypt does not publish a fixed list of validation source addresses and validates from several network vantage points, so an allow-list by client IP can break without warning; restricting the vhost to serving only /.well-known/acme-challenge/ from the webroot is the more reliable filter. To enable this for a new domain, I simply need to do:

systemctl enable --now letsencrypt-renew@newdomain.tld.timer

The --now starts the timer right away as well as enabling it at boot (a plain enable leaves it inactive until the next reboot). The first certificate for the domain is obtained by starting letsencrypt-renew@newdomain.tld.service once by hand.