@bash
Created January 9, 2024 19:22
Renew Let's Encrypt Certs with Certbot and Podman

1. Configure Nginx

We first create an include file, shared by all domains, at /etc/nginx/conf.d/acme. It serves the HTTP-01 challenge files out of the webroot; the alias path here is the directory certbot must be able to write challenge tokens into, so keep the two in sync:

# Allow access to the ACME Challenge for Let's Encrypt
location ^~ /.well-known/acme-challenge {
    allow all;
    alias /usr/share/nginx/html/.well-known/acme-challenge;
}

Next we include it in each domain's port-80 server block. The `^~` prefix location takes precedence over the `location /` redirect, so challenge requests are answered over plain HTTP instead of being bounced to HTTPS, which is what the ACME validation server requires:

server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    location / {
        return 301 https://example.com$request_uri;
    }

    include conf.d/acme;
}

2. Install & Configure Podman

Install podman using dnf install podman.

Then create a Quadlet unit for the certbot container in /etc/containers/systemd/certbot.container:

# Documentation: https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html

[Unit]
Description=Runs certbot

[Service]
# oneshot: the container runs `certbot renew` once and exits. Do not add RemainAfterExit=true here:
# it would leave the unit "active (exited)" after the first run, so every later timer trigger
# would be a no-op and the certificate would never be renewed again.
Type=oneshot
# Runs once the container has stopped, so nginx picks up a renewed certificate.
ExecStopPost=/usr/bin/systemctl reload nginx

[Container]
# The image entrypoint is `certbot`, so Exec=renew runs `certbot renew`.
# Consider pinning a tag or digest rather than tracking the moving default tag.
Image=docker.io/certbot/certbot
Exec=renew
Volume=/etc/letsencrypt:/etc/letsencrypt
Volume=/var/lib/letsencrypt:/var/lib/letsencrypt
# If the certificates were issued with the webroot authenticator (what the nginx config above
# is set up for), the webroot must be mounted at the same path inside the container; otherwise
# certbot writes the challenge token inside the container and nginx never serves it.
Volume=/usr/share/nginx/html:/usr/share/nginx/html
# Disables SELinux labelling for this container so it can read and write the host paths above.
SecurityLabelDisable=true

Running systemctl daemon-reload makes Quadlet generate the corresponding certbot.service from this file. You can inspect the result with systemctl cat certbot.service, or run /usr/libexec/podman/quadlet -dryrun to see the generated unit and any parse errors without reloading.

3. Create a timer

Create a timer that runs monthly by running systemctl edit --full --force certbot.timer (--force is required because the unit does not exist yet) and adding the following config. Note that certbot renew only replaces a certificate once it is within 30 days of expiry, so a monthly schedule gives a 90-day certificate only one or two renewal attempts; the certbot project recommends running it twice a day, and a daily OnCalendar is a safer choice if you want more room for a failed attempt:

[Unit]
Description=Renew certs monthly

[Timer]
OnCalendar=monthly
Persistent=true

[Install]
WantedBy=timers.target

Finally, enable and start the timer using systemctl enable --now certbot.timer (enable alone only arms it at the next boot), and confirm it is scheduled with systemctl list-timers certbot.timer.
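The following pre-flight script is an added example, not part of the gist: it checks the whole setup end to end before you rely on the timer. It simulates an HTTP-01 validation for each domain by dropping a random token into the webroot and fetching it over plain HTTP the way the ACME server would (catching a port-80 vhost that redirects the challenge path or serves the wrong directory), reports how long the live certificate has left, then starts the Quadlet unit exactly as the timer would and shows the timer state. It assumes the webroot from the nginx config above (overridable via WEBROOT), GNU date and openssl, curl, and that the host can resolve and reach its own domains over port 80; the helper names are its own.

```shell
#!/usr/bin/env bash
# Added pre-flight check for the certbot + podman renewal setup (example code, not from the gist).
# Assumptions: webroot /usr/share/nginx/html (as in conf.d/acme), GNU coreutils date, openssl, curl,
# and the generated certbot.service / certbot.timer units.
set -eu

WEBROOT=${WEBROOT:-/usr/share/nginx/html}
CHALLENGE_DIR="$WEBROOT/.well-known/acme-challenge"

# URL the CA's validation server fetches for a given domain and token (HTTP-01 is always plain HTTP).
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Whole days between an expiry time and "now", both as epoch seconds.
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# certbot renew only acts once fewer than 30 days remain; mirror that rule here.
needs_renewal() {
    [ "$1" -lt 30 ]
}

# Simulate one HTTP-01 validation: write a random token into the webroot, fetch it over HTTP,
# compare. A 301 to HTTPS or a wrong alias path yields a body that is not the token.
check_domain() {
    local domain=$1 token body
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    install -d -m 0755 "$CHALLENGE_DIR"
    printf '%s' "$token" > "$CHALLENGE_DIR/$token"
    body=$(curl -fsS "$(challenge_url "$domain" "$token")" || true)
    rm -f "$CHALLENGE_DIR/$token"
    if [ "$body" = "$token" ]; then
        echo "ok   $domain: challenge path served over plain HTTP"
    else
        echo "FAIL $domain: got '${body:-<no response>}', expected token '$token'" >&2
        return 1
    fi
}

# Report the live certificate's remaining lifetime and whether certbot would renew it now.
check_expiry() {
    local domain=$1 pem enddate days
    pem=/etc/letsencrypt/live/$domain/fullchain.pem
    enddate=$(openssl x509 -noout -enddate -in "$pem" | cut -d= -f2)
    days=$(days_left "$(date -d "$enddate" +%s)" "$(date +%s)")
    if needs_renewal "$days"; then
        echo "cert $domain: $days days left, inside the renewal window"
    else
        echo "cert $domain: $days days left, certbot renew will skip it for now"
    fi
}

main() {
    nginx -t
    for d in "$@"; do
        check_domain "$d"
        check_expiry "$d"
    done
    # Run the Quadlet unit the way the timer would, then confirm it finished and the timer is armed.
    systemctl start certbot.service
    systemctl status --no-pager certbot.service | head -n 5
    systemctl list-timers --no-pager certbot.timer
}

if [ $# -gt 0 ]; then
    main "$@"
else
    echo "usage: $0 domain [domain...]" >&2
fi
```

Run it as root with every domain in the nginx config, e.g. `./preflight.sh example.com www.example.com`. A FAIL on the challenge check means the CA would fail too, so fix the vhost or the webroot mount before the timer fires rather than discovering it from an expiry notice.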
