Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Let's Encrypt Auto-Renewal using the Webroot Plugin (Nginx)
#!/bin/bash
web_service='nginx'
config_file="/usr/local/etc/le-renew-webroot.ini"
le_path='/opt/letsencrypt'
exp_limit=30;
if [ ! -f $config_file ]; then
echo "[ERROR] config file does not exist: $config_file"
exit 1;
fi
domain=`grep "^\s*domains" $config_file | sed "s/^\s*domains\s*=\s*//" | sed 's/(\s*)\|,.*$//'`
cert_file="/etc/letsencrypt/live/$domain/fullchain.pem"
if [ ! -f $cert_file ]; then
echo "[ERROR] certificate file not found for domain $domain."
fi
exp=$(date -d "`openssl x509 -in $cert_file -text -noout|grep "Not After"|cut -c 25-`" +%s)
datenow=$(date -d "now" +%s)
days_exp=$(echo \( $exp - $datenow \) / 86400 |bc)
echo "Checking expiration date for $domain..."
if [ "$days_exp" -gt "$exp_limit" ] ; then
echo "The certificate is up to date, no need for renewal ($days_exp days left)."
exit 0;
else
echo "The certificate for $domain is about to expire soon. Starting webroot renewal script..."
$le_path/letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --config $config_file
echo "Reloading $web_service"
/usr/sbin/service $web_service reload
echo "Renewal process finished for domain $domain"
exit 0;
fi
# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Let's Encrypt with
# "--help" to learn more about the available options.
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
# Always use the staging/testing server
# server = https://acme-staging.api.letsencrypt.org/directory
# Uncomment and update to register with the specified e-mail address
email = you@example.com
# Uncomment and update to generate certificates for the specified
# domains.
domains = example.com, www.example.com
# Uncomment to use a text interface instead of ncurses
# text = True
# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = tls-sni-01
# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
# authenticator = webroot
webroot-path = /usr/share/nginx/html
@lukepolo

This comment has been minimized.

Copy link

lukepolo commented Dec 25, 2015

Awesome thank you.

@ghost

This comment has been minimized.

Copy link

ghost commented Jan 1, 2016

Quick 'fix' to handle multiple domains/configfiles:

config_file="/usr/local/etc/le-renew-webroot.ini"

if [ "$1" == "" ]; then config_file="/usr/local/etc/le-renew-webroot.ini"
else
config_file="$1"
fi

If no commandline parameter is received, the script works as before with configfile /usr/local/etc/le-renew-webroot.ini
When the script is called with a parameter (i.e. /ur/local/sbin/le-renew-webroot /usr/local/etc/le-renew-webroot2.ini ) the configfile from the parameter is taken.

@anthonybruno

This comment has been minimized.

Copy link

anthonybruno commented Jan 5, 2016

👍 Awesome

@niksmac

This comment has been minimized.

Copy link

niksmac commented Jan 8, 2016

yeah it works 👍

@phanan

This comment has been minimized.

Copy link

phanan commented Jan 23, 2016

Note: The script will misbehave if there's an whitespace suffixing the domain name.

@ansemjo

This comment has been minimized.

Copy link

ansemjo commented Feb 3, 2016

I'm also using a purely space-seperated list of domains in my config file and the second sed on line 14 did not properly match and cut ..

I replaced .. | sed 's/(\s*)\|,.*$//' with .. | sed 's/[[:space:]].*$\|,.*$//' and now it properly cuts after the first domain.
Tested with GNU sed 4.2.2 and GNU bash 4.3.30(1)-releaseon Debian Jessie.

edit: nevermind .. apparently the letsencrypt-auto itself hiccups on a space-seperated list. I'll just use commas then ..

Thanks for the script and the tutorial!

@spiderneo

This comment has been minimized.

Copy link

spiderneo commented Feb 5, 2016

Very Nice code tahnks.
I did a fork for my purpose for managing multiple domains and certificates.
Instead of using 1 config file, i watch *.ini of a folder and i use your script to check domains and renews them if necessary.
This way it's easer to manage multiple domain on server.

Fork : https://gist.github.com/spiderneo/3f4b66c4282809e228f2

@dan-turner

This comment has been minimized.

Copy link

dan-turner commented Feb 9, 2016

Great script! You should really add set -e at the top though, without it, it is currently exiting with code 0 in the event of "Too many certificates already issued for: "

@tomprats

This comment has been minimized.

Copy link

tomprats commented Mar 10, 2016

For some reason I'm getting the following output immediately when running the script

/usr/local/sbin/le-renew-webroot: line 17: [: /etc/letsencrypt/live/www.leadersurgical.net: binary operator expected
unknown option /fullchain.pem
usage: x509 args
  -inform arg     - input format - default PEM (one of DER, NET or PEM)
  ... entire option list
Checking expiration date for www.leadersurgical.net ...
The certificate for www.leadersurgical.net  is about to expire soon. Starting webroot renewal script...
Bootstrapping dependencies for Debian-based OSes...
... Installing stuff
Reloading nginx
 * Reloading nginx configuration nginx                                                                     [ OK ]
Renewal process finished for domain www.leadersurgical.net

And it doesn't seem to have worked because every time I run it, It tells me it's about to expire soon

EDIT

Apparently I had a trailing space after my domain in the le-renew-webroot file. Next time I ran it, it said the cert is up to date, woo!

@technodrome

This comment has been minimized.

Copy link

technodrome commented Jun 7, 2016

Nice script, but I don't understand why you call it plural - domains. It gives the impression of checking multiple domains and running the command for each of them, which is not the case. Sed 4.2.2 returns first domain only and discards the rest.

In its current form it is not all that useful as you have to run the program for several domains individually, contrary to ambiguous plural name. Would be very nice to rework it to support array of domains taken from the config file and to run the procedure on all of them.

@czerasz

This comment has been minimized.

Copy link

czerasz commented Feb 3, 2018

Recently I discovered that I don't need this script anymore...
I simply skip the --renew-by-default flag and certbot will renew the certificate only 30 days before it expires. To restart my service I use the --post-hook flag.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.