Skip to content

Instantly share code, notes, and snippets.

Last active April 26, 2024 04:13
Show Gist options
  • Save thisismitch/e1b603165523df66d5cc to your computer and use it in GitHub Desktop.
Save thisismitch/e1b603165523df66d5cc to your computer and use it in GitHub Desktop.
Let's Encrypt Auto-Renewal using the Webroot Plugin (Nginx)
if [ ! -f $config_file ]; then
echo "[ERROR] config file does not exist: $config_file"
exit 1;
domain=`grep "^\s*domains" $config_file | sed "s/^\s*domains\s*=\s*//" | sed 's/(\s*)\|,.*$//'`
if [ ! -f $cert_file ]; then
echo "[ERROR] certificate file not found for domain $domain."
exp=$(date -d "`openssl x509 -in $cert_file -text -noout|grep "Not After"|cut -c 25-`" +%s)
datenow=$(date -d "now" +%s)
days_exp=$(echo \( $exp - $datenow \) / 86400 |bc)
echo "Checking expiration date for $domain..."
if [ "$days_exp" -gt "$exp_limit" ] ; then
echo "The certificate is up to date, no need for renewal ($days_exp days left)."
exit 0;
echo "The certificate for $domain is about to expire soon. Starting webroot renewal script..."
$le_path/letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --config $config_file
echo "Reloading $web_service"
/usr/sbin/service $web_service reload
echo "Renewal process finished for domain $domain"
exit 0;
# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Let's Encrypt with
# "--help" to learn more about the available options.
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
# Always use the staging/testing server
# server =
# Uncomment and update to register with the specified e-mail address
email =
# Uncomment and update to generate certificates for the specified
# domains.
domains =,
# Uncomment to use a text interface instead of ncurses
# text = True
# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = tls-sni-01
# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
# authenticator = webroot
webroot-path = /usr/share/nginx/html
Copy link

technodrome commented Jun 7, 2016

Nice script, but I don't understand why you call it plural - domains. It gives the impression of checking multiple domains and running the command for each of them, which is not the case. Sed 4.2.2 returns first domain only and discards the rest.

In its current form it is not all that useful as you have to run the program for several domains individually, contrary to ambiguous plural name. Would be very nice to rework it to support array of domains taken from the config file and to run the procedure on all of them.

Copy link

czerasz commented Feb 3, 2018

Recently I discovered that I don't need this script anymore...
I simply skip the --renew-by-default flag and certbot will renew the certificate only 30 days before it expires. To restart my service I use the --post-hook flag.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment