Let's Encrypt manual certificate renew for a static private key

letsencrypt_cron_wrapper.sh

#!/bin/bash

# Cron wrapper, call this directly from your cron. Depends on renew script (letsencrypt_manual_renew.sh).

ADMIN_EMAIL=hostmaster@server.tld

RENEWLOG=`/srv/data_server/certs/tools/letsencrypt_manual_renew.sh 2>&1`
rc=$?

if [[ $rc -ne 0 ]]; then
    echo "Renewal error."

    echo "$RENEWLOG" | /usr/bin/mail -s "Error: Could not renew TLS certificates" $ADMIN_EMAIL
else
    echo "Renewed"

    # Reload all daemons using this certificate
    /bin/systemctl reload nginx
    /bin/systemctl reload prosody
    /bin/systemctl reload postfix
    /bin/systemctl force-reload dovecot

    echo "Daemons reloaded"
fi

exit $rc

letsencrypt_manual_renew.sh

#!/bin/bash

# Renew script, called from cron wrapper script (letsencrypt_cron_wrapper.sh).

WEB_PATH=/srv/data_server/web
CERTS_PATH=/srv/data_server/certs

rm -r $CERTS_PATH/next 2> /dev/null
mkdir $CERTS_PATH/next

/usr/bin/letsencrypt certonly -a webroot --webroot-path=$WEB_PATH/default --csr=$CERTS_PATH/server.csr --cert-path=$CERTS_PATH/next/server.crt.only --chain-path=$CERTS_PATH/next/server.crt.chain --fullchain-path=$CERTS_PATH/next/server.crt.full --text --non-interactive
rc=$?

if [[ $rc -ne 0 ]]; then
    echo "Error: Could not renew"

    # Rollback (cleanup)
    rm -r $CERTS_PATH/next

    echo "Previous certificate is still active"
else
    echo "Success: Renewed"

    # Validate (consolidate)
    rm -r $CERTS_PATH/previous 2> /dev/null

    mv $CERTS_PATH/current $CERTS_PATH/previous
    mv $CERTS_PATH/next $CERTS_PATH/current

    # Revoke previous certificate
    /usr/bin/letsencrypt revoke --cert-path $CERTS_PATH/previous/server.crt.full --text --non-interactive

    if [[ $? -ne 0 ]]; then
        echo "Warning: Previous certificate could not be revoked"
    fi

    # Final cleanup
    rm -r $CERTS_PATH/previous

    echo "Renewed certificate now active"
fi

exit $rc