Auto renewal of Let's Encrypt

Hi

I’m new to Hestia (debian 11) and I’m still trying to understand my way around.

I have one domain, I have its certificates and using certbot I have the letsencrypt certificate files privkey.pem and fullchain.pem.

In 3 months, the certificate will expire and I’m trying to understand how the renewal works. I saw the following cron but is it really running every minute or daily at 1:52?

When will the renewal occur? In the last day? Before that?

Will it update the letsencrypt files in this folder: /etc/letsencrypt/live/example.com/ or here /home/user/conf/web/example.com/ssl?

If the latter, how can I make sure that the files here /etc/letsencrypt/live/example.com/ are also updated automatically?

Thanks

Certbot checks for certificates that need to be renewed when called by the cron job. If none meet the criteria, nothing is done. The default renewal interval is sixty days, or 2/3 of the certificate’s 90 day lifespan.

The EFF has an FAQ for certbot that may interest you.


Forget the “Every minute”, it is to generate the code for cronjobs…

  1. Every night at 1:52 a cronjob runs that checks:
  • List all domains
  • Checks what has a valid ssl certificate
  • Check expiry date.

When the expiry date is less than 30 days away → it attempts to generate a new ssl

After xx failures it stops requesting a new ssl…


Thank you very much for your replies.

The renewal is not done using certbot so I understand correctly that it updates the files in this folder /home/user/conf/web/example.com/ssl and I need, using certbot, to update the files in this folder /etc/letsencrypt/live/example.com?

I ask because in order to create the certificate for the first time, I used dns challenge and the process took a while. Doing it once, is ok, I just wonder if I need to do it every 2 or so months and if so, to think about a way to automate it.

Thanks!

We use our own “software” that does check with http authentications…

If you want to use certbot you need to do it manually…

I just want my node server to work :) At the moment I do this in order for it to work as https:

const fs = require('fs');

// Private key and certificate chain issued by certbot
const options = {
  key: fs.readFileSync('/etc/letsencrypt/live/example.com/privkey.pem'),
  cert: fs.readFileSync('/etc/letsencrypt/live/example.com/fullchain.pem'),
};

I didn’t understand the difference between the above files which I got from certbot (dns challenge) and the original files that were created automatically when I created the web domain in Hestia.

The script you wrote here updates the above files as well?

/usr/local/hestia/data/users/user/ssl/domain.xxx is the location where we store the ssl certificates

Right but I need other certificate files which are privkey.pem and fullchain.pem and they aren’t created as part of creating the web host/server by Hestia. The mentioned files are created only after I run certbot and they are created in a different location, under letsencrypt folder /etc/letsencrypt/live/example.com/

Thanks but not sure of the following, I have 4 files created by Hestia
example.com.ca
example.com.crt
example.com.key
example.com.pem

I need 2 files that certbot creates
privkey.pem
fullchain.pem

2 more files that are created with certbot but I don’t use
cert.pem
chain.pem

I guess example.com.key => privkey.pem?
what is fullchain.pem?

I think what confuses me is that I don’t understand the difference between the 4 files that are created by hestia and certbot and how they relate to one another.
