letsencrypt.org provides free SSL certificates using the ACME protocol. Because these certificates are only valid for 90 days, they have to be renewed. This renewal can be automated with a cron(8) job.
All tutorials I have seen show an entry in the crontab(5) table/configuration file for daily renewal requests. I find that kind of silly. Although you can do a certificate renewal request whenever you want, the cert will only actually be renewed if it has less than 30 days of validity left.
On OpenBSD my entry for a cert renewal request with acme-client(1) every 8 days looks like this:
Code:
# crontab -l
[snip]
# ------------------------------------------
# renew letsencrypt certificate every 8 days
# ------------------------------------------
#minute hour mday month wday [flags] command
# the following line with '8~52' always runs at 14:17 ..... So try something new
#8~52 14 */8 * * acme-client -v siralas.nl && rcctl reload relayd
31~59 14 */8 * * acme-client -v siralas.nl && rcctl reload relayd
Please note that I use relayd(8) to do the TLS de/encryption for the webserver. So when the certificate has been renewed, relayd(8) has to be reloaded to use the fresh certificate.
An overview of the emails that are sent after the cronjob has run:
Code:
71 Feb 1 Cron Daemon (781) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
72 Feb 9 Cron Daemon (781) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
73 Feb 17 Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
74 Feb 25 Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
75 Mar 1 Cron Daemon (781) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
76 Mar 9 Cron Daemon (4K) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
77 Mar 17 Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
78 Mar 25 Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
79 Apr 1 Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
80 Apr 9 Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
81 Apr 17 Cron Daemon (785) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
82 Apr 25 Cron Daemon (785) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
83 May 1 Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
84 May 9 Cron Daemon (4K) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
85 May 17 Cron Daemon (785) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
86 May 25 Cron Daemon (785) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
87 Jun 1 Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
88 Jun 9 Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
89 Jun 17 Cron Daemon (785) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
90 Saturday Cron Daemon (785) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
Most of the time these emails are only about 780 chars long. Because of the verbose -v option the email has a size of about 4K when the cert has been renewed.
On the first day of every month the 8 day cycle is restarted. Keep this in mind if you would like to use a different cycle.
The contents of the April 1st mail:
Code:
Date: Fri, 1 Apr 2022 14:17:02 +0200 (CEST)
From: Cron Daemon <root@nedrag.siralas.nl>
To: root@nedrag.siralas.nl
Subject: Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
acme-client: /etc/ssl/siralas.nl.fullchain.pem: certificate valid: 66 days
left
The following emails (edited for brevity):
Code:
Date: Sun, 17 Apr 2022 14:17:01 +0200 (CEST)
acme-client: /etc/ssl/siralas.nl.fullchain.pem: certificate valid: 50 days
left
Date: Mon, 25 Apr 2022 14:17:01 +0200 (CEST)
acme-client: /etc/ssl/siralas.nl.fullchain.pem: certificate valid: 42 days
left
Date: Sun, 1 May 2022 14:17:01 +0200 (CEST)
acme-client: /etc/ssl/siralas.nl.fullchain.pem: certificate valid: 36 days
left
The next mail of May 9 reports a renewal because 28 days is less than 30.
Code:
Date: Mon, 9 May 2022 14:17:01 +0200 (CEST)
From: Cron Daemon <root@nedrag.siralas.nl>
To: root@nedrag.siralas.nl
Subject: Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
acme-client: /etc/ssl/siralas.nl.fullchain.pem: certificate renewable: 28
days left
acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
[snip]
acme-client: order.status 3
acme-client:
https://acme-v02.api.letsencrypt.org/acme/cert/04a99a960ec3ea0f03a1a1713afe1
0918189: certificate
acme-client: /etc/ssl/siralas.nl.fullchain.pem: created
relayd(ok)
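To check a different cycle before putting it in the crontab, the schedule can be replayed offline. This is an added example, not part of the original post: it models the `*/N` day-of-month field and the 30-day renewal threshold described above, replays the April/May 2022 mails, and computes how little validity can remain at renewal for a given step. The expiry date 2022-06-06 is derived from the "66 days left" mail of April 1; the function names and the whole-day arithmetic are assumptions of this sketch.

```python
from datetime import date, timedelta

RENEW_BELOW_DAYS = 30     # renewal happens when fewer than 30 days are left (per the post)
CERT_LIFETIME_DAYS = 90   # certificate lifetime (per the post)
FIRST_EXPIRY = date(2022, 6, 6)  # derived: April 1 mail reports 66 days left


def run_dates(step, start, end):
    """Dates on which an mday field of '*/step' fires: day 1, 1+step, ... of each month."""
    out, d = [], start
    while d <= end:
        if (d.day - 1) % step == 0:
            out.append(d)
        d += timedelta(days=1)
    return out


def simulate(step, first_expiry, start, end):
    """Replay the cron runs; return a list of (run_date, days_left, renewed)."""
    expiry, log = first_expiry, []
    for d in run_dates(step, start, end):
        left = (expiry - d).days
        renewed = left < RENEW_BELOW_DAYS
        log.append((d, left, renewed))
        if renewed:
            # Simplified model: the new certificate is valid for 90 days from the run.
            expiry = d + timedelta(days=CERT_LIFETIME_DAYS)
    return log


def worst_case_days_left(step, start, end):
    """Least validity that can remain at renewal: a run that sees exactly 30 days
    left does not renew, so the next run sees 30 minus the gap between runs."""
    runs = run_dates(step, start, end)
    max_gap = max((b - a).days for a, b in zip(runs, runs[1:]))
    return RENEW_BELOW_DAYS - max_gap


if __name__ == "__main__":
    for d, left, renewed in simulate(8, FIRST_EXPIRY, date(2022, 4, 1), date(2022, 5, 31)):
        print(d, f"{left} days left", "RENEWED" if renewed else "valid")
    for step in (1, 8, 20, 31):
        margin = worst_case_days_left(step, date(2022, 1, 1), date(2022, 12, 31))
        print(f"*/{step}: at least {margin} days left at renewal")
```

A negative margin, as with `*/31` (which only fires on the 1st of the month), means the certificate can expire between two runs.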
BTW the proper way to edit crontab(5), having root powers, is to use the command:
# crontab -e