How to setup cron job for Let’s Encrypt SSL renewal

Lets encrypt is great tool. It provides free SSL certificate but this certificate comes with validity of 90 days  and to make sure you do not run out of SSL certificate validity, you need to renew SSL certificate every 90 days.

As per this post from Lets Encrypt forum, it will process renewal request 30 days prior to date of expiration so it make sense to schedule a cron  job which will run every month to ensure all certificates are valid all the time.

Open cronjob file using following command

sudo crontab -e

When you run this command for the first time, it will ask you to choose editor

no crontab for root - using an empty one

Select an editor. To change later, run 'select-editor'.
1. /bin/ed
2. /bin/nano <---- easiest
3. /usr/bin/code
4. /usr/bin/vim.tiny

Choose 1-4 [2]:

You can choose any editor that you are comfortable with. I chose second option. It will open file having following content.

#Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command

add following line at the end and save it. (This will run cron job @ 00:00 hr on 1st of every month)

0 * 1 * * /usr/bin/certbot renew --quiet --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx"

That’s it, you are all set.

You can use cron job tool https://crontab.guru/ to cross check the schedule

cron schedule expressions

There are 5 elements in schedule

  • 1st * represents minute
  • 2nd * represent hour
  • 3rd * represent day of the month
  • 4th star represent month
  • 5th star represent day of the week.

e.g.

When Syntax
Every day at 9 AM 0 9 * * *
Every day at 9:05 AM 5 9 * * *
Every day at 07:00 PM/ 19:00 0 19 * * *
Only on monday @ 19:00 0 19 * * 1
Only on 1st of every month @ 19:00 0 19  1 * *

For more permutations and combinations, please refer to https://crontab.guru/

Verification.

To check if this is working, you can change schedule as below (It will run cronjob every minute.

* * * * * /usr/bin/certbot renew --quiet --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx"

 

How to check cron job logs

sudo grep CRON /var/log/syslog

This will show the logs as below

May 1 11:56:01 ubuntu-512mb-server CRON[8519]: (root) CMD (/usr/bin/certbot renew --quiet --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx")
May 1 11:57:01 ubuntu-512mb-server CRON[8594]: (root) CMD (/usr/bin/certbot renew --quiet --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx")
May 1 11:58:01 ubuntu-512mb-server CRON[8616]: (root) CMD (/usr/bin/certbot renew --quiet --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx")
May 1 11:59:01 ubuntu-512mb-server CRON[8624]: (root) CMD (/usr/bin/certbot renew --quiet --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx")
May 1 12:00:01 ubuntu-512mb-server CRON[8631]: (root) CMD (/usr/bin/certbot renew --quiet --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx")

If you are running into any issues, please do let me know