Zaher Ghaibeh
Renew Let's Encrypt SSL via systemd
Published on Friday, August 11, 2017. Categorized under: Linux, Nginx

I'll assume that you are using Ubuntu 16.04 and nginx on your server. I'll cover installing Certbot and then how to set up the renewal process.

To install Certbot (the simple way) you need to update your system and run the following commands:

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx

After installing Certbot, run the following command, which will obtain the certificate and edit your nginx configuration files to use it:

$ sudo certbot --nginx

To renew your certificate, run the following command (this is the command that we will automate):

$ sudo certbot renew

Now that we have everything up and running, we need to configure systemd to automate the renewal process. The following is copied over from Sheogorath's blog post, but modified a bit to work with Certbot instead of the letsencrypt binary.

1- Create the renewal as a systemd service:

$ sudo nano /etc/systemd/system/letsencrypt.service

Inside the file add the following:

[Unit]
Description=Renews letsencrypt certificates
After=network.target

[Service]
Type=oneshot
WorkingDirectory=/etc/letsencrypt/
ExecStart=/usr/bin/certbot renew

I'm not going to explain everything, as the mentioned post explains all the items in detail.

2- Run the service every day:

$ sudo nano /etc/systemd/system/letsencrypt.timer

Inside the file add the following:

[Unit]
Description=letsencrypt timer

[Timer]
OnCalendar=daily
Persistent=true
Unit=letsencrypt.service

[Install]
WantedBy=basic.target

To enable the timer service, we run the following command:

$ sudo systemctl enable letsencrypt.timer

Finally, to run it, we run the following command:

$ sudo systemctl start letsencrypt.timer

3- Reload nginx configuration:

Even though I think the new Certbot will reload nginx automatically, we won't lose anything by running a reload after each renewal. To do so, create a folder called letsencrypt.service.d inside /etc/systemd/system and add a small config file to it with the following commands:

$ sudo mkdir /etc/systemd/system/letsencrypt.service.d
$ sudo nano /etc/systemd/system/letsencrypt.service.d/nginx.conf

Then add the following inside that nginx.conf file:

[Service]
ExecStartPost=/bin/systemctl reload nginx

You can test everything by running the command:

$ sudo systemctl start letsencrypt.service

And that's it. The renewal will now run every day and try to renew the certificate before it expires.
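
A timer that fails quietly is only noticed when the certificate expires, so it helps to check the certificate's remaining lifetime independently of the renewal job. The script below is an added example, not part of the original post: it assumes GNU date and the openssl command line tool, its function names are illustrative, and `<your-domain>` is a placeholder for your own certificate directory.

```shell
#!/bin/sh
# Added example (not from the original post): flag a certificate that is
# closer to expiry than a working daily renewal should ever allow.
# Assumes GNU date and the openssl CLI; function names are illustrative.

# Seconds between "now" (epoch, $2) and an openssl "notAfter=..." line ($1).
seconds_left() {
    end=${1#notAfter=}
    end_epoch=$(date -u -d "$end" +%s) || return 2
    echo $(( end_epoch - $2 ))
}

# certbot renews once fewer than 30 days remain, so with a healthy timer the
# remaining lifetime stays near 30 days or more. Default warning: 20 days.
renewal_status() {
    left=$1
    warn_days=${2:-20}
    if [ "$left" -le 0 ]; then
        echo EXPIRED
    elif [ "$left" -lt $(( warn_days * 86400 )) ]; then
        echo RENEWAL_FAILING
    else
        echo OK
    fi
}

# Read the expiry date from a certificate file and report its status.
check_cert() {
    line=$(openssl x509 -in "$1" -noout -enddate) || return 2
    left=$(seconds_left "$line" "$(date +%s)") || return 2
    status=$(renewal_status "$left" "${2:-20}")
    echo "$1: $(( left / 86400 )) days left, $status"
    [ "$status" = OK ]
}

# Usage: sh check-cert.sh /etc/letsencrypt/live/<your-domain>/cert.pem [warn_days]
if [ -n "${1:-}" ]; then
    check_cert "$@"
fi
```

The script exits non-zero when the status is not OK, so it can be run from any monitoring job that alerts on a failing command.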