How to set auto-renewal of Let's Encrypt SSL?
- Thread starter simii
- Start date
- Tags certbot letsencrypt ssl
@Cold-Egg is right in that there is a /etc/cron.d/certbot file.
My /etc/cron.d/certbot file looks like this:
Now reading the help message, it says that the certbot.timer will take precedence if cerbot is run through systemd.
So I just edited /lib/systemd/system/certbot.service to add the '--deploy-hook "/usr/local/lsws/bin/lswsctrl restart"' option.
My /etc/cron.d/certbot file looks like this:
Code:
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days. --deploy-hook "/usr/local/lsws/bin/lswsctrl restart"
#
# Important Note! This cronjob will NOT be executed if you are
# running systemd as your init system. If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob. For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook "/usr/local/lsws/bin/lswsctrl restart"So I just edited /lib/systemd/system/certbot.service to add the '--deploy-hook "/usr/local/lsws/bin/lswsctrl restart"' option.
Hi @gilles and @simii,
Before systemd updates, we can mix up in use with "lswsctrl" and "systemctl" to restart lsws, but after the certain update, it messed up with systemctl. Like if you have a process start with lswsctrl start then systemctl restart/stop won't touch it.
Please run follow commands,
and use hook
that I mentioned earlier, and it should start working properly.
Best,
Eric
Before systemd updates, we can mix up in use with "lswsctrl" and "systemctl" to restart lsws, but after the certain update, it messed up with systemctl. Like if you have a process start with lswsctrl start then systemctl restart/stop won't touch it.
Please run follow commands,
Code:
/usr/local/lsws/bin/lswsctrl stop
systemctl stop lsws
systemctl start lsws
Code:
--deploy-hook 'systemctl restart lsws'Best,
Eric
Wow, glad I saw this. I thought OpenLiteSpeed would automatically handle the certbot customization since it does the Let's Encrypt setup.
To confirm, what is needed is to edit /usr/lib/systemd/system/certbot.service, changing the ExecStart line to this:
Correct?
@gilles, seems like if the web server has stopped, you have bigger problems. try-restart would keep it stopped. Is that what you want?
To confirm, what is needed is to edit /usr/lib/systemd/system/certbot.service, changing the ExecStart line to this:
Code:
ExecStart=/usr/bin/certbot -q renew --deploy-hook 'systemctl restart lsws'@gilles, seems like if the web server has stopped, you have bigger problems. try-restart would keep it stopped. Is that what you want?
Last edited:
Would be very helpful if someone can clarify whether a Let's Encrypt renewal always requires an OLS restart for the renewal to become properly effective. Nothing is mentioned in the documentation (e.g. https://openlitespeed.org/kb/lets-encrypt-ssl-on-openlitespeed/?seq_no=2)
The official certbot documentation (https://certbot.eff.org/docs/using.html?highlight=hooks#renewing-certificates) advises "You can also specify hooks by placing files in subdirectories of Certbot’s configuration directory", which seems like an alternative option to editing the files mentioned in this thread.
The official certbot documentation (https://certbot.eff.org/docs/using.html?highlight=hooks#renewing-certificates) advises "You can also specify hooks by placing files in subdirectories of Certbot’s configuration directory", which seems like an alternative option to editing the files mentioned in this thread.
the certificates should auto renewal according to the documentation but it does not for my install on a VM on GCP.
This is what I have in /etc/cron.d/certbot
Do I change the last line to this?
This is what I have in /etc/cron.d/certbot
Code:
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days. --deploy-hook "systemctl restart lsws"
#
# Important Note! This cronjob will NOT be executed if you are
# running systemd as your init system. If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob. For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' &&>Do I change the last line to this?
Code:
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook "systemctl restart lsws"