Automating letsencrypt certificate renewal with cron

Letsencrypt allows you to install free SSL certificates on your site. The certificates expire after 3 months and they need to be renewed to avoid certificate errors.

Depending on how you install letsencrypt, and once you configure the certificates on the site, you will want to setup automatic renewal so you don’t have to manually check and renew.

You can setup automated renewals using cron scheduling tool on linux and the following steps:

1. Sudo to root user:
sudo su –

2. Edit crontab file:
crontab -e

3. Add the following line:
00 9 * * 6 /etc/letsencrypt/.certbot-auto renew –no-random-sleep-on-renew –renew-hook ‘/sbin/service httpd restart’ > /var/log/cert_renew.log 2>&1

Let’s break down the entry to see what some of the elements mean:

00 9 * * 6
This is the schedule part, we are going to run every Saturday (day 6) at 9:00am

/etc/letsencrypt/.certbot-auto renew –no-random-sleep-on-renew
This executes the renew command and specifies that there should be no random sleep delay because of the non-interactive (no user input) mode

–renew-hook ‘/sbin/service httpd restart’
The renew hook allows running of a command upon certificate renewal, so only if the certificate or certificates were expired and had to be renewed

> /var/log/cert_renew.log 2>&1
Finally, we are redirecting the output of the command to the /var/log/cert_renew.log file.

You can also use a similar line for testing the command, the below uses the “–force-renewal” flag that will renew all certificates even if they are not expired yet:

51 21 * * * /etc/letsencrypt/.ertbot-auto renew –force-renewal –no-random-sleep-on-renew –renew-hook ‘/sbin/service httpd restart’ > /var/log/cert_renew.log 2>&1

Secure EC2 Apache server with Let’s Encrypt

Having an SSL secured website is no longer just a preference for sites handling sensitive data but is a necessity for all websites. There are many good reasons to secure your site even if only to improve the ranking in Google search.

Let’s Encrypt is a Certificate Authority organization providing free SSL certificates. The project is supported by many large technology organizations with the goal of securing all websites on the web.

The certificates are free and are valid for three months at a time.

A few assumptions before proceeding:

-You have installed the AMI Linux on the EC2 instance -You have installed httpd (Apache) using standard options -Your installation is done using the standard (out-of-the-box) ec2-user -You have a DNS entry to point your domain name to the EC2 instance

  1. Start apache if not already started sudo service httpd start
  2. Update all installed packages sudo yum update -y
  3. Install mod_ssl apache module sudo yum install -y mod24_ssl
  4. Bounce apache sudo service httpd restart The server will now work with HTTPS but using an untrusted certificate that will cause a warning to be displayed in the browser.
  5. Install git. Git is needed to download the letsencrypt code. sudo yum install git
  6. Clone the letsencrypt repository (download) git clone https://github.com/letsencrypt/letsencrypt.git
  7. Run the letsencrypt utility to generate and install certificate files. Note the following parameters: -d YOUR_DOMAIN – This is the domain name. You have to have DNS configured so your domain points to the EC2 instance using the public IP. --webroot-path – This path should match your DocumentRoot path in httpd.conf. By default it’s /var/www/html --email YOUR_EMAIL – This should be the email address you want to use for notifications related to letsencrypt --debug – Necessary due to experimental AMI (Amazon Linux) support. Full command: ~/letsencrypt/letsencrypt-auto certonly --renew-by-default -d YOUR_DOMAIN --authenticator webroot --webroot-path /var/www/html --email YOUR_EMAIL --agree-tos --debug
  8. A successful run should result in a message similar to the following. Note the path to the certificate files: /etc/letsencrypt/live/YOUR_DOMAIN
    The path will be needed to finish apache configuration.
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem. Your cert
   will expire on 2016-10-15. To obtain a new or tweaked version of
   this certificate in the future, simply run letsencrypt-auto again.
   To non-interactively renew *all* of your certificates, run
   "letsencrypt-auto renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to YOUR_EMAIL.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le..
  1. Edit the Apache SSL configuration file. The file came with the mod_ssl installation and is loaded automatically by apache. sudo vi /etc/httpd/conf.g/ssl.conf
  2. Update the following entries in the file
SSLProtocol-SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
SSLHonorCipherOrderon
SSLCipherSuiteECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLCertificateFile/etc/letsencrypt/live/YOUR_DOMAIN/cert.pem
SSLCertificateKeyFile/etc/letsencrypt/live/tools.vertisq.com/privkey.pem
SSLCertificateChainFile/etc/letsencrypt/live/tools.vertisq.com/chain.pem
  1. You should also redirect all traffic to HTTPS. To do so, edit the httpd.conf file sudo vi /etc/httpd/conf/httpd.conf
  2. Add the following section at the end of the file

SSL Redirect

RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

  1. Bounce apache sudo service httpd restart

The site should now show as secured in the browser. Keep in mind that the certificate will expire in 3 months. I will share steps on how to configure automatic renewal in another post.

References

Mozilla SSL Configuration Generator

Amazon guide to installing LAMP Web Server on Amazon Linux

Amazon guide to enabling SSL


Amazon guide to installing LAMP Web Server on Amazon Linux

Amazon guide to enabling SSL