Lego: Best practice to automatically renew all certificates?

Created on 7 May 2019 · 1 Comment · Source: go-acme/lego

I've got a host where I have multiple certificates all under the --path /etc/lego. Is there a best practice for renewing those all at once with a single command (similar to certbot-renew)?

The easiest would probably be to write a small script to cycle through all the domains in that directory (or use lego list?) and then call certbot renew --path /etc/lego -d <domain> for each domain. Is there a recommended method to do this?


Most helpful comment

Today I'm using the following bash script:

#!/bin/sh
# Renew every certificate lego knows about under $lego_path, then reload nginx once
# if any of them actually changed.

lego_bin=/opt/lego/lego
lego_path=/etc/lego
lego_certs="$lego_path/certificates"
account_email="[email protected]"
key_type=rsa4096
renew_days=30

reload=0

# "lego list" prints one "Certificate Name: <domain>" line per stored certificate.
for domain in $("$lego_bin" --path "$lego_path" list | grep "Certificate Name: " | awk '{print $3}'); do
    # Remember the certificate's modification time so a renewal can be detected afterwards.
    original=$(date -r "$lego_certs/$domain.crt")

    "$lego_bin" \
          --path "$lego_path" \
          --email "$account_email" --accept-tos \
          --key-type "$key_type" \
          --http --http.port 127.0.0.1:4080 \
          --pem \
          --domains "$domain" \
          renew --days "$renew_days"

    actual=$(date -r "$lego_certs/$domain.crt")

    # lego only rewrites the file when it renewed, so a changed mtime means a reload is needed.
    if [ "$original" != "$actual" ]; then
        reload=1
    fi
done

if [ "$reload" -eq 1 ]; then
    service nginx reload
fi

# Propagates the reload's exit status when one ran; otherwise the if statement yields 0.
exit $?

Note that after renewing any certificate, my nginx is reloaded to use the renewed certificate.

I'm not using the renew-hook option because I want nginx to be reloaded once after renewing all the certificates.

Also I'm using the following reverse proxy configuration on nginx to avoid creating files on my sites.

location /.well-known/acme-challenge/ {
    proxy_pass http://127.0.0.1:4080;
    proxy_set_header Host $host;
}
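A pre-flight check that fits between the renew loop and the nginx reload above, added here as an example and not part of the original answer: before reloading, confirm that each <domain>.crt under lego's certificates directory still matches its <domain>.key and is not about to expire, so a partial or failed renewal never gets loaded. It assumes lego's default file layout and that openssl is on PATH; the demo certificate at the end is constructed, not from a real lego directory.

```shell
#!/bin/sh
# Added example, not the poster's script: pre-flight checks on lego's output
# before reloading nginx. Assumes lego's default layout <path>/certificates/<domain>.crt
# and <domain>.key, and that openssl is installed.

# cert_key_match CRT KEY: succeed only if the cert's public key equals the key's public key.
cert_key_match() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_valid_for CRT DAYS: succeed if notAfter is at least DAYS days away.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# cert_ready CRT KEY MIN_DAYS: both checks, with the reason on stderr when one fails.
cert_ready() {
    cert_key_match "$1" "$2" || { echo "SKIP reload: key mismatch for $1" >&2; return 1; }
    cert_valid_for "$1" "$3" || { echo "SKIP reload: $1 expires within $3 days" >&2; return 1; }
}

# preflight PATH MIN_DAYS: check every <domain>.crt under PATH/certificates.
# Exit status is the number of certificates that failed (0 = safe to reload nginx).
preflight() {
    bad=0
    for crt in "$1"/certificates/*.crt; do
        [ -e "$crt" ] || continue
        cert_ready "$crt" "${crt%.crt}.key" "$2" || bad=$((bad + 1))
    done
    return "$bad"
}

# Demo on a constructed, self-signed certificate valid for 40 days (not a real lego directory).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/certificates"
openssl req -x509 -newkey rsa:2048 -nodes -days 40 -subj /CN=demo.example.test \
    -keyout "$demo_dir/certificates/demo.example.test.key" \
    -out "$demo_dir/certificates/demo.example.test.crt" >/dev/null 2>&1
if preflight "$demo_dir" 30; then
    echo "all certificates under $demo_dir pass; nginx reload would be safe"
fi
rm -rf "$demo_dir"
```

In the poster's loop this replaces the bare `if [ "$reload" -eq 1 ]` with `if [ "$reload" -eq 1 ] && preflight "$lego_path" "$renew_days"`, so a mismatched key or a still-stale certificate logs a reason and leaves nginx untouched.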
