Let's encrypt: Renew all your certificates using systemd
In my previous blog entry I said I would cover the renewal process for Let's Encrypt in a separate article. So here it is.
All you need is the Let's Encrypt client, an Apache web server already configured to serve the domain you want to validate, and systemd. Optionally there is an application that needs to pick up the renewed certificate.
Renewal as systemd service
First, write a small unit file in /etc/systemd/system/ and name it letsencrypt.service. It runs a simple 'oneshot' task that renews the certificates.
[Unit]
Description=Renews letsencrypt certificates
# network.target alone does not guarantee connectivity; the renewal needs it
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
# the client must be started from its own directory, see below
WorkingDirectory=/opt/letsencrypt/
ExecStart=/opt/letsencrypt/letsencrypt-auto renew
The two statements that matter are WorkingDirectory and ExecStart.
ExecStart starts the renewal: letsencrypt-auto renew checks every certificate the client manages and renews those that are close to expiry. (letsencrypt-auto is the old name of the client, which is now called certbot; the unit works the same way with the new binary, only the path changes.)
WorkingDirectory is required because the client keeps a local environment in its own directory and cannot find its modules when it is started from somewhere else. If you installed the client in another location, change both paths to the correct directory.
Run the service every day
Once the renewal service works you still have to run it periodically so that no certificate expires.
You can use cron or let systemd handle it, which is what I prefer.
For that I wrote a unit file named letsencrypt.timer.
[Unit]
Description=letsencrypt timer

[Timer]
OnCalendar=daily
# catch up on a run that was missed while the machine was down
Persistent=true
Unit=letsencrypt.service

[Install]
# timers.target is the usual target for timers; basic.target works as well
WantedBy=timers.target
You can change the OnCalendar statement. In this case the unit runs daily, so you can be sure no certificate expires; since the client only renews certificates that are actually close to expiry, the daily run is cheap. Persistent=true makes systemd run the service once immediately if a scheduled run was missed, for example because the machine was switched off.
As an alternative to OnCalendar you can use OnUnitInactiveSec=1d, which fires one day after the service last finished. Note that Persistent= only has an effect on OnCalendar timers.
Finally, make systemd read the new units with systemctl daemon-reload and activate the job with systemctl start letsencrypt.timer. To have it started on boot as well, enable it with systemctl enable letsencrypt.timer. systemctl list-timers shows when it will fire next.
So the renewal part is done. Your certificates will stay up to date.
Reload your certificates in applications
Your certificates are now renewed, but most applications only read them at startup, so you have to reload them for the change to take effect.
To do that, create a directory named /etc/systemd/system/letsencrypt.service.d/ and drop in files containing the commands that should run after the renewal command has finished.
For the web server I use a drop-in named apache.conf which contains the following two lines:
[Service]
# runs only after ExecStart (the renewal) exited successfully
ExecStartPost=/bin/systemctl reload apache2
Place this file inside the /etc/systemd/system/letsencrypt.service.d directory (the name must end in .conf or systemd ignores it, and you need another systemctl daemon-reload after adding it). Apache then reloads its configuration after the certificates are renewed, so it always serves the current ones. ExecStartPost only runs when ExecStart succeeded, so a failed renewal does not trigger a reload; it does run on days when nothing needed renewing, which is harmless for Apache but worth keeping in mind for applications with an expensive restart.
You can do the same for every application that needs the certificates. Just replace the ExecStartPost command with your own. The one thing you have to make sure of is that Apache serves the challenge for the domain, otherwise the renewal itself fails.
Conclusion
To test that your certificates get renewed and Apache reloads, run systemctl start letsencrypt.service and check the journal with journalctl -u letsencrypt.service (or your syslog). You will see it works fine. To test the timer, check the log after the timer should have fired, or look at the last and next trigger times in systemctl list-timers.
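The whole setup from the three sections above (service, timer and drop-in) together with the checks from this one, as an added shell example that is not part of the original post. It assumes, like the post, that the client lives under /opt/letsencrypt/ and that the web server is the apache2 unit; the function names and the check_units helper are mine. write_units writes the three units into a directory of your choice, check_units catches the two mistakes that silently do nothing (a drop-in without the .conf suffix and a timer pointing at a unit that does not exist), and activate holds the systemctl and journalctl commands you run as root on the real machine.

```shell
#!/bin/sh
# Added example, not the post's own code. Installs the letsencrypt service,
# timer and apache drop-in, then checks and activates them.
# Assumptions: client under /opt/letsencrypt/ (letsencrypt-auto is the old
# name of certbot), web server is the apache2 unit. Override via environment.

UNIT_DIR="${UNIT_DIR:-/etc/systemd/system}"
CLIENT_DIR="${CLIENT_DIR:-/opt/letsencrypt}"

# Write the three unit files into $1 (defaults to $UNIT_DIR).
write_units() {
    dir="${1:-$UNIT_DIR}"
    mkdir -p "$dir/letsencrypt.service.d"

    cat > "$dir/letsencrypt.service" <<EOF
[Unit]
Description=Renews letsencrypt certificates
# network-online.target (pulled in with Wants=) actually waits for connectivity;
# network.target alone only orders against the network manager starting up.
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
# The client keeps its own environment under its directory, so run from there.
WorkingDirectory=$CLIENT_DIR/
ExecStart=$CLIENT_DIR/letsencrypt-auto renew
EOF

    cat > "$dir/letsencrypt.timer" <<EOF
[Unit]
Description=letsencrypt timer

[Timer]
OnCalendar=daily
# Persistent= only affects OnCalendar= timers: catches up a run missed during downtime.
Persistent=true
Unit=letsencrypt.service

[Install]
WantedBy=timers.target
EOF

    # Drop-in files must end in .conf or systemd ignores them.
    cat > "$dir/letsencrypt.service.d/apache.conf" <<EOF
[Service]
# Runs only after ExecStart exited successfully, so a failed renewal
# never reloads apache.
ExecStartPost=/bin/systemctl reload apache2
EOF
}

# Sanity checks that need no running systemd: every drop-in ends in .conf and
# the timer points at a unit that exists. Returns non-zero on a problem.
check_units() {
    dir="${1:-$UNIT_DIR}"
    for f in "$dir"/letsencrypt.service.d/*; do
        case "$f" in
            *.conf) ;;
            *) echo "ignored drop-in (no .conf suffix): $f" >&2; return 1 ;;
        esac
    done
    unit=$(sed -n 's/^Unit=//p' "$dir/letsencrypt.timer")
    [ -f "$dir/$unit" ] || { echo "timer refers to missing unit: $unit" >&2; return 1; }
}

# Activation and verification: needs root and a running systemd, so it is
# not called by default.
activate() {
    systemctl daemon-reload                     # pick up new units and drop-ins
    systemctl enable --now letsencrypt.timer    # start now and on every boot
    systemctl start letsencrypt.service         # one manual renewal run
    journalctl -u letsencrypt.service -n 50     # renewal output
    systemctl list-timers letsencrypt.timer     # last and next trigger time
}
```

Run write_units and check_units against a scratch directory first to see what gets written; on the server, call write_units with no argument, then check_units, then activate.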
In the end systemd and Let's Encrypt make the certificate process much simpler, your web pages more secure, and it's all free.
Let's encrypt the whole web!
If you want to read more about systemd unit files, there is some great documentation:
- official reference/man page
- Arch Wiki
- Digital Ocean article about unit files and systemd units
Most of the information about Let's Encrypt comes from their official web page:
- How the challenge works
- Get and renew certificates
Their official documentation, which is a bit confusing on first reading.