Let's encrypt: Renew all your certificates using systemd
In my previous blog entry I said I would cover the renewal process for Let's Encrypt in a separate article. So here it is.
All you need is the Let's Encrypt client, an Apache webserver already configured to answer for the domain you want to validate, and systemd. Optionally there is also an application which needs to pick up the renewed certificate.
Renewal as systemd service
So first of all you write a little unit file, placed in /etc/systemd/system/ and named letsencrypt.service. It does a simple 'oneshot' task: run the renewal once and exit.
[Unit]
Description=Renews letsencrypt certificates
After=network.target

[Service]
Type=oneshot
WorkingDirectory=/opt/letsencrypt/
ExecStart=/opt/letsencrypt/letsencrypt-auto renew
The most important statements are WorkingDirectory and ExecStart. ExecStart just says which command systemd should run: the client's renew subcommand, which renews every certificate that is due. WorkingDirectory is important because the client keeps a local environment in its own directory and misses its modules if it is started from somewhere else. So if you installed the client in another location, change both paths to the correct directory.
Run the service every day
After getting your renewal service running you still need to run it periodically, so that no certificate expires. You can use cron or let systemd handle it, which is the way I prefer. I have written a unit file named letsencrypt.timer for that.
[Unit]
Description=letsencrypt timer

[Timer]
OnCalendar=daily
Persistent=true
Unit=letsencrypt.service

[Install]
WantedBy=basic.target
You can change the OnCalendar statement; in this case the unit runs daily, so you can be sure no certificate expires. Running it this often is cheap, because the client only actually renews a certificate once it is due and otherwise just exits. As an alternative to OnCalendar you can also use OnUnitInactiveSec=1d, which starts the service again one day after it last finished.
In the end you just need to activate the timer using systemctl start letsencrypt.timer, and since you want it to survive a reboot, enable it using systemctl enable letsencrypt.timer.
So the renewal part is done. Your certificates will stay up to date.
Reload your certificates in applications
Right now your certificates are renewed, but in most cases you still need to reload them in your applications for the change to take effect.
To do that you add a directory named /etc/systemd/system/letsencrypt.service.d/, and there you can just drop in all commands which should run after the renewal command has finished.
For the webserver I use my apache.conf, which contains the following two lines:
[Service]
ExecStartPost=/bin/systemctl reload apache2
Place this configuration inside the /etc/systemd/system/letsencrypt.service.d/ directory (and run systemctl daemon-reload so systemd picks up the drop-in), and your Apache reloads its configuration after the certs are renewed, so the certificates it serves stay current.
You can do the same thing with every application which needs certificates; just replace the ExecStartPost command with your own. The only thing you have to make sure of is that your Apache still answers the challenge for the domain, because every renewal is validated with a fresh challenge, exactly like the first issuance.
To test that your certificates get renewed and your Apache reloads, just try systemctl start letsencrypt.service and check your syslog or journald (journalctl -u letsencrypt.service shows the output of both the renewal and the ExecStartPost command). You'll see it works fine. To test the timer, systemctl list-timers letsencrypt.timer shows when it last ran and when it fires next; check the log after that time has passed.
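Reading the log tells you whether the command ran; it does not tell you whether fresh certificates actually landed on disk. The following is an added example and not part of the original post: a small POSIX shell script that reads the expiry date of every certificate under the client's live directory with openssl and exits non-zero if any of them is closer to expiry than a threshold. The directory layout (/etc/letsencrypt/live/<domain>/cert.pem), the script path /usr/local/sbin/letsencrypt-check.sh and the 20-day threshold are assumptions; the date parsing needs GNU date.

```shell
#!/bin/sh
# Added example (not from the original post): post-renewal expiry check meant
# to run as a second ExecStartPost= line, e.g.
#   ExecStartPost=/usr/local/sbin/letsencrypt-check.sh   (assumed path)
# A non-zero exit marks letsencrypt.service as failed, so a renewal that
# silently did nothing shows up in journald instead of going unnoticed.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"   # assumed client layout: live/<domain>/cert.pem
MIN_DAYS="${MIN_DAYS:-20}"                      # assumed threshold; the client renews certificates
                                                # about 30 days before expiry by default, so fewer
                                                # days than this means a renewal was missed

# days_left NOTAFTER
#   Prints the whole days from now until NOTAFTER, given in the format openssl
#   prints with -enddate ("notAfter=Mar 14 12:00:00 2026 GMT"; the prefix is
#   optional). Negative means already expired. Needs GNU date for -d.
days_left() {
    when="${1#notAfter=}"
    [ -n "$when" ] || return 2
    exp=$(date -u -d "$when" +%s) || return 2
    now=$(date -u +%s)
    echo $(( (exp - now) / 86400 ))
}

# cert_not_after FILE
#   Prints the notAfter line of a PEM certificate.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate
}

# check_live_dir DIR
#   Returns 0 when every DIR/*/cert.pem has at least MIN_DAYS days left,
#   1 when any certificate is short or unreadable. A missing DIR means
#   "nothing to check" and also returns 0.
check_live_dir() {
    rc=0
    for cert in "$1"/*/cert.pem; do
        [ -f "$cert" ] || continue
        name=$(basename "$(dirname "$cert")")
        if ! left=$(days_left "$(cert_not_after "$cert")"); then
            echo "$name: cannot read expiry from $cert" >&2
            rc=1
            continue
        fi
        if [ "$left" -lt "$MIN_DAYS" ]; then
            echo "$name: only $left day(s) left, renewal did not happen" >&2
            rc=1
        else
            echo "$name: $left day(s) left"
        fi
    done
    return $rc
}

check_live_dir "$LIVE_DIR" || exit 1
```

Add it as a second ExecStartPost= line in the same drop-in, after the reload: systemd runs ExecStartPost commands in order, and if one of them fails the unit is considered failed, which is exactly the visibility you want for a renewal that quietly did nothing.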
So in the end systemd and Let's Encrypt make your certification process so much simpler, your web pages more secure, and it's all free.
Let’s encrypt the whole web!
If you want to read a bit more about systemd unit files, there is some great documentation:
- official reference/man page
- Arch Wiki
- Digital Ocean article about unit files and systemd units
Most of the Let's Encrypt material comes from their official web page:
- How the challenge works
- Get and renew certificates
Their official documentation, which is a bit confusing the first time you read it.