Auto-renewing your Let's Encrypt certificate with scheduled tasks


This blog post is out-of-date – we can now manage all of your Let’s Encrypt certificates automatically. See this help page for details.

Let’s Encrypt certificates are really useful for custom domains – you can get HTTPS working on your site for free. Their one downside is that the certificate only lasts for 90 days, so you need to remember to renew it.

The good news is that you can set up a scheduled task to do that all for you – no need to put anything in your calendar.

Once you’ve done the initial Let’s Encrypt setup to get the original certificate installed, and you’ve confirmed that it’s all working, go to the “Tasks” tab, and set up a daily scheduled task (not an always-on task) with this command:

cd ~/letsencrypt && ~/dehydrated/dehydrated --cron --domain www.yourdomain.com --out . --challenge http-01 && pa_install_webapp_letsencrypt_ssl.py www.yourdomain.com

Don’t forget to replace both instances of www.yourdomain.com with your actual website’s hostname.

Most days, this will fail with a message like this from the dehydrated script:

Valid till Nov 12 15:23:59 2018 GMT (Longer than 30 days). Skipping renew!

Followed by a message from the pa_install_webapp_letsencrypt_ssl.py saying something like this:

POST to set SSL details via API failed, got <Response [400]>:{"cert":["Certificate has not changed."]}

…but this is harmless. When your certificate really does have just 30 days to go, it will succeed and your certificate will be renewed, and the new one installed.

comments powered by Disqus