Let's encrypt: Renew all your certificates using systemd

In my previous blog entry I said I have to handle the renew process for let's encrypt in an own article. So here it is.

All you need is let's encrypt, an apache webserver preconfigured to catch the domain you want to validate and systemd. And may also an application which needs to get a renewed certificate.

Renewal as systemd service

So first of all you write a little unit-file placed in /etc/systemd/system/ and name it letsencrypt.service. It does a simple 'oneshot'-Task to renew the certificates.

[Unit]
Description=Renews letsencrypt certificates  
After=network.target

[Service]
Type=oneshot  
WorkingDirectory=/opt/letsencrypt/  
ExecStart=/opt/letsencrypt/letsencrypt-auto renew  

The most important statements are the WorkingDirectory and the ExecStart statement.

The ExecStart just says that the renewal process should start and it renews your certificates automatically.

The WorkingDirectory is important because let's encrypt has a local environment in it's directory and it misses it's modules if you leave it somewhere else. So if you use another location for the client it's important for you to change to the correct directory.

Run the service every day

After getting your renewal process running you still need to run it periodically to prevent the expiration of your certificates.

You can use cron or let handle it by systemd itself, which is the way I prefer.

I have written an unit-file named letsencrypt.timer for that.

[Unit]
Description=letsencrypt timer

[Timer]
OnCalendar=daily  
Persistent=true  
Unit=letsencrypt.service

[Install]
WantedBy=basic.target  

You can change the OnCalendar statement. In this case the unit will run daily. So you are sure no certificate expires.

As alternative to OnCalendar you can also use OnUnitInactiveSec=1d to let it run once a day.

In the end you just need to activate the job using systemctl start letsencrypt.timer and may want to run it on startup so enable it using systemctl enable letsencrypt.timer.

So the renewal part is done. Your certificates will stay up to date.

Reload your certificates in applications

Right now your certificates are renewed, but you mostly need to reload them in your applications to get the changes effectively.

To do that you add a directory named letsencrypt.service.d

And there you can just drop all commands which should run after the renewal command is done.

For the webserver I use my apache.conf which contains the following two lines:

[Service]
ExecStartPost=/bin/systemctl reload apache2  

Place this config inside the /etc/systemd/system/letsencrypt.service.d-directory and your apache reloads its configs after the certs are renewed so your apache certificates stays in tune.

You can do the same thing with every application which needs certificates. Just replace the ExecStartPost statement with your command. The only thing you have to make sure is that your apache catches the challenge for the domain.

Conclusion

To test that your certificates get renewed and your apache reloads just try systemctl start letsencrypt.service and check your syslog or journald. You'll see it works fine. For testing the timer just check the log after your timer should have run.

So in the end systemd and let's encrypt makes your certification process so much simpler, your webpages more secure and it's all free.

Let's encrypt the whole web!


If you want to read a bit more about systemd unit files there are some great documentations.

About let's encrypt most stuff is from their official web page

×

Stay in touch

By follow me on Twitter, follow RSS or sign up for my newsletter.