Automatically renew Let’s Encrypt certificates using Certbot on Ubuntu 24.04

Certbot is designed to automatically renew certificates before they expire. The process works as follows:

  1. Systemd Timer Triggers Certbot Renewal
  • Ubuntu 24.04 uses systemd to manage Certbot’s auto-renewal.
  • The certbot.timer is a systemd timer that triggers certbot.service twice daily to check for certificate renewal.

To verify the timer is active, run:

systemctl list-timers --all | grep certbot

Output:

Thu 2025-03-13 02:08:19 UTC 2h 41min Wed 2025-03-12 22:51:27 UTC     35min ago certbot.timer                  certbot.service

The columns are the next scheduled run and how long until it, then the last run and how long ago it was (the start times vary because the timer adds a random delay to spread load on the CA). At the next run the timer starts certbot.service, which executes certbot renew; a certificate is only actually renewed if it is due. If grep prints nothing, the timer is not active and no automatic renewal will happen until it is enabled and started.

To check the timer status:

systemctl status certbot.timer

  2. Certbot Runs certbot renew

When the timer triggers, certbot.service runs:

certbot renew

  • Certbot reads every renewal configuration in /etc/letsencrypt/renewal/ (one per certificate lineage; the current certificate of each lineage is what /etc/letsencrypt/live/<name>/ links to) and renews any certificate that expires within 30 days.
  • If no certificate is due, it exits without making any changes.

To manually test renewal:

sudo certbot renew --dry-run

This runs the renewal flow against the Let's Encrypt staging environment and does not save the resulting certificates, so it proves the challenges still work without using production rate limits. Pre and post hooks are executed during a dry run; deploy hooks are not.

  3. Certbot Executes Renewal Hooks

Scripts in /etc/letsencrypt/renewal-hooks/post/

  • After a renewal attempt, Certbot executes every executable file in /etc/letsencrypt/renewal-hooks/post/, once per run, whether or not the attempt succeeded. Post hooks only run when at least one renewal was attempted.
  • If you want Nginx reloaded only when a certificate was actually issued, put the script in /etc/letsencrypt/renewal-hooks/deploy/ instead. Deploy hooks run once per successfully renewed certificate and receive the certificate directory in RENEWED_LINEAGE and its domain names in RENEWED_DOMAINS.
  • Everything in these directories runs as root on every renewal, so keep the directories and scripts owned by root and not writable by any other user.
  • If you need Nginx to reload, create:

sudo nano /etc/letsencrypt/renewal-hooks/post/reload_nginx.sh

Add:

#!/bin/bash
# Validate the configuration first so a broken vhost is reported as a hook failure instead of being silently kept.
set -eu
nginx -t && systemctl reload nginx

Make it executable:

sudo chmod +x /etc/letsencrypt/renewal-hooks/post/reload_nginx.sh
  4. Certbot Logs the Renewal

Certbot logs renewal attempts in:

/var/log/letsencrypt/letsencrypt.log

Because the renewal is started by systemd, the output of certbot.service itself (including hook failures) also lands in the journal for that unit.

To check the most recent renewal logs:

sudo tail -n 50 /var/log/letsencrypt/letsencrypt.log
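The four steps above all depend on the timer firing and the hook working; the one check a practitioner actually wants is an independent view of what is on disk. The script below is an added example, not part of the original post or of Certbot: it reads every certificate under the Certbot live directory with openssl, reports the days remaining, and exits non-zero when any certificate is already inside the renewal window (meaning a scheduled renewal has not happened). It assumes GNU date (as shipped on Ubuntu), openssl, the standard /etc/letsencrypt layout, and a WARN_DAYS threshold that defaults to Certbot's 30-day window; the file name check_le.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): an independent renewal check that
# does not trust the timer. It reads each certificate under the certbot live
# directory, prints the days left, and exits 2 if any certificate is already
# inside the renewal window, so it can run from cron or a monitoring agent.
# Assumptions: GNU date (as on Ubuntu), openssl, the standard certbot layout,
# and the WARN_DAYS threshold below (certbot's default window is 30 days).
set -u

WARN_DAYS="${WARN_DAYS:-30}"

# days_left NOTAFTER_LINE NOW_EPOCH
# NOTAFTER_LINE is the "notAfter=Mar 13 02:08:19 2025 GMT" line that
# `openssl x509 -noout -enddate` prints. Prints whole days remaining,
# negative once the certificate has expired; fails if the date will not parse.
days_left() {
    local not_after="${1#notAfter=}" now="$2" exp
    exp=$(date -u -d "$not_after" +%s) || return 1
    echo $(( (exp - now) / 86400 ))
}

# check_cert PEM_PATH [NOW_EPOCH]
# Prints "<lineage> <days>d". Returns 0 if outside the warning window,
# 2 if inside it (a renewal should already have happened), 1 if unreadable.
check_cert() {
    local pem="$1" now="${2:-$(date -u +%s)}" line days
    line=$(openssl x509 -noout -enddate -in "$pem" 2>/dev/null) || return 1
    days=$(days_left "$line" "$now") || return 1
    echo "$(basename "$(dirname "$pem")") ${days}d"
    [ "$days" -gt "$WARN_DAYS" ] || return 2
}

# check_all [LIVE_DIR]
# Walks every lineage; certbot keeps the current certificate at live/<name>/cert.pem.
# Returns the worst status seen (2 beats 1 beats 0).
check_all() {
    local dir="${1:-/etc/letsencrypt/live}" rc=0 pem st
    for pem in "$dir"/*/cert.pem; do
        [ -e "$pem" ] || { echo "no certificates under $dir" >&2; return 1; }
        st=0; check_cert "$pem" || st=$?
        [ "$st" -gt "$rc" ] && rc=$st
    done
    return "$rc"
}

# Invoke as "sudo sh check_le.sh run" (hypothetical file name) to check the
# system; without the argument only the functions are defined, so the file
# can be sourced from another script.
if [ "${1:-}" = "run" ]; then
    check_all; rc=$?
    # Cross-check against certbot's own view and the last timer-driven run.
    command -v certbot >/dev/null 2>&1 && certbot certificates 2>/dev/null | grep -E 'Certificate Name|Expiry Date'
    command -v journalctl >/dev/null 2>&1 && journalctl -u certbot.service -n 20 --no-pager
    exit "$rc"
fi
```

Exit status 2 is the interesting one: Certbot should have renewed anything inside the window at its last run, so a 2 from a daily cron job means the timer, a challenge, or a hook is broken and the certificate is quietly heading toward expiry. The script deliberately reads the certificates directly rather than asking Certbot, so it still works when Certbot itself is the component that failed.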
