Automate the Renewal of a Let’s Encrypt SSL/TLS Certificate on an AWS EC2 Instance

This is part of my Introduction to Installing Let’s Encrypt Certificates for WordPress on Amazon Web Services (AWS) tutorial.

In Renew a Let’s Encrypt SSL/TLS Certificate on an AWS EC2 Instance I went over the steps to renew your Let’s Encrypt SSL/TLS certificate, which expires 90 days after it is issued. It’s good to know how to renew the certificate yourself, but once you do, you can follow the steps below to automate that renewal process so the site never serves an expired certificate.

In this example I am automating the renewal of a Let’s Encrypt SSL/TLS certificate on a LAMP-stack virtual server (in this case an EC2 instance from Amazon Web Services) over Secure Shell (SSH) using the command line. I am using the macOS Terminal, which is Unix-based, but the commands will be the same regardless of what command-line interface you are using. I am also using the Cyberduck FTP client, but any FTP client should work.

Warning

  • When working with SSL/TLS certificates, be very careful. If you are planning on adding, renewing, or removing an SSL/TLS certificate, make sure you create a complete backup of your website before trying anything.
  • If you are working with AWS EC2 instances, always take a snapshot of the instance’s storage volume before you try any of these steps. If anything goes wrong, you can always stop the instance, detach the volume, and attach a new volume created from your snapshot.

Automate the Renewal of an SSL/TLS Certificate from Let’s Encrypt on Your EC2 Instance

  1. Open a text editor and paste the following text into it:
    #!/bin/bash
    # Apache holds port 80, which lego needs to answer the HTTP challenge, so stop it first.
    sudo /opt/bitnami/ctlscript.sh stop apache
    # Renew the certificate whose account and files live under /etc/lego.
    sudo /usr/local/bin/lego --email="email@email.com" --domains="domain.com" --path="/etc/lego" renew
    # Bring Apache back up so the site serves the renewed certificate.
    sudo /opt/bitnami/ctlscript.sh start apache

    • Replace email@email.com with the email address where you want to receive updates about your certificate, including warnings when your certificate is about to expire.
    • Replace domain.com with the domain name for the Let’s Encrypt certificate that you are renewing. Include www. as needed.
    • The script runs from the root user’s crontab, so the sudo prefixes are redundant but harmless. Newer lego releases also require the challenge type to be named explicitly (for example --http before renew); check lego --help on your instance if the renew command complains.
  2. Save the text file as renew-certificate.sh.
  3. Connect to your EC2 instance the same way you did in WordPress on Amazon EC2: Connect to an Instance via SSH.
  4. Type sudo chown -R bitnami:bitnami /etc/lego and press Enter. This temporarily makes the bitnami user, the account your FTP client logs in as, the owner of the lego directory so that it can write into it.
  5. Now open your FTP client and use the steps in WordPress on Amazon EC2: Connect to an Instance via FTP.
  6. Use your FTP client to navigate to the lego directory at /etc/lego. In this case, /etc is at the top level.
  7. Upload renew-certificate.sh file into lego.
  8. Go back to Terminal, type chmod +x /etc/lego/renew-certificate.sh, then press Enter. The chmod +x command makes renew-certificate.sh executable, which cron needs in order to run it.
  9. Type sudo crontab -e to open the root user’s crontab in the instance’s default editor (the keystrokes below are nano’s).
  10. After the commented-out section of the crontab, enter the following text: 0 0 1 * * /etc/lego/renew-certificate.sh 2> /dev/null. This runs the script at 00:00 on the first day of every month. Note that 2> /dev/null throws away lego’s error messages, so a failed renewal goes unnoticed until the certificate expires; if you prefer a record, send the output to a log file instead, for example >> /var/log/renew-certificate.log 2>&1 (a file name chosen here as an example).
  11. Press Control and O to write out the crontab file. These are nano’s keystrokes on the instance, so use the Control key even in macOS Terminal, not Command.
  12. Press Enter to confirm the file name and save your changes.
  13. Press Control and X to exit the editor. crontab installs the new table when the editor closes.
  14. Type sudo chown -R root:root /etc/lego and press Enter to chown the lego directory back to the root user. This matters beyond tidiness: root’s cron job executes whatever is in renew-certificate.sh, so the bitnami account must not keep write access to it. If the upload left the file group- or world-writable, also run sudo chmod 755 /etc/lego/renew-certificate.sh.
  15. Type stat -c %U /etc/lego and press Enter to confirm that your chown command changed ownership back to root, then type ls -l /etc/lego/renew-certificate.sh to confirm the script is owned by root and not writable by group or others (the permissions should read -rwxr-xr-x).
  16. You are done. Type exit and press Enter to end the SSH session.
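The three-line script above does the job, but a practitioner would want a few more guarantees from something root’s cron runs unattended: that the file it executes cannot have been edited by a non-root user, that failures are logged rather than discarded, that Apache is not bounced when nothing needs renewing, and that Apache comes back even if lego fails. The following is an added example of such a hardened renew-certificate.sh, not the tutorial’s own script. It keeps the tutorial’s placeholders and Bitnami paths; the log file name, the 30-day renewal threshold, the "run" argument and the certificate location under the lego directory (lego’s usual certificates/<domain>.crt layout) are assumptions made here. The permission check uses Linux stat, which is what the EC2 instance provides.

```shell
#!/bin/bash
# Added example (not the tutorial's own script): a hardened renew-certificate.sh
# that refuses to run from a file a non-root user can edit, logs instead of
# discarding errors, skips the Apache restart when no renewal is due, and
# restarts Apache even if lego fails. Placeholders and paths follow the
# tutorial; the log file and 30-day threshold are assumptions made here.
set -eu

EMAIL="${EMAIL:-email@email.com}"
DOMAIN="${DOMAIN:-domain.com}"
LEGO_PATH="${LEGO_PATH:-/etc/lego}"
LEGO_BIN="${LEGO_BIN:-/usr/local/bin/lego}"
CTLSCRIPT="${CTLSCRIPT:-/opt/bitnami/ctlscript.sh}"
LOG_FILE="${LOG_FILE:-/var/log/renew-certificate.log}"   # assumed path
RENEW_THRESHOLD_DAYS="${RENEW_THRESHOLD_DAYS:-30}"       # assumed threshold

log() { printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >> "$LOG_FILE"; }

# check_script_safe FILE [OWNER]: prints "ok" and returns 0 when FILE is owned
# by OWNER (default root) and is neither group- nor world-writable; otherwise
# prints the reason and returns 1. Anything root's cron runs must pass this.
check_script_safe() {
  local file want st owner perm
  file=$1; want=${2:-root}
  st=$(stat -c '%U %A' "$file") || return 1    # e.g. "root -rwxr-xr-x"
  set -- $st
  owner=$1; perm=$2
  if [ "$owner" != "$want" ]; then
    echo "owner is $owner, expected $want"; return 1
  fi
  case "$perm" in                                # 6th char: group w, 9th: other w
    ?????w*|????????w*)
      echo "permissions $perm are group- or world-writable"; return 1 ;;
  esac
  echo ok
}

# days_left NOT_AFTER_EPOCH NOW_EPOCH: whole days until the certificate expires.
days_left() { echo $(( ($1 - $2) / 86400 )); }

# renewal_due NOT_AFTER_EPOCH NOW_EPOCH [THRESHOLD_DAYS]: succeeds when the
# certificate expires within THRESHOLD_DAYS (Let's Encrypt certificates live
# 90 days, so a monthly cron run with a 30-day threshold never misses one).
renewal_due() {
  [ "$(days_left "$1" "$2")" -le "${3:-$RENEW_THRESHOLD_DAYS}" ]
}

# cert_not_after_epoch FILE: expiry of a PEM certificate as Unix time.
# Needs openssl and GNU date; only called from main, on the real certificate.
cert_not_after_epoch() {
  date -d "$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2-)" +%s
}

main() {
  local reason cert not_after now rc
  if ! reason=$(check_script_safe "$0" root); then
    log "refusing to run $0: $reason"; exit 1
  fi
  cert="$LEGO_PATH/certificates/$DOMAIN.crt"   # lego's usual layout (assumed)
  not_after=$(cert_not_after_epoch "$cert"); now=$(date +%s)
  if ! renewal_due "$not_after" "$now"; then
    log "$DOMAIN: $(days_left "$not_after" "$now") days left, nothing to do"; return 0
  fi
  # Apache must give up port 80 for the HTTP challenge; the trap brings it
  # back even if lego fails or set -e aborts the script.
  trap '"$CTLSCRIPT" start apache >> "$LOG_FILE" 2>&1' EXIT
  "$CTLSCRIPT" stop apache >> "$LOG_FILE" 2>&1
  rc=0
  "$LEGO_BIN" --email="$EMAIL" --domains="$DOMAIN" --path="$LEGO_PATH" renew \
    >> "$LOG_FILE" 2>&1 || rc=$?
  if [ "$rc" -ne 0 ]; then
    log "$DOMAIN: lego renew failed with status $rc"; exit "$rc"
  fi
  log "$DOMAIN: renewed, $(days_left "$(cert_not_after_epoch "$cert")" "$now") days left"
}

# Only act when invoked with "run", so the crontab line becomes
# 0 0 1 * * /etc/lego/renew-certificate.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

Install it exactly as the tutorial describes (upload, chmod +x, chown back to root), and change the crontab entry to end in renew-certificate.sh run, dropping the 2> /dev/null since the script keeps its own log. If the bitnami user can still write to the file, the job logs a refusal and does nothing, which is the behaviour you want from a root cron job; the monthly schedule still works because the script only touches Apache when the certificate is within the renewal threshold.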