Automated TLS certificate rotation with certbot

[createyourpersonalaccount]

Hello,

I'm trying to think about automatic tls cert rotation with my nginx-unit server. I have read the instructions at https://unit.nginx.org/howto/certbot/ but I don't understand the "temporary route" for the webroot method. How is it temporary? In particular, how can I update my TLS cert without shutting down the server? Port 80 is already serving my litestar app. In this letsencrypt forums answer you can see how to use certbots --deploy-hook, so something like this is what I had in mind.

I was hoping I could use this hook without having to shut down my server. Is this possible? Is it a bad idea?

[javorszky]

Hi there,

Thanks for getting in touch! I'm going to tackle different parts of your questions in sections.

The temporary route

The word "temporary" there is sort of a misnomer. The reason it's temporary is because technically we only need this until certbot is happy that it can reach the token file on that route and issues the certificates. After that we could remove the routing to the .well-known path. We don't have to, because it's useful to keep it around when renewal and rollover comes around.

Certbot uses Let's Encrypt's HTTP-01 challenge here.

In order to do this without shutting down Unit:

1. query your current configuration from the Unit instance
2. add the route match rule for the token as described in the temporary route option (ie if the request comes into .well-known/acme-challenge/*, then share whatever is requested from a directory
3. run the certbot command for the webroot authentication passing the directory that the unit rule is sharing from
4. this should result in certificate files that you should bundle up per the Unit documentation
5. and then send the new configuration for your domain at domain uploading the certificates and the changed configuration
6. Unit should then reconfigure itself without you needing to shut down and restart unit

Using the --deploy-hook method

That builds on the above. The prerequisite is that the rule for the .well-known/acme-challenge/* route stays active as long as you want to keep the auto renewal up and running.

If you use the server where certbot is installed to renew certificates for a single domain, then you can put the script you're about to write in the /etc/letsencrypt/renewal-hooks/deploy/ directory, as the forum answer says.

That way when you hae a cron job running every 88 days or so (just a bit shorter than the 90 day renewal period), your script will execute. The cron job would be something like this command (you might need sudo here):

$ certbot certonly --webroot -w /var/www/www.example.com/ -d www.example.com

Then in your script you can do all of the steps that you would manually do:

• bundle certs
• upload the certs with a curl command
• update the configuration with a curl command

This should theoretically work. Let me know if you'd like more guidance, or have any other questions!

And again, thank you for using Unit 🙂

[createyourpersonalaccount]

Thank you for the response, it is very helpful. I'm postponing this for later because my certificate won't expire until November and I'm currently working on other aspects of the server, but I will get back to you with my results.

[ac000]

That way when you hae a cron job running every 88 days

Just to say it's better to run the job weekly, that way if it randomly fails for some reason, you won't end up with an expired certificate. (That's certainly what I do...)