Automated Renewal Best Practices

Automated renewal prevents certificate expiration, but only when the job is configured correctly and its outcome is actually watched: a renewal job that has silently stopped running looks exactly like one that is working until the day the certificate expires. Run certbot renew at least once a day (certbot only renews a certificate inside its renewal window, 30 days before expiry by default, and recommends running the command twice a day so that a transient failure gets many retries before the deadline), log every attempt, and alert a human on any failure. Reload the consuming services only when a certificate was actually replaced; they keep serving the old certificate from memory until they are reloaded.

Robust renewal setup:

# Cron job with error handling. Note: the Debian/Ubuntu certbot packages already
# install a certbot.timer or /etc/cron.d/certbot entry; keep only one scheduler
# so two renew runs do not race for the same lineage.
cat > /etc/cron.daily/certbot-renew <<'EOF'
#!/bin/bash
set -u
LOG="/var/log/certbot-renewal.log"
EMAIL="admin@example.com"      # placeholder: set to your alerting address
RUN_LOG="$(mktemp)"            # this run's output only
trap 'rm -f "$RUN_LOG"' EXIT

echo "=== Renewal attempt at $(date) ===" >> "$LOG"

# Capture the current run separately: grepping the cumulative log would match
# lines from earlier runs, and mailing it would send the whole history.
if ! certbot renew >> "$RUN_LOG" 2>&1; then
    cat "$RUN_LOG" >> "$LOG"
    echo "Renewal failed" >> "$LOG"
    mail -s "Certificate renewal failed on $(hostname)" "$EMAIL" < "$RUN_LOG"
    exit 1
fi
cat "$RUN_LOG" >> "$LOG"

# Reload services only if at least one certificate was actually renewed.
# certbot prints "No renewals were attempted." when every certificate is still
# outside its renewal window; matching the per-certificate "Cert not yet due for
# renewal" line instead would skip the reload whenever any one cert was not due.
if grep -q "No renewals were attempted" "$RUN_LOG"; then
    echo "No renewal needed" >> "$LOG"
else
    echo "Reloading services" >> "$LOG"
    systemctl reload nginx
    systemctl reload postfix
fi
EOF

chmod +x /etc/cron.daily/certbot-renew
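
The cron job above only reports a renewal that fails; it cannot report a cron job that never runs. The following added example (not code from the original page or from the certbot project) is an independent expiry check meant to run from a separate monitoring job. It parses the output of certbot certificates; the assumed format is the per-lineage "Expiry Date: ... (VALID: N days)" and "(INVALID: ...)" lines, and the sample input embedded below is constructed in that layout, not real output. The 20-day threshold is an example value chosen to leave two thirds of the 30-day renewal window as a buffer.

```shell
#!/bin/sh
# Added example (not part of the original page): an expiry check that runs from
# a separate monitoring job, so a renewal cron job that silently stops firing is
# still noticed. It parses the output of `certbot certificates`.
# Assumption: the per-lineage "Expiry Date: ... (VALID: N days)" / "(INVALID: ...)"
# lines; the sample input below is constructed in that format.

# report_expiring THRESHOLD_DAYS   (reads `certbot certificates` output on stdin)
# Prints "<lineage> <days-left|INVALID>" for every lineage with fewer days left
# than the threshold or already invalid; exit status 1 if any such lineage exists.
report_expiring() {
    awk -v thr="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            # "VALID: 59 days" -> 59 ; "INVALID: EXPIRED" has no digits and falls through
            if (match($0, /VALID: [0-9]+ day/)) {
                days = substr($0, RSTART + 7, RLENGTH - 11) + 0
                if (days < thr + 0) { print name, days; bad = 1 }
            } else if ($0 ~ /INVALID/) {
                print name, "INVALID"; bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample in the `certbot certificates` layout (not real output).
SAMPLE_CERTS='Found the following certs:
  Certificate Name: www.example.com
    Domains: www.example.com example.com
    Expiry Date: 2024-06-01 12:00:00+00:00 (VALID: 59 days)
    Certificate Path: /etc/letsencrypt/live/www.example.com/fullchain.pem
  Certificate Name: mail.example.com
    Domains: mail.example.com
    Expiry Date: 2024-04-15 12:00:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/mail.example.com/fullchain.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2024-01-01 12:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem'

# check_sample THRESHOLD_DAYS: runs the check over the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_CERTS" | report_expiring "$1"
}

# Production wiring from a monitoring cron entry (20 days leaves two thirds of
# the default 30-day renewal window as a buffer):
#   certbot certificates 2>/dev/null | report_expiring 20 \
#       || mail -s "TLS certificates at risk on $(hostname)" admin@example.com
```

Because the check reads certbot's own view of the lineages, it catches the case where renewal stopped (days keep counting down past the threshold) as well as a lineage that was deleted or replaced by a staging certificate (INVALID), without trusting the renewal job's log.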

# Hooks: --deploy-hook runs only after a certificate was actually renewed, so it
# is the right place for service reloads; --post-hook runs after every renew
# attempt, even when nothing was renewed, so it is the right place for a
# heartbeat to the monitoring system. Executables placed in
# /etc/letsencrypt/renewal-hooks/deploy/ and /etc/letsencrypt/renewal-hooks/post/
# are run the same way on every certbot renew without any command-line flags.
certbot renew --deploy-hook "systemctl reload nginx" --post-hook "/usr/local/bin/notify-renewal.sh"
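
A single "systemctl reload nginx" deploy hook reloads the web server even when the certificate that renewed belongs to the mail server. The following added example (not code from the original page or from the certbot project) is a deploy-hook script that reloads only the units that consume the renewed lineage and logs the event to syslog for the monitoring system. It relies on certbot exporting RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks; the lineage-to-unit mapping and the install path /etc/letsencrypt/renewal-hooks/deploy/reload-services.sh are an assumed example layout.

```shell
#!/bin/sh
# Added example (not code from the original page or from certbot): a deploy hook
# that reloads only the services that consume the renewed lineage and logs the
# event for the monitoring system. certbot runs deploy hooks only after a
# successful renewal and exports RENEWED_LINEAGE (e.g.
# /etc/letsencrypt/live/mail.example.com) and RENEWED_DOMAINS (space-separated).
# Install as /etc/letsencrypt/renewal-hooks/deploy/reload-services.sh, executable.
# The lineage-to-unit mapping is an assumed example layout; adjust to your hosts.

# services_for_lineage LINEAGE_PATH -> space-separated systemd units to reload
services_for_lineage() {
    case "$(basename "$1")" in
        www.example.com)  echo "nginx" ;;
        mail.example.com) echo "postfix dovecot" ;;
        *)                echo "nginx" ;;   # anything else is served by the web tier
    esac
}

# reload_for_lineage LINEAGE_PATH [dry]
# Reloads each mapped unit; with a second argument of "dry" it only prints the
# planned actions. Returns 1 if any reload fails (certbot records a hook's
# non-zero exit status and stderr in the renew output, so the failure reaches
# the renewal log rather than being lost).
reload_for_lineage() {
    rc=0
    for unit in $(services_for_lineage "$1"); do
        if [ "${2:-}" = "dry" ]; then
            echo "would reload $unit"
        elif ! systemctl reload "$unit"; then
            logger -t certbot-deploy -p daemon.err "reload of $unit after renewing $1 failed"
            rc=1
        fi
    done
    return "$rc"
}

# Hook entry point: only act when certbot invoked us (RENEWED_LINEAGE is set),
# so sourcing or testing the file does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    logger -t certbot-deploy "renewed $RENEWED_LINEAGE for: ${RENEWED_DOMAINS:-}"
    reload_for_lineage "$RENEWED_LINEAGE"
fi
```

Try it before wiring it in with `certbot renew --dry-run` (which also runs deploy hooks against the staging environment) or by calling the script with RENEWED_LINEAGE set by hand; the dry argument lets you confirm the mapping without touching any service.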