All the first Let's Encrypt certs for my websites from the LE private beta began expiring last week, so it was time to work through the renewal tooling. I wanted a script that:

  1. Would be okay to run daily, so there'd be plenty of retries if something went wrong,
  2. Wouldn't require extra config for me to forget about if I add a new site,
  3. Would only renew certificates expiring in the next few weeks.

The official Let's Encrypt client team is hard at work producing a great renew tool to handle all this, but it's not released yet. Of course I could use Caddy Server that just handles all this, but I have a lot invested in Nginx here.

So I wrote a short script and put it up in a Gist.

The script is designed to run daily, with a random start between 00:00 and 02:00 to protect against load spikes at Let's Encrypt's infrastructure. It doesn't do any real reporting, though, except to maintain /var/log/letsencrypt/renew.log as the most-recent failure if one fails.

It's written to handle Nginx with Upstart's service command. It's pretty modular though; you could make this operate any webserver, or use the webroot method quite easily. Feel free to use the OpenSSL SubjectAlternativeName processing code for whatever purposes you have.

Happy renewing!