In this article, we will learn how to automate SSL certificate renewal using a shell script. SSL certificates are essential for securing websites and ensuring encrypted communication between servers and clients. Manually renewing SSL certificates is time-consuming and prone to human error. Automating the process streamlines certificate management, reduces the risk of expiration-related outages, and keeps your web infrastructure continuously protected.
Prerequisites
- AWS Account with Ubuntu 24.04 LTS EC2 Instance.
- Basic knowledge of Shell scripting.
Step #1: Install Certbot on Ubuntu
Update the system packages.
sudo apt update
Now let's install Certbot. Certbot is a free and open-source tool that automates obtaining and renewing SSL/TLS certificates from Let's Encrypt.
sudo apt install certbot python3-certbot-nginx
Step #2: Create a file in Ubuntu
Open the terminal and use the nano command to create a new file.
nano ssl.sh
Step #2: Write Shell script for SSL Certificate Renewal
Add the following script for SSL certificate renewal.
#!/bin/bash
# Define domain and email variables
DOMAIN="practice-cert.tech"
EMAIL="[email protected]"
# Define the path to the Let's Encrypt client (Certbot)
LE_SCRIPT="/usr/bin/certbot"
# Define the path to the SSL certificate (full chain) that Certbot maintains for the domain
CERTIFICATE_PATH="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
# Define the path to the certificate renewal log file
LOG_FILE="/var/log/certbot-renewal.log"
# Check if the certificate needs renewal (dry run; output is appended so earlier runs stay in the log)
if ! "$LE_SCRIPT" renew --dry-run >> "$LOG_FILE" 2>&1; then
    # Certificate needs renewal, execute renewal
    echo "$(date +"%Y-%m-%d %H:%M:%S") - Certificate for $DOMAIN needs renewal" >> "$LOG_FILE"
    # Execute certificate renewal
    "$LE_SCRIPT" renew --noninteractive --agree-tos --email "$EMAIL" >> "$LOG_FILE" 2>&1
    # Check if renewal was successful
    if [ $? -eq 0 ]; then
        echo "$(date +"%Y-%m-%d %H:%M:%S") - Certificate for $DOMAIN successfully renewed" >> "$LOG_FILE"
        # Restart web server to apply changes
        systemctl restart nginx
    else
        echo "$(date +"%Y-%m-%d %H:%M:%S") - Certificate renewal for $DOMAIN failed" >> "$LOG_FILE"
    fi
else
    # Certificate doesn't need renewal
    echo "$(date +"%Y-%m-%d %H:%M:%S") - Certificate for $DOMAIN is up to date, no renewal needed" >> "$LOG_FILE"
fi
Save the file and exit the editor.
Explanation of the script:
The script starts with the shebang (#!/bin/bash), which indicates that the script should be executed using the Bash shell.
Variable Definitions
- DOMAIN: Specifies the domain for which the SSL certificate is issued.
- EMAIL: Email address for receiving notifications from Let's Encrypt.
- LE_SCRIPT: Path to the Certbot executable, which manages SSL certificate issuance and renewal.
- CERTIFICATE_PATH: Path to the SSL certificate. This is where Certbot stores the full chain of certificates for the specified domain.
- LOG_FILE: Path to the log file where renewal activities and outcomes are recorded.
Renewal Check
- This command checks if the certificate needs renewal by performing a dry run (--dry-run). A dry run simulates the renewal process without making any changes. The output is logged to LOG_FILE.
- The if statement checks the result of the dry run. If it fails (returns a non-zero exit status), the script proceeds to renew the certificate.
Certificate Renewal
- Logs that the certificate needs renewal.
- Executes the actual certificate renewal with the renew command.
- --noninteractive: Runs the command in non-interactive mode, suitable for automation.
- --agree-tos: Automatically agrees to the Let's Encrypt terms of service.
- --email $EMAIL: Specifies the email address for notifications.
Post-Renewal Actions
- Checks the exit status ($?) of the renew command.
- If 0 (success), logs that the renewal was successful.
- Restarts the Nginx web server (systemctl restart nginx) to apply the updated certificate.
- If the renewal failed, logs the failure.
No Renewal Needed
- If the dry run succeeds (the certificate doesn't need renewal), logs that no renewal is necessary.
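The script above decides whether to renew from the exit status of a dry run. A check practitioners often add alongside it reads the expiry date out of the certificate itself, so the decision is based on the certificate's notAfter value, and it lets Certbot's --deploy-hook reload Nginx only when a renewal actually took place. The following script is an added example and not the article's own code; it assumes GNU date (as shipped on Ubuntu), openssl on the PATH, Certbot at /usr/bin/certbot, and the same DOMAIN, CERTIFICATE_PATH and LOG_FILE values as the article. The 30-day renewal window and the "run" argument that starts the script are choices made here, not Certbot settings.

```shell
#!/bin/bash
# Added example (not from the original article): decide on renewal from the
# certificate's own expiry date and reload nginx only after a real renewal.
# Assumptions: GNU date (Ubuntu), openssl on PATH, certbot at /usr/bin/certbot.
set -u

DOMAIN="${DOMAIN:-practice-cert.tech}"
CERTIFICATE_PATH="${CERTIFICATE_PATH:-/etc/letsencrypt/live/$DOMAIN/fullchain.pem}"
LOG_FILE="${LOG_FILE:-/var/log/certbot-renewal.log}"
CERTBOT="${CERTBOT:-/usr/bin/certbot}"
# Renew when this many days or fewer remain (hypothetical threshold chosen for this example).
RENEW_WITHIN_DAYS="${RENEW_WITHIN_DAYS:-30}"

log() { printf '%s - %s\n' "$(date +"%Y-%m-%d %H:%M:%S")" "$*" >> "$LOG_FILE"; }

# Print the certificate's notAfter value as openssl reports it, e.g. "Jun 30 12:00:00 2025 GMT".
cert_not_after() { openssl x509 -noout -enddate -in "$1" | cut -d= -f2; }

# Whole days left until the given notAfter value, relative to "now" in epoch seconds.
# "now" defaults to the current time; callers and tests may pin a fixed clock.
# Returns 2 when the date cannot be parsed.
days_until_expiry() {
  local not_after="$1" now="${2:-$(date +%s)}" expiry
  expiry=$(date -u -d "$not_after" +%s) || return 2
  echo $(( (expiry - now) / 86400 ))
}

# Exit 0 when the certificate is inside the renewal window (or already expired).
needs_renewal() {
  local days
  days=$(days_until_expiry "$1" "${2:-$(date +%s)}") || return 2
  [ "$days" -le "$RENEW_WITHIN_DAYS" ]
}

# Run certbot; the deploy hook reloads nginx only if a certificate was actually renewed.
renew_certificate() {
  "$CERTBOT" renew --noninteractive --agree-tos \
    --deploy-hook "systemctl reload nginx" >> "$LOG_FILE" 2>&1
}

main() {
  local not_after days
  if [ ! -r "$CERTIFICATE_PATH" ]; then
    log "Certificate $CERTIFICATE_PATH not found or not readable"
    return 1
  fi
  not_after=$(cert_not_after "$CERTIFICATE_PATH")
  if ! days=$(days_until_expiry "$not_after"); then
    log "Could not parse expiry date '$not_after' for $DOMAIN"
    return 1
  fi
  if needs_renewal "$not_after"; then
    log "Certificate for $DOMAIN expires in $days day(s); attempting renewal"
    if renew_certificate; then
      log "Renewal run for $DOMAIN completed successfully"
    else
      log "Renewal run for $DOMAIN failed; see certbot output above"
      return 1
    fi
  else
    log "Certificate for $DOMAIN is valid for $days more day(s); no renewal needed"
  fi
}

# Only run the check when invoked as "ssl-check.sh run", so the functions can
# also be sourced and tested without touching the live certificate or log.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Save it as, for example, ssl-check.sh, make it executable and run it with sudo ./ssl-check.sh run; to schedule it, a cron entry such as "0 3 * * * /opt/ssl-check.sh run" (path assumed) is enough. Before adding a scheduler, check systemctl list-timers certbot.timer: the Ubuntu certbot package already installs a systemd timer that runs certbot renew twice a day, and two schedulers renewing the same certificate only add noise to the log.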
Step #3: Make file executable
Change the file permissions to make it executable using the chmod command.
chmod +x ssl.sh
Step #4: Run the script
Run the script by executing the following command.
sudo ./ssl.sh
Let's verify whether the certificate was renewed by reading the /var/log/certbot-renewal.log file.
sudo cat /var/log/certbot-renewal.log
It shows that the SSL certificate for “practice-cert.tech” is valid and doesn’t require renewal at this time.
Conclusion:
Automating SSL certificate renewal is essential for maintaining the security and reliability of websites. By implementing the script outlined in this article, website administrators can ensure that SSL certificates are always up to date without manual intervention. This not only enhances security but also minimizes the risk of service disruptions due to expired certificates.