Shell Script to renew SSL Certificate

In this article, we will learn how to automate SSL certificate renewal using a shell script. SSL certificates are essential for securing websites and ensuring encrypted communication between servers and clients. Manually renewing SSL certificates is time-consuming and prone to human error. Automating the process streamlines certificate management, reduces the risk of expiration-related outages, and keeps your web infrastructure continuously secured.

Prerequisites

  • AWS Account with Ubuntu 24.04 LTS EC2 Instance.
  • Basic knowledge of Shell scripting.

Step #1: Install Certbot on Ubuntu

Update the system packages.

sudo apt update

Now let’s install Certbot. Certbot is a free and open-source tool that automates obtaining and renewing SSL/TLS certificates.

sudo apt install certbot python3-certbot-nginx

Step #2: Create a file in Ubuntu

Open the terminal and use the nano command to create a new file.

nano ssl.sh

Step #2: Write Shell script for SSL Certificate Renewal

Add the script for SSL certificate renewal.

#!/bin/bash

# Define domain and email variables
DOMAIN="practice-cert.tech"
EMAIL="[email protected]"

# Define the path to the Certbot executable
LE_SCRIPT="/usr/bin/certbot"

# Define the path to the SSL certificate (the full chain Certbot maintains for the domain)
CERTIFICATE_PATH="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"

# Define the path to the certificate renewal log file
LOG_FILE="/var/log/certbot-renewal.log"

# Check if the certificate needs renewal.
# --dry-run simulates the renewal without saving any certificate; its output is
# appended to the log (>> rather than >, so earlier runs are not overwritten).
if ! "$LE_SCRIPT" renew --dry-run >> "$LOG_FILE" 2>&1; then

    # Certificate needs renewal, execute renewal
    echo "$(date +"%Y-%m-%d %H:%M:%S") - Certificate for $DOMAIN needs renewal" >> "$LOG_FILE"

    # Execute certificate renewal (certbot renew only replaces certificates that are due)
    "$LE_SCRIPT" renew --noninteractive --agree-tos --email "$EMAIL" >> "$LOG_FILE" 2>&1

    # Check if renewal was successful
    if [ $? -eq 0 ]; then
        echo "$(date +"%Y-%m-%d %H:%M:%S") - Certificate for $DOMAIN successfully renewed" >> "$LOG_FILE"

        # Restart web server to apply changes
        systemctl restart nginx
    else
        echo "$(date +"%Y-%m-%d %H:%M:%S") - Certificate renewal for $DOMAIN failed" >> "$LOG_FILE"
    fi
else

    # Certificate doesn't need renewal
    echo "$(date +"%Y-%m-%d %H:%M:%S") - Certificate for $DOMAIN is up to date, no renewal needed" >> "$LOG_FILE"
fi

Save the file and exit the editor.

Explanation of the script:

The script starts with the shebang (#!/bin/bash), which indicates that the script should be executed using the Bash shell.

Variable Definitions

  • DOMAIN: Specifies the domain for which the SSL certificate is issued.
  • EMAIL: Email address for receiving notifications from Let’s Encrypt.
  • LE_SCRIPT: Path to the Certbot executable, which manages SSL certificate issuance and renewal.
  • CERTIFICATE_PATH: Path to the SSL certificate. This is where Certbot stores the full chain of certificates for the specified domain.
  • LOG_FILE: Path to the log file where renewal activities and outcomes are recorded.

Renewal Check

  • The certbot renew --dry-run command checks if the certificate needs renewal by performing a dry run (--dry-run). A dry run simulates the renewal process without making any changes. The output is logged to LOG_FILE.
  • The if statement checks the result of the dry run. If it fails (returns a non-zero exit status), the script proceeds to renew the certificate.

Certificate Renewal

  • Logs that the certificate needs renewal.
  • Executes the actual certificate renewal with the renew command.
    • --noninteractive: Runs the command in a non-interactive mode, suitable for automation.
    • --agree-tos: Automatically agrees to the Let’s Encrypt terms of service.
    • --email $EMAIL: Specifies the email address for notifications.

Post-Renewal Actions

  • Checks the exit status ($?) of the renew command.
    • If 0 (success), logs that the renewal was successful.
    • Restarts the Nginx web server (systemctl restart nginx) to apply the updated certificate.
    • If the renewal failed, logs the failure.

No Renewal Needed

  • If the dry run succeeds (the certificate doesn’t need renewal), logs that no renewal is necessary.
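As an added example (not the article's own script), here is a variant that decides on renewal from the certificate's real expiry date with openssl x509 -checkend rather than from the exit status of a dry run, and that lets certbot's --deploy-hook reload nginx only when a certificate was actually replaced. The domain, the paths and the 30-day threshold are assumptions carried over from the article.

```shell
#!/bin/bash
# Added example, not the article's script: decide on renewal from the certificate's
# real expiry date (openssl x509 -checkend) instead of from a certbot dry run, and
# reload nginx only when certbot actually replaced a certificate (--deploy-hook).
set -u

DOMAIN="${DOMAIN:-practice-cert.tech}"                 # assumed domain, as in the article
CERT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
LOG_FILE="${LOG_FILE:-/var/log/certbot-renewal.log}"
RENEW_WITHIN_DAYS=30   # Let's Encrypt certificates live 90 days; renew in the last 30

log() { printf '%s - %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG_FILE"; }

# cert_expires_within FILE DAYS
#   returns 0 if the certificate in FILE expires within DAYS days (renewal is due),
#   1 if it is valid for longer, 2 if FILE is missing or not a parsable certificate.
cert_expires_within() {
    local cert="$1" days="$2"
    [ -r "$cert" ] || return 2
    openssl x509 -in "$cert" -noout -enddate >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the cert is still valid after the period, nonzero if not
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Renew only when due. certbot skips certificates that are not yet due anyway, and the
# deploy hook runs only for certificates that were really renewed, so nginx is not
# restarted needlessly (a reload keeps existing connections open, unlike a restart).
run_renewal() {
    cert_expires_within "$CERT" "$RENEW_WITHIN_DAYS"
    case $? in
        1) log "Certificate for $DOMAIN is valid for more than $RENEW_WITHIN_DAYS days, nothing to do"; return 0 ;;
        2) log "Cannot read a certificate at $CERT, aborting"; return 2 ;;
    esac
    log "Certificate for $DOMAIN expires within $RENEW_WITHIN_DAYS days, running certbot renew"
    if certbot renew --non-interactive --quiet --cert-name "$DOMAIN" \
            --deploy-hook "systemctl reload nginx" >> "$LOG_FILE" 2>&1; then
        log "Renewal for $DOMAIN succeeded"
    else
        log "Renewal for $DOMAIN FAILED, see certbot output above"; return 1
    fi
}

# Only act when invoked as "./ssl-renew.sh renew" (e.g. daily from cron or a systemd timer).
case "${1:-}" in
    renew) run_renewal ;;
esac
```

Schedule it with `sudo ./ssl-renew.sh renew` from a daily cron entry; the expiry check runs without contacting Let's Encrypt, so a run on a certificate that is not yet due costs nothing but a log line.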

Step #3: Make file executable

Change the file permissions to make it executable using the chmod command.

chmod +x ssl.sh

Step #4: Run the script

Run the script by executing the following command.

sudo ./ssl.sh

Let’s verify whether the certificate was renewed by checking the /var/log/certbot-renewal.log file.

sudo cat /var/log/certbot-renewal.log

It shows that the SSL certificate for “practice-cert.tech” is valid and doesn’t require renewal at this time.

Conclusion:

Automating SSL certificate renewal is essential for maintaining the security and reliability of websites. By implementing the script outlined in this article, website administrators can ensure that SSL certificates are always up to date without manual intervention. This not only enhances security but also minimizes the risk of service disruptions due to expired certificates.


Prasad Hole
