Automating Let’s Encrypt certificate renewal on non-standard servers

Wednesday the 27th of December, 2017

I run an IRC bouncer to allow me to maintain a single, consistent presence on IRC. I wanted to ensure that all my connections to it were encrypted.

Encrypting connections to your servers used to require complicated configuration and buying expensive SSL certificates. Thanks to Let’s Encrypt, encrypting web traffic is much easier, and entirely free!

Unfortunately, my IRC bouncer (ZNC) isn’t one of the servers that certbot (Let’s Encrypt’s official client) supports out of the box or for which there are third-party plugins, so I had to do some work to automate getting, installing, and updating the certificates. Since it involved some effort, I thought it was worth writing it up here.

How certbot works with non-standard servers

If your server occupies one of the ports certbot needs for its challenge (80 or 443) and has no way to serve extra files, you have to stop the server, run certbot in “standalone” mode (certbot spins up its own temporary web server to answer the challenge), put the issued certificate somewhere your server can find it, and start the server again. And you have to repeat this regularly: Let’s Encrypt certificates are valid for 90 days, and certbot renews them once fewer than 30 days remain, so in practice about every 60 days.

The scheduling side is clearly documented: configure cron (or another scheduler) to run certbot renew at least once a day (certbot’s own docs suggest twice daily), and it will renew any certificate with less than 30 days left. When nothing is due it exits without touching anything, so running it often is harmless.

Automating certificate renewal

The trick is that certbot lets you attach three hooks to each certificate it manages, recorded in that certificate’s renewal configuration file (or passed on the command line as --pre-hook, --post-hook and --deploy-hook): a pre-renewal script, a post-renewal script, and a certificate-deployment script. The pre and post hooks only fire when a renewal is actually attempted, so the bouncer is not restarted on the nights nothing is due; the deploy hook runs only after a certificate has been successfully issued.

In my case, the pre-renewal script stops the IRC bouncer and the post-renewal script starts it again.

The deploy script has a slightly more complex job. certbot tells it which certificate was just renewed through environment variables (RENEWED_LINEAGE, the path to the live directory, and RENEWED_DOMAINS, the space-separated domain names), so the script first checks that the renewed domain is the one it expects, and then concatenates the private key and the full certificate chain into the single PEM file that ZNC reads.

Automating SSL certificate renewal with certbot is easy

I’m really pleased that I managed to encrypt my ZNC server’s traffic (for free!), and don’t have to worry about updating certificates by hand. Being able to add encryption so easily means that even services with minuscule user bases can benefit from the increased privacy it brings.

All the code for my ZNC setup is open and MIT licensed, so feel free to reuse it. If you have questions or suggestions, open an issue or pull request on GitHub, or let me know on Twitter.