Automating Let’s Encrypt certificate renewal on non-standard servers
I run an IRC bouncer to allow me to maintain a single, consistent presence on IRC. I wanted to ensure that all my connections to it were encrypted.
Encrypting connections to your servers used to require complicated configuration and buying expensive SSL certificates. Thanks to Let’s Encrypt, encrypting web traffic is much easier, and entirely free!
Unfortunately, my IRC bouncer (ZNC) isn’t one of the
certbot (Let’s Encrypt’s official client) supports out
or for which there are third-party
so I had to do some work to automate getting, installing, and updating
the certificates. Since it involved some effort, I thought it was worth
writing it up here.
certbot works with non-standard servers
For a server using the ports
certbot needs for renewal (80 or 443)
and without a way to serve extra files, you have to stop the server,
certbot in “standalone”
mode (where it
runs its own web server for the certificate issuing process), put the
certificate somewhere your server can find it, and restart the server
process. And you have to do this every 60-90 days, because that’s how
long Let’s Encrypt certificates are valid
The actual auto-renewal itself is pretty clearly
cron (or some other tool for scheduled tasks) to run
certbot renew every night, and it’ll auto-renew any certificates due
to expire in less than 30 days.
Automating certificate renewal
The trick is that
certbot allows us to configure, in the renewal configuration
file, pre-renewal, post-renewal, and certificate-deployment
scripts for each domain we’re managing certificates for.
In my case, the pre-renewal script stops the IRC bouncer and the post-renewal script starts it again.
The deploy script has a slightly more complex job: it makes sure the renewed domain is the one it expects, and merges the various parts of the certificate into a single file in the format that my IRC bouncer expects.
Automating SSL certificate renewal with
certbot is easy
I’m really pleased that I managed to encrypt my ZNC server’s traffic (for free!), and don’t have to worry about updating certificates by hand. Being able to add encryption so easily means that even services with minuscule user bases can benefit from the increased privacy it brings.
All the code for my ZNC setup is open and MIT licensed, so feel free to reuse it. If you have questions or suggestions, open an issue or pull request on GitHub, or let me know on Twitter.