Does Let's Encrypt renew automatically? Update wildcard certificate renewal script

After solving the "Failed to apply to install Let's Encrypt, Error Message: AutoSSL Issue Failed" DNS problem last time, this free SSL certificate still has some problems to solve.

Originally, it seemed that CWP Control Panel automatically renewed the Let's Encrypt certificate before it expired. However, yesterday, Let's Encrypt did not automatically renew the certificate. SEO traffic dropped sharply, but fortunately it can be recovered once the problem is fixed.

What is Let's Encrypt?

Let's Encrypt is a free, automated and open Certificate Authority (CA) provided by the non-profit Internet Security Research Group (ISRG).

Simply put, HTTPS (SSL/TLS) can be enabled for our website for free with the help of a certificate issued by Let's Encrypt.

The issuance/renewal of Let's Encrypt free certificates is automated by scripts. Let's Encrypt officially recommends using the Certbot client to issue certificates.

What is a Let's Encrypt wildcard certificate?

Before wildcard certificates appeared, Let's Encrypt only supported two types of certificate:

  1. Single Domain Certificate: the certificate contains only one host.
  2. SAN certificate: also known as domain name certificate; one certificate can include multiple hosts (Let's Encrypt limit is 20).

For individual users, since there are not too many hosts, there is no problem at all using SAN certificates, but for large companies there are some problems:

  1. There are a lot of subdomains, and a new host may be required over time.
  2. There are also a lot of registered domains.

For large enterprises, SAN certificates may not meet their needs: all hosts have to be contained in one certificate, which Let's Encrypt certificates cannot accommodate (limit 20).

Wildcard certificates are certificates that can contain a wildcard:

  • For example, *.example.com and *.example.cn use * to automatically match all subdomains;
  • Large enterprises can also use wildcard certificates, and one SSL certificate can cover more hosts.

Difference between wildcard certificate and SAN certificate

  1. Wildcard Certificates - Wildcard certificates are widely used to protect multiple subdomains under a unique fully qualified domain name. The benefit of this type of certificate is that not only does it make managing certificates easy, but it also helps you reduce your overhead costs. It protects your current and future subdomains at all times.
  2. SAN certificates - SAN certificates (also known as multi-domain certificates) are used to secure multiple domains with a single certificate. They differ from wildcard certificates, which support unlimited subdomains: a SAN certificate only supports the fully qualified domain names entered in the certificate. SAN certificates are impressive because using them you can protect over 100 different fully qualified domain names with a single certificate; however, the amount of protection depends on the issuing certificate authority.
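
Under the hostname matching rules of RFC 6125, the * in a wildcard name stands for exactly one left-most label, so *.example.com covers neither example.com itself nor a.b.example.com. The following is an added example, not code from the original post; the function names are hypothetical. It reports which hostnames a certificate's name list leaves uncovered.

```bash
#!/usr/bin/env bash
# Added example: which hostnames does a certificate's name list really cover?

# name_covers NAME HOST: succeed if certificate name NAME covers HOST.
name_covers() {
  local name host suffix label
  name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')   # DNS names are
  host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')   # case-insensitive
  case "$name" in
    '*.'*)
      suffix=${name#\*}                # "*.example.com" -> ".example.com"
      case "$host" in
        *"$suffix") label=${host%"$suffix"} ;;
        *) return 1 ;;
      esac
      # "*" stands for exactly one non-empty label, so no dot may remain
      case "$label" in
        ''|*.*) return 1 ;;
        *) return 0 ;;
      esac ;;
    *) [ "$name" = "$host" ] ;;
  esac
}

# uncovered NAMES HOST...: print each HOST that no name in the space-separated
# NAMES list covers; succeed only if every HOST is covered.
uncovered() {
  local names="$1" host name hit missing=0
  shift
  for host in "$@"; do
    hit=0
    set -f                             # keep "*" in NAMES from globbing
    for name in $names; do
      if name_covers "$name" "$host"; then hit=1; fi
    done
    set +f
    if [ "$hit" -eq 0 ]; then echo "$host"; missing=1; fi
  done
  return "$missing"
}

# Constructed demo: a wildcard-only certificate misses the apex and nested names
uncovered '*.example.com' example.com www.example.com a.b.example.com || true
```

A certificate meant to serve both the bare domain and its subdomains therefore needs both names, for example *.example.com and example.com.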

How to apply for a Let's Encrypt wildcard certificate?

In order to implement wildcard certificates, Let's Encrypt has upgraded the implementation of the ACME protocol, and only the v2 protocol can support wildcard certificates.

That is to say, any client can apply for a wildcard certificate as long as it supports ACME v2.

Download Certbot-Auto

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto --version

Let's Encrypt Wildcard Certificate Script

git clone https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au
cd certbot-letencrypt-wildcardcertificates-alydns-au
# au.sh runs as a certbot hook (as root from cron): keep it writable only by its owner
chmod 0755 au.sh

Scheduled renewal script for expiring Let's Encrypt wildcard certificates

The script here is for a server where nginx is compiled and installed from source or installed through Docker, with HTTPS proxied through the host proxy or a load-balancing host. It automatically backs up the SSL certificate and restarts the Nginx proxy server.

  • Note: The script actually uses the ./certbot-auto renew command.
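#!/usr/bin/env bash
# Renew Let's Encrypt wildcard certificates (DNS challenge), then deploy them.

cmd="$HOME/certbot-auto"
# Restart the Nginx container so it loads the renewed certificate
restartNginxCmd="docker restart ghost_nginx_1"
action="renew"
# au.sh hooks: add the DNS challenge record, then clean it up afterwards
auth="$HOME/certbot/au.sh php aly add"
cleanup="$HOME/certbot/au.sh php aly clean"
# Runs only after a successful renewal: back up the certificates, restart Nginx
deploy="cp -r /etc/letsencrypt/ /home/pi/dnmp/services/nginx/ssl/ && $restartNginxCmd"

# Each option and its value are separate arguments; every continued line
# needs a space before the trailing backslash.
"$cmd" "$action" \
  --manual \
  --preferred-challenges dns \
  --deploy-hook "$deploy" \
  --manual-auth-hook "$auth" \
  --manual-cleanup-hook "$cleanup"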

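Add it to crontab by editing this file:

/etc/crontab

# The certificate is only renewed when it has fewer than 30 days of validity left, so the crontab can be set to run every day or every week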
0 0 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && /home/pi/crontab.sh
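
A renewal job that silently stops working, as happened at the start of this post, can be caught before the certificate expires by checking the deployed certificate's remaining validity. The following is an added example, not part of the original script: the 20-day threshold, the function names, the check-cert.sh file name and the demo certificate are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). certbot renews once fewer than
# 30 days remain, so fewer than WARN_DAYS (< 30) left means renewal is failing.
WARN_DAYS="${WARN_DAYS:-20}"          # assumed alert threshold, in days

# cert_status PEM [WARN_DAYS]: prints one word and returns
#   0 OK, 1 RENEWAL_OVERDUE, 2 EXPIRED, 3 UNREADABLE
cert_status() {
  local pem="$1" warn="${2:-$WARN_DAYS}"
  if ! openssl x509 -noout -in "$pem" >/dev/null 2>&1; then
    echo UNREADABLE; return 3
  fi
  # -checkend N exits non-zero if the certificate expires within N seconds
  if ! openssl x509 -noout -checkend 0 -in "$pem" >/dev/null; then
    echo EXPIRED; return 2
  fi
  if ! openssl x509 -noout -checkend "$((${warn} * 86400))" -in "$pem" >/dev/null; then
    echo RENEWAL_OVERDUE; return 1
  fi
  echo OK
}

# check_all PEM...: report every file and return the worst status seen, so a
# cron job running this exits non-zero and prints which certificate is stale
check_all() {
  local worst=0 rc pem status
  for pem in "$@"; do
    status=$(cert_status "$pem") && rc=0 || rc=$?
    printf '%s %s\n' "$status" "$pem"
    if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
  done
  return "$worst"
}

# make_demo_cert OUT_PEM DAYS: constructed self-signed certificate for testing
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
    -days "$2" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Usage (hypothetical file name): ./check-cert.sh /path/to/fullchain.pem ...
if [ "$#" -gt 0 ]; then check_all "$@"; exit $?; fi
```

Point it at the certificate files Nginx actually serves (the copy made by the deploy hook) rather than only at /etc/letsencrypt, so a failed copy or restart is noticed as well.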

CWP server configuration rebuild

Here are the steps for CWP to rebuild the nginx/apache server:

Step 1: On the left side of the CWP Control Panel, click WebServer Settings → Select WebServers.

Step 2: Select Nginx & Varnish & Apache.

Step 3: Click the "Save & Rebuild Configuration" button at the bottom to save and rebuild the configuration.

  • Refresh the website and you will see that the expiration date of the SSL certificate has been updated.

Hope that "Let's Encrypt does not automatically renew? Update Wildcard Certificate Renewal Script", shared by Chen Weiliang Blog ( https://www.chenweiliang.com/ ), helps you.

Welcome to share the link of this article: https://www.chenweiliang.com/cwl-1199.html
