Set Up SSL Certificate Auto-Renewal with Certbot on Ubuntu VPS

By Raman Kumar

Updated on Apr 27, 2026

SSL Certificate Auto-Renewal Prerequisites

Before setting up SSL certificate auto-renewal on your Ubuntu VPS, verify that Certbot is installed and has successfully issued certificates for your domain. Check your existing certificates by running certbot certificates. You'll see output showing certificate paths and expiration dates.

Your domain must point to the VPS IP address through DNS. Certbot needs to reach your server during renewal to verify domain ownership.

Test this by accessing your site via HTTPS.

For VPS hosting customers running production websites, Hostperl VPS hosting provides the reliability and control needed for certificate management.

Install and Configure Certbot

Install Certbot and the appropriate plugin for your web server. For Apache:

sudo apt update
sudo apt install certbot python3-certbot-apache

For Nginx users:

sudo apt update
sudo apt install certbot python3-certbot-nginx

Test Certbot's renewal process manually before automating it:

sudo certbot renew --dry-run

This dry run simulates renewal without actually requesting new certificates.

Success here means your renewal automation will work correctly.

Create the Auto-Renewal Cron Job

Configure automatic SSL certificate renewal using cron. Edit the root crontab:

sudo crontab -e

Add this line to run renewal checks twice daily:

0 12,0 * * * /usr/bin/certbot renew --quiet

This runs at midnight and noon. Certbot only renews certificates within 30 days of expiration, so frequent checks are safe.

For more comprehensive logging, use this enhanced version:

0 12,0 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl reload nginx" >> /var/log/certbot-renewal.log 2>&1

The post-hook reloads your web server after successful renewal.

Replace "nginx" with "apache2" if you're running Apache.

Verify Renewal Automation

Check that your cron job is scheduled correctly:

sudo crontab -l

Monitor the renewal log file to track automation activity:

sudo tail -f /var/log/certbot-renewal.log

Test the complete renewal process manually once more:

sudo certbot renew --force-renewal

This forces renewal regardless of expiration dates.

Use sparingly since Let's Encrypt has rate limits.

Handle Multiple Domains and Subdomains

If your VPS hosts multiple domains, Certbot manages them all through the same renewal process. List all certificates:

sudo certbot certificates

Each certificate entry shows which domains it covers.

Wildcard certificates cover all subdomains automatically.

Add new domains to existing certificates:

sudo certbot --expand -d example.com -d www.example.com -d api.example.com

The expand flag adds domains without creating duplicate certificates.

Advanced Renewal Configuration

Create a custom renewal configuration in /etc/letsencrypt/renewal-hooks/:

sudo mkdir -p /etc/letsencrypt/renewal-hooks/post
sudo nano /etc/letsencrypt/renewal-hooks/post/reload-services.sh

Add service reload commands:

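#!/bin/bash
# Reload or restart every service that reads the renewed certificate files.
systemctl reload nginx
systemctl restart postfix
# Record the reload so it can be matched against renewal times later.
echo "$(date): Services reloaded after certificate renewal" >> /var/log/ssl-renewal.log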

Make it executable:

sudo chmod +x /etc/letsencrypt/renewal-hooks/post/reload-services.sh

This script runs after every successful renewal.

It reloads all services that use SSL certificates.

Monitor Certificate Expiration

Set up monitoring to catch renewal failures. Create a simple check script:

sudo nano /usr/local/bin/check-ssl-expiry.sh

Add this content:

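#!/bin/bash
# Print each Certbot-managed certificate name with its expiry date and status.
for cert in $(certbot certificates 2>/dev/null | grep "Certificate Name:" | cut -d: -f2 | tr -d ' '); do
    # Quote the name and trim only leading spaces so the date stays readable.
    expiry=$(certbot certificates --cert-name "$cert" 2>/dev/null | grep "Expiry Date:" | cut -d: -f2- | sed 's/^ *//')
    echo "$cert: $expiry"
done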

Run weekly via cron to email certificate status:

0 9 * * 1 /usr/local/bin/check-ssl-expiry.sh | mail -s "SSL Certificate Status" admin@yourdomain.com
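The weekly mail above lists every certificate, healthy or not. As an added example (not part of the original guide), the function below reads certbot certificates output and prints only certificates that are invalid or have fewer than 20 days left, which means renewal has been failing. The function names, the 20-day threshold and the sample output are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example: flag certificates that should already have been renewed.
# Reads `certbot certificates` output on stdin, prints "name status" for each
# certificate below the threshold, and returns 1 if anything was flagged.
flag_expiring() {
    # $1 = minimum acceptable days left (assumed default: 20, inside the
    # 30-day renewal window, so a hit means renewal attempts are failing).
    awk -v limit="${1:-20}" '
        BEGIN { bad = 0 }
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            # Fields: Expiry Date: <date> <time> (VALID: <n> days)
            if ($5 != "(VALID:")        { print name, "INVALID"; bad = 1 }
            else if ($7 ~ /^hour/)      { print name, "0d";      bad = 1 }
            else if ($6 + 0 < limit)    { print name, $6 "d";    bad = 1 }
        }
        END { exit bad }
    '
}

# Constructed sample in the format certbot prints; not captured from a real host.
sample_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2026-07-26 12:00:00+00:00 (VALID: 89 days)
  Certificate Name: api.example.com
    Domains: api.example.com
    Expiry Date: 2026-05-10 08:00:00+00:00 (VALID: 12 days)
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2026-04-01 08:00:00+00:00 (INVALID: EXPIRED)
  Certificate Name: mail.example.com
    Domains: mail.example.com
    Expiry Date: 2026-04-28 03:00:00+00:00 (VALID: 5 hour(s))
EOF
}

# Demo run on the sample; on a server, pipe in: certbot certificates 2>/dev/null
sample_output | flag_expiring 20 || echo "Renewal is overdue for the certificates listed above"
```

Because the function returns non-zero only when something is flagged, a cron wrapper can send mail on failure instead of every week.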

Troubleshoot Common Renewal Issues

Check Certbot logs when renewal fails:

sudo tail -50 /var/log/letsencrypt/letsencrypt.log

Common issues include:

  • DNS propagation delays - wait 24 hours after DNS changes
  • Firewall blocking HTTP/HTTPS - verify ports 80 and 443 are open
  • Web server configuration conflicts - test with nginx -t or apache2ctl configtest
  • Rate limiting - space out renewal attempts

For hosting environments requiring robust infrastructure monitoring, the Advanced Server Monitoring Strategies guide covers comprehensive observability patterns.

Security Considerations for Production

Secure your renewal process with proper file permissions:

sudo chmod 600 /etc/letsencrypt/archive/*/privkey*.pem
sudo chown root:root /etc/letsencrypt/archive/*/privkey*.pem

Enable systemd service monitoring for renewal processes:

sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer

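This uses systemd instead of cron for more robust scheduling and logging. If you rely on the timer, remove the renewal line from the root crontab so the job is not scheduled twice.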

Implement proper server hardening alongside certificate management. The Linux Server Hardening Checklist provides essential security controls for production environments.

Backup Certificate Configuration

Back up your entire Let's Encrypt configuration directory:

sudo tar -czf /backup/letsencrypt-$(date +%Y%m%d).tar.gz /etc/letsencrypt/

The archive contains your private keys, so store backups securely offsite.

Include this in your regular backup routine.

Document your certificate setup in your runbook.

Clear procedures save critical time during outages.
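The permission commands under Security Considerations and the tar backup above both handle private key material, and an archive written with the default umask is often world-readable. As an added example (not part of the original guide), the function below lists private keys and backup archives that group or other users can access. The function names and the temporary demo tree are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example: find private keys and Let's Encrypt backup archives whose
# mode grants any access to group or others. Prints the offending paths and
# returns 1 if any exist. Symlinks under live/ are skipped (-type f); the
# real key files are under archive/.
audit_key_exposure() {
    keydir="${1:-/etc/letsencrypt}"   # where Certbot stores keys
    backupdir="${2:-/backup}"         # where the tar backups are written
    found=$(
        for dir in "$keydir" "$backupdir"; do
            [ -d "$dir" ] || continue
            find "$dir" -type f \
                \( -name 'privkey*.pem' -o -name 'letsencrypt-*.tar.gz' \) \
                \( -perm -040 -o -perm -020 -o -perm -010 \
                   -o -perm -004 -o -perm -002 -o -perm -001 \)
        done | sort
    )
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed demo layout in a temp directory; nothing under /etc is touched.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/letsencrypt/archive/example.com" "$t/backup"
    : > "$t/letsencrypt/archive/example.com/privkey1.pem"
    : > "$t/letsencrypt/archive/example.com/privkey2.pem"
    : > "$t/backup/letsencrypt-20260427.tar.gz"
    chmod 600 "$t/letsencrypt/archive/example.com/privkey1.pem"  # correct
    chmod 640 "$t/letsencrypt/archive/example.com/privkey2.pem"  # group-readable
    chmod 644 "$t/backup/letsencrypt-20260427.tar.gz"            # world-readable
    echo "$t"
}

tree=$(make_demo_tree)
audit_key_exposure "$tree/letsencrypt" "$tree/backup" \
    || echo "Restrict the files listed above to mode 600, owner root"
rm -rf "$tree"
```

Running the backup command under umask 077 keeps new archives out of this list.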

Running SSL certificates on a production VPS requires reliable infrastructure that won't fail during critical renewal processes. Hostperl VPS hosting provides the uptime and performance needed for certificate automation. Our New Zealand-based support team understands the importance of maintaining valid certificates for business continuity.

Frequently Asked Questions

How often should I run certificate renewal checks?

Run renewal checks twice daily. Certbot only renews certificates within 30 days of expiration.

Frequent checks ensure you never miss a renewal window.

What happens if renewal fails?

Certbot logs failures to /var/log/letsencrypt/letsencrypt.log. Set up monitoring to alert you of failures.

Most issues involve DNS propagation or temporary server unavailability.

Can I renew certificates manually if automation fails?

Yes, run sudo certbot renew manually at any time. For urgent renewals, use sudo certbot renew --force-renewal.

Avoid overusing this due to rate limits.

Do I need to restart my web server after renewal?

Usually just reload: sudo systemctl reload nginx or sudo systemctl reload apache2.

Full restarts aren't necessary unless you have configuration issues.

How long before expiration does Certbot renew certificates?

Certbot renews certificates when they have 30 days or less remaining.

This provides a safety buffer for any renewal issues.