# Renewing certificates

If your RPort server runs with Let's Encrypt certificates, the certificates need to be renewed before they expire. On Debian and Ubuntu Linux, `certbot` comes with an auto-renewal job, but this job needs some fine-tuning to work properly with RPort.

{% hint style="danger" %}
Starting with RPort 0.9.0 the below hooks are deployed by default by the server installer script. **If you installed before August 2022, review and change your hooks manually.**
{% endhint %}

### Check the scheduler

On Debian and Ubuntu, the `certbot` package should have installed a systemd timer that checks all certificates for renewal twice a day. Check that the file `/lib/systemd/system/certbot.timer` exists. The command `systemctl list-timers` tells you when `certbot.timer` last ran and when it will run next.

![Systemd timer last run](https://1142160776-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MekeI9EovpQqbUTQSdM%2Fuploads%2F62XmjFarSkhDYlszel41%2Fcertbot-timer.png?alt=media\&token=1dd76531-9a0a-4819-b70a-f3d5d71932bd)

### Create hook files

With the default settings, `certbot` cannot renew your certificates. A renewal must be validated by the so-called [http-01 challenge](https://letsencrypt.org/de/docs/challenge-types/#http-01-challenge), for which `certbot` brings up a temporary web server on port 80. Let's Encrypt policy does not allow this challenge on any other port. Usually RPort itself listens on port 80, so `certbot` cannot bind the port and the renewal fails. You must teach `certbot` how to stop RPort before the renewal and how to start RPort again afterwards.

{% hint style="success" %}
The below stop and start actions are only **executed if a renewal is due**. They are not executed every time the certbot timer runs.

By default `certbot` renews 30 days before expiry. With 90-day Let's Encrypt certificates this means the hooks are executed roughly every 60 days.
{% endhint %}

Execute the below script on your RPort server from the root account to create the hooks.

```bash
# Pre-hook: certbot runs this right before it attempts a renewal
cat << 'EOF' > /etc/letsencrypt/renewal-hooks/pre/rport.sh
#!/bin/sh
echo "Stopping rportd for certificate renewal"|logger -t certbot
systemctl stop rportd
EOF
chmod +x /etc/letsencrypt/renewal-hooks/pre/rport.sh

# Post-hook: certbot runs this after the renewal attempt, successful or not
cat << 'EOF' > /etc/letsencrypt/renewal-hooks/post/rport.sh
#!/bin/sh
echo "Starting rportd after certificate renewal"|logger -t certbot
systemctl start rportd
EOF
chmod +x /etc/letsencrypt/renewal-hooks/post/rport.sh
```

From now on, `certbot` will renew the certificates automatically.

{% hint style="danger" %}
You need the above hooks even if RPort is not running on port 80. Without the restart, the renewed certificate is not loaded into the web server of rportd and it keeps serving the old one until it expires.
{% endhint %}
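To verify that the setup described above is complete before relying on the timer, the following check script can be run on the server. It is an added example and not part of RPort or the installer; it assumes the hook paths used on this page and that the hook root is `/etc/letsencrypt` unless `LE_ROOT` is set otherwise.

```sh
#!/bin/sh
# Added example: verify the certbot renewal hooks for rportd and the timer.
# Assumption: hook files live under $LE_ROOT/renewal-hooks/{pre,post}/rport.sh
# as described on this page. LE_ROOT defaults to /etc/letsencrypt.
LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"

# hook_ok <file> <systemctl verb>
# Returns 0 if the hook exists, is executable and runs "systemctl <verb> rportd".
hook_ok() {
    f="$1"
    verb="$2"
    if [ ! -f "$f" ]; then
        echo "missing hook: $f"
        return 1
    fi
    if [ ! -x "$f" ]; then
        echo "hook is not executable (chmod +x needed): $f"
        return 1
    fi
    if ! grep -q "systemctl $verb rportd" "$f"; then
        echo "hook does not run 'systemctl $verb rportd': $f"
        return 1
    fi
    return 0
}

# check_hooks <letsencrypt root>
# Returns 0 only if both the pre (stop) and post (start) hooks are sane.
check_hooks() {
    root="$1"
    rc=0
    hook_ok "$root/renewal-hooks/pre/rport.sh" stop || rc=1
    hook_ok "$root/renewal-hooks/post/rport.sh" start || rc=1
    return $rc
}

# check_timer: the certbot systemd timer must exist and be active.
# Only meaningful on the server itself; skipped where systemctl is absent.
check_timer() {
    if ! command -v systemctl >/dev/null 2>&1; then
        echo "systemctl not available, skipping timer check"
        return 0
    fi
    if [ ! -f /lib/systemd/system/certbot.timer ]; then
        echo "certbot.timer unit file not found"
        return 1
    fi
    if ! systemctl is-active --quiet certbot.timer; then
        echo "certbot.timer is not active (systemctl enable --now certbot.timer)"
        return 1
    fi
    return 0
}

# Top-level run: report, do not abort, so the script can also be sourced.
if check_hooks "$LE_ROOT" && check_timer; then
    echo "rportd renewal hooks and certbot timer look good"
else
    echo "fix the issues above before relying on auto-renewal"
fi
```

A full end-to-end test is `certbot renew --dry-run`: it performs a test renewal against the Let's Encrypt staging environment and does execute the pre and post hooks, so rportd will be stopped and started once while it runs. Do that in a maintenance window rather than during working hours.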

