Renewing certificates

Set up auto-renewal of Let's Encrypt certificates

If your RPort server runs with Let's Encrypt certificates, they must be renewed before they expire (Let's Encrypt certificates are valid for 90 days). On Debian and Ubuntu Linux, the certbot package comes with an auto-renewal job, but this job needs some fine-tuning to work with RPort.

Check the scheduler

On Debian and Ubuntu, the certbot package installs a systemd timer that checks all certificates for renewal twice a day. Check that the file /lib/systemd/system/certbot.timer exists. The command systemctl list-timers shows when certbot.timer last ran and when it will run next.

Screenshot: systemd timer last run

Create hook files

With the default settings, certbot cannot renew your certificates. The renewal must be confirmed by a so-called http-01 challenge, for which certbot brings up a temporary web server on port 80. The policies of Let's Encrypt do not allow a different port for this challenge. RPort usually occupies port 80 itself, so certbot cannot bind it and the renewal fails. You must teach certbot how to stop RPort before the renewal and how to start RPort again afterwards.

Execute the script below on your RPort server as root to create the hooks.

```bash
# Pre hook: certbot runs it before trying to obtain the renewed certificate.
# The quoted 'EOF' keeps the shell from expanding anything inside the heredoc.
cat << 'EOF' > /etc/letsencrypt/renewal-hooks/pre/rport.sh
#!/bin/sh
echo "Stopping rportd for certificate renewal"|logger -t certbot
systemctl stop rportd
EOF
chmod +x /etc/letsencrypt/renewal-hooks/pre/rport.sh

# Post hook: certbot runs it after the renewal attempt, whether it succeeded or not.
cat << 'EOF' > /etc/letsencrypt/renewal-hooks/post/rport.sh
#!/bin/sh
echo "Starting rportd after certificate renewal"|logger -t certbot
systemctl start rportd
EOF
chmod +x /etc/letsencrypt/renewal-hooks/post/rport.sh
```
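The two hooks above always stop and always start rportd. That has one rough edge: if an administrator had deliberately stopped rportd (for maintenance, or after an incident), the post hook silently brings it back up, because certbot runs post hooks regardless of whether the renewal succeeded. The following variant is an added example, not part of the RPort documentation: the pre hook stops rportd only when it is actually active and leaves a marker file, and the post hook starts it only if that marker exists. The unit name rportd comes from the page; the marker path /run/certbot-rportd.stopped and the SYSTEMCTL/STATE_FILE/UNIT overrides are assumptions made here so the logic can be exercised without systemd.

```shell
#!/bin/sh
# Added example (not RPort's own hook scripts): state-aware certbot pre/post hooks.
# SYSTEMCTL, STATE_FILE and UNIT can be overridden from the environment; the
# defaults below are assumptions for a Debian/Ubuntu host running rportd as root.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
STATE_FILE="${STATE_FILE:-/run/certbot-rportd.stopped}"
UNIT="${UNIT:-rportd}"

# Log via syslog as the page's hooks do; fall back to stderr if logger is missing.
log_msg() {
    echo "$1" | logger -t certbot 2>/dev/null || echo "certbot: $1" >&2
}

# Pre hook: stop the unit only if it is running, and record that we did so.
# Returns 0 if the unit was stopped, 1 if there was nothing to stop.
rport_pre_hook() {
    rm -f "$STATE_FILE"
    if "$SYSTEMCTL" is-active --quiet "$UNIT"; then
        log_msg "Stopping $UNIT for certificate renewal"
        "$SYSTEMCTL" stop "$UNIT"
        : > "$STATE_FILE"
        return 0
    fi
    log_msg "$UNIT is not running, leaving it alone"
    return 1
}

# Post hook: certbot runs this even when the renewal failed, so it must be safe
# to call unconditionally. Start the unit only if the pre hook stopped it.
# Returns 0 if the unit was started, 1 if there was nothing to start.
rport_post_hook() {
    if [ -f "$STATE_FILE" ]; then
        rm -f "$STATE_FILE"
        log_msg "Starting $UNIT after certificate renewal"
        "$SYSTEMCTL" start "$UNIT"
        return 0
    fi
    return 1
}

# Dispatch on the first argument so one script serves both hook directories.
# A unit that was not running is not a renewal error, hence the "|| :".
case "${1:-}" in
    pre)  rport_pre_hook || : ;;
    post) rport_post_hook || : ;;
esac
```

Install the script once (for example as /usr/local/sbin/rport-certbot-hook) and put two one-line wrappers into /etc/letsencrypt/renewal-hooks/pre/ and /etc/letsencrypt/renewal-hooks/post/ that call it with the argument pre and post respectively. Because the marker lives in /run, a reboot between the pre and post hook clears it, which is the safe direction: nothing gets started that the pre hook did not stop.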

From now on, certbot will renew the certificates automatically. To verify the setup without waiting for the next renewal, run certbot renew --dry-run as root: the dry run executes the pre and post hooks (but not deploy hooks), so journalctl -t certbot should show the "Stopping rportd" and "Starting rportd" messages. Be aware that every real renewal stops rportd for the duration of the challenge, which briefly disconnects all clients, and that the post hook starts rportd again even if the renewal itself failed.
