# Renewing certificates

If your RPort server runs with Let's Encrypt certificates, the certificates need to be renewed before they expire. On Debian and Ubuntu Linux, `certbot` comes with an auto-renewal job, but this job needs some fine-tuning to work properly.

{% hint style="danger" %}
Starting with RPort 0.9.0, the hooks below are deployed by default by the server installer script. **If you installed before August 2022, review and change your hooks manually.**
{% endhint %}

### Check the scheduler

On Debian and Ubuntu, the `certbot` package should have installed a systemd timer that checks all certificates for renewal twice a day. Check that the file `/lib/systemd/system/certbot.timer` exists. The command `systemctl list-timers` should tell you when `certbot.timer` last ran.

![Systemd times last run](https://1142160776-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MekeI9EovpQqbUTQSdM%2Fuploads%2F62XmjFarSkhDYlszel41%2Fcertbot-timer.png?alt=media\&token=1dd76531-9a0a-4819-b70a-f3d5d71932bd)

### Create hook files

With the default settings, `certbot` cannot renew your certificates. The auto-renewal must be confirmed by a so-called [http-01 challenge](https://letsencrypt.org/de/docs/challenge-types/#http-01-challenge), for which certbot must bring up a temporary web server on port 80. The policies of Let's Encrypt don't allow using a different port. Usually RPort is using port 80, and therefore `certbot` cannot renew while RPort is running. You must teach `certbot` how to stop RPort before the renewal and how to start it again afterwards.

{% hint style="success" %}
The stop and start actions below are only **executed if a renewal is due**. They are not executed every time the certbot timer runs.

By default, certbot renews 30 days before expiry. This means the hooks are executed every 60 days.
{% endhint %}

Execute the script below on your RPort server from the root account to create the hooks.

```bash
# Pre-hook: stop rportd so certbot can bind port 80 for the http-01 challenge.
cat << EOF > /etc/letsencrypt/renewal-hooks/pre/rport.sh
#!/bin/sh
echo "Stopping rportd for certificate renewal"|logger -t certbot
systemctl stop rportd
EOF
chmod +x /etc/letsencrypt/renewal-hooks/pre/rport.sh

# Post-hook: start rportd again so it loads the renewed certificate.
cat << EOF > /etc/letsencrypt/renewal-hooks/post/rport.sh
#!/bin/sh
echo "Starting rportd after certificate renewal"|logger -t certbot
systemctl start rportd
EOF
chmod +x /etc/letsencrypt/renewal-hooks/post/rport.sh
```

From now on, `certbot` will renew the certificates automatically.

{% hint style="danger" %}
You need the above hooks even if RPort is not running on port 80. Without the restart, the renewed certificate is not loaded into the web server of rportd.
{% endhint %}
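
To confirm the hooks are in place, the following check can be run as root. It is an added example, not part of the RPort installer or documentation. It verifies that both hook files exist, are executable, are not writable by group or others (they run with certbot's root privileges), and contain the expected `systemctl` call. The optional directory argument is an assumption added so the check can be tried against a scratch directory.

```bash
#!/bin/sh
# Added example (not from the RPort docs): audit the certbot hooks for rportd.
# Usage on the server, as root:  check_rport_hooks
# The optional first argument (an assumption for testing) overrides the hook directory.

check_rport_hooks() {
    base="${1:-/etc/letsencrypt/renewal-hooks}"
    rc=0
    for stage in pre post; do
        hook="$base/$stage/rport.sh"
        # Each stage must contain the matching systemctl call from the guide.
        if [ "$stage" = pre ]; then
            want="systemctl stop rportd"
        else
            want="systemctl start rportd"
        fi

        if [ ! -f "$hook" ]; then
            echo "FAIL $hook: missing"; rc=1; continue
        fi
        # certbot only runs hook files that are executable.
        if [ ! -x "$hook" ]; then
            echo "FAIL $hook: not executable"; rc=1
        fi
        # Hooks run as root, so only the owner may be able to edit them.
        perms=$(ls -ld "$hook" | cut -c1-10)
        case "$perms" in
            ?????w*|????????w*)
                echo "FAIL $hook: group- or world-writable ($perms)"; rc=1 ;;
        esac
        if ! grep -qxF "$want" "$hook"; then
            echo "FAIL $hook: does not run '$want'"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: rportd pre and post hooks are in place"
    return "$rc"
}
```

A non-zero return value means at least one hook would not stop or start rportd as described above, so the next renewal would fail or the renewed certificate would not be loaded.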
