Running dokku-letsencrypt auto-renewal as a Cronjob

Running dokku-letsencrypt auto-renewal as a Cronjob

With the new letsencrypt:auto-renew command added to my dokku-letsencrypt plugin, it is now super-easy to set up automatic certificate renewal on your host!

Here's a guide on how to configure cron to perform a daily check and auto-renewal for your Let's Encrypt certificates. Note: I'm using the dokku-recommended Ubuntu 14.04 LTS but you should be able to make this work on other distributions, too.

Update 2016-02-21: Thanks to a hint from Morris Jobke, the process was greatly simplified.

Update 2016-05-22: Thanks to a contribution from Joël Gähwiler, the cronjob installation has now been automated in dokku-letsencrypt and a cronjob can be installed simply by running dokku letsencrypt:cron-job --add.

Setting a crontab entry

Once we've set up dokku-letsencrypt to manually download a certificate for our app, we can add an entry for dokku letsencrypt:auto-renew to the crontab of the dokku user:

$ sudo -u dokku crontab -e

Be sure to include an updated MAILTO setting (so that possible failure messages will be sent to you) and PATH definition (so the dokku commands can be found) in addition to the cron entry itself:

MAILTO=your@email.tld
PATH=/bin:/usr/bin:/usr/local/bin

# m h  dom mon dow   command
  0 1    *   *   *  dokku letsencrypt:auto-renew &>> /var/log/dokku/letsencrypt.log

You can edit the cron schedule to renew at a different time. See man 5 crontab for an explanation of the crontab format.

Conclusion

We've now set up your server to perform daily renewal checks on your certificates and renew them once they have entered their renewal grace period. You can check your certificates, when they will expire and when they will next be renewed using the dokku letsencrypt:ls command.

By default, certificates will be renewed 30 days before they expire but you can set a different grace period using the dokku config:set --no-restart <myapp> DOKKU_LETSENCRYPT_GRACEPERIOD=<grace period in seconds> command.