How to Automate SSL Certificate Renewal with Scripts
SSL certificates expire periodically and must be renewed to keep your Breeze server secure. Automating renewal prevents unexpected downtime from expired certificates.
Using Certbot with Auto-Renewal
Install Certbot and obtain your initial certificate:
sudo apt install -y certbot python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
Certbot creates a systemd timer for automatic renewal. Verify it is active:
sudo systemctl status certbot.timer
sudo certbot renew --dry-run
Custom Renewal Script
For more control, create a custom script at /usr/local/bin/renew-ssl.sh:
#!/bin/bash
# Renew certificates, log the outcome, and e-mail the log on failure.
LOG="/var/log/ssl-renew.log"
echo "$(date): Starting renewal" >> "$LOG"
# Send stdout to the log first, then point stderr at it, so errors are logged too
if certbot renew --quiet --deploy-hook "systemctl reload nginx" >> "$LOG" 2>&1; then
    echo "$(date): Renewal successful" >> "$LOG"
else
    echo "$(date): Renewal failed" >> "$LOG"
    # Send alert email
    mail -s "SSL Renewal Failed on $(hostname)" admin@yourdomain.com < "$LOG"
fi
Make the script executable:
chmod +x /usr/local/bin/renew-ssl.sh
Scheduling with Cron
Run the renewal check twice daily:
sudo crontab -e
# Add this line:
0 3,15 * * * /usr/local/bin/renew-ssl.sh
Monitoring Certificate Expiry
Check certificate expiry dates with:
echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates
- Renew at least 30 days before expiry
- Always test with --dry-run first
- Use deploy hooks to reload your web server after renewal
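The expiry check above combined with the 30-day rule, as an added example that is not part of the original article: it parses the notAfter line that openssl prints and reports whether the certificate is inside the renewal window. The function names and the script name are hypothetical, and GNU date is assumed.

```bash
#!/bin/bash
# Added example (not from the original article): flag certificates that are
# inside the 30-day renewal window. Function names are hypothetical; GNU date assumed.
THRESHOLD_DAYS=30

# Print whole days between now ($2, epoch seconds, defaults to the current time)
# and the expiry in an openssl "notAfter=Mar  2 00:00:00 2030 GMT" line ($1).
days_left() {
    local not_after now expiry
    # An empty or unexpected line means the TLS fetch failed; never treat it as a date
    case "$1" in notAfter=*) ;; *) return 2 ;; esac
    not_after="${1#notAfter=}"
    now="${2:-$(date +%s)}"
    expiry=$(date -u -d "$not_after" +%s 2>/dev/null) || return 2
    echo $(( (expiry - now) / 86400 ))
}

# Return 0 = enough validity left, 1 = inside the window or expired, 2 = no usable date
expiry_status() {
    local days
    days=$(days_left "$1" "$2") || return 2
    [ "$days" -ge "$THRESHOLD_DAYS" ] || return 1
    return 0
}

# Fetch the notAfter line from a live server (same openssl pipeline as above)
fetch_not_after() {
    echo | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null
}

# Usage: check-ssl-expiry.sh yourdomain.com
if [ -n "${1:-}" ]; then
    rc=0
    expiry_status "$(fetch_not_after "$1")" || rc=$?
    case "$rc" in
        0) echo "$1: OK" ;;
        1) echo "$1: fewer than $THRESHOLD_DAYS days left, renew now" ;;
        *) echo "$1: could not read certificate" ;;
    esac
    exit "$rc"
fi
```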