I’m handling all infra setup for tiendabonsai.net. This is a WordPress website that I migrated from AWS Lightsail to EC2 a while ago; to know more about this process, check this post.

When the website was running on AWS Lightsail I configured an HTTPS certificate using Let’s Encrypt. Apparently there is a maximum duration of 90 days per certificate, so after that you need to manually renew it unless you prepare an automatic script.

This is the email I received from expiry@letsencrypt.org:

Hello,

Your certificate (or certificates) for the names listed below will expire in 20 days (on 30 Apr 21 14:23 +0000). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.

*.tiendabonsai.net tiendabonsai.net

For any questions or support, please visit: https://community.letsencrypt.org/ Unfortunately, we can’t provide support by email.

For details about when we send these emails, please visit: https://letsencrypt.org/docs/expiration-emails/ In particular, note that this reminder email is still sent if you’ve obtained a slightly different certificate by adding or removing names. If you’ve replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

After doing an investigation and checking the official Bitnami documentation, I found a cool solution to avoid having to renew the certificate every 90 days. This consists of creating a script and running it from crontab.

First I created the script:

sudo vim /opt/bitnami/letsencrypt/scripts/renew-certificate.sh

I added the following content to it:

#!/bin/bash

sudo /opt/bitnami/ctlscript.sh stop apache
sudo /opt/bitnami/letsencrypt/lego --tls --email="<my-personal-email>" --domains="tiendabonsai.net" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start apache

(Note that this setup is for Apache)

I added execution permissions:

sudo chmod +x /opt/bitnami/letsencrypt/scripts/renew-certificate.sh

Then, I edited the crontab configuration:

sudo crontab -e

And I added this line:

0 0 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /dev/null

When I tried to execute the script I got an error:

Unmonitored apache
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
2021/04/10 15:15:02 Account is not registered. Use ‘run’ to register a new account.
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 80
Monitored apache

To fix it I did the following:

First, I stopped Apache:

sudo /opt/bitnami/ctlscript.sh stop apache

Then, I executed the lego run instruction like this:

sudo lego --tls --email="<my-personal-email>" --domains="tiendabonsai.net" --path="/opt/bitnami/letsencrypt" run

And finally, I started Apache:

sudo /opt/bitnami/ctlscript.sh start apache

With this configuration I won’t have to handle any other future renewal. I hope you find it useful.
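Because the crontab line sends stderr to /dev/null, a failed renewal (like the "Account is not registered" error above) leaves no trace until the certificate expires. The script below is an added example, not part of the original post or the Bitnami documentation: it reports whether a certificate is inside the 30-day renewal window mentioned in the Let’s Encrypt email. The function names, the use of GNU date and the certificate path in the comment are assumptions.

```bash
#!/bin/bash
# Added example: report whether a certificate is inside its renewal window.
# Needs GNU date; cert_not_after also needs openssl.

RENEW_WINDOW_DAYS=30   # renewal point recommended in the Let's Encrypt email

# Print a PEM certificate's notAfter value, e.g. "Apr 30 14:23:00 2021 GMT".
cert_not_after() {
    openssl x509 -enddate -noout -in "$1" | cut -d= -f2
}

# renewal_status NOT_AFTER [NOW_EPOCH]
# Prints "OK <days>", "RENEW <days>" or "EXPIRED"; returns 2 on a bad date.
renewal_status() {
    local end now left
    [ -n "$1" ] || return 2          # openssl produced nothing to parse
    end=$(date -u -d "$1" +%s) || return 2
    now=${2:-$(date -u +%s)}
    left=$(( end - now ))
    if [ "$left" -le 0 ]; then
        echo "EXPIRED"
    elif [ "$left" -lt $(( RENEW_WINDOW_DAYS * 86400 )) ]; then
        echo "RENEW $(( left / 86400 ))"
    else
        echo "OK $(( left / 86400 ))"
    fi
}

if [ "$#" -ge 1 ]; then
    # Real use: pass the certificate file, for example (assumed location)
    # /opt/bitnami/letsencrypt/certificates/tiendabonsai.net.crt
    renewal_status "$(cert_not_after "$1")"
else
    # Constructed sample: expiry date from the email, "now" from the lego
    # log line in the post (treated as UTC).
    renewal_status "Apr 30 14:23:00 2021 GMT" \
        "$(date -u -d '2021-04-10 15:15:02' +%s)"
fi
```

Run from a second crontab entry without redirecting its output, anything other than an OK line shows that the monthly renewal job is not working.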
