Hugo Part 3: Auto Renew Certificate

2025-03-20

For servers that block port 80 entirely to meet a security requirement, port 80 has to be opened temporarily while Let's Encrypt certificates are renewed. Here's an automated solution using a systemd timer and the AWS CLI (this assumes the AWS CLI is already installed and configured with credentials that are allowed to modify the security group).

Create the renewal script:

#!/bin/bash
# /usr/local/bin/certbot-renew-with-sg.sh
# Opens TCP/80 in the instance's security group only for the duration of
# `certbot renew`, then closes it again on every exit path.
set -euo pipefail

SG_ID="sg-CAFEBABE7355608"
RULE_DESCRIPTION="Temporary HTTP for LetsEncrypt"
# The rule description is set through --ip-permissions; authorize-security-group-ingress
# has no top-level --description option.
HTTP_RULE="IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges=[{CidrIp=0.0.0.0/0,Description='$RULE_DESCRIPTION'}]"

add_sg_rule() {
    local out
    # Tolerate a rule left behind by an earlier interrupted run (InvalidPermission.Duplicate);
    # any other error aborts the script before certbot is started.
    if ! out=$(aws ec2 authorize-security-group-ingress \
            --group-id "$SG_ID" \
            --ip-permissions "$HTTP_RULE" 2>&1); then
        if [[ "$out" != *InvalidPermission.Duplicate* ]]; then
            echo "failed to open port 80: $out" >&2
            return 1
        fi
    fi
    sleep 10   # give the rule time to propagate before certbot's challenge
}

remove_sg_rule() {
    aws ec2 revoke-security-group-ingress \
        --group-id "$SG_ID" \
        --protocol tcp \
        --port 80 \
        --cidr 0.0.0.0/0
}

do_renew() {
    certbot renew
}

# Close port 80 again whether the script succeeds, fails, or is terminated.
trap remove_sg_rule EXIT

add_sg_rule

for i in 1 2 3; do
    if do_renew; then
        exit 0
    fi
    if [ "$i" -eq 3 ]; then
        echo "certbot renew failed after 3 attempts" >&2
        exit 1
    fi
    sleep 30
done

Create the systemd service:

# /etc/systemd/system/certbot-renew-sg.service
[Unit]
Description=Renew LetsEncrypt certificate with temporary SG rule
After=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/certbot-renew-with-sg.sh
User=root

[Install]
WantedBy=multi-user.target

Create the systemd timer:

# /etc/systemd/system/certbot-renew-sg.timer
[Unit]
Description=Run certbot renewal with SG rule monthly

[Timer]
OnCalendar=*-*-01 03:00:00
RandomizedDelaySec=3600
Persistent=true

[Install]
WantedBy=timers.target

Make the script executable and enable the timer:

chmod +x /usr/local/bin/certbot-renew-with-sg.sh
systemctl daemon-reload
systemctl enable certbot-renew-sg.timer
systemctl start certbot-renew-sg.timer

The timer fires at around 3 AM on the first day of each month, with a random delay of up to one hour. You can trigger the renewal process manually with:

systemctl start certbot-renew-sg.service
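The monthly schedule interacts with certbot's own renewal threshold, so the margin it leaves is worth checking before relying on it. The following simulation is an added example and not part of the original post: it assumes the certbot/Let's Encrypt defaults of 90-day certificates that `certbot renew` renews once 30 days or fewer remain, models the `OnCalendar=*-*-01` timer at day granularity (ignoring the 03:00 firing time and RandomizedDelaySec), and uses a constructed issue date of 2025-03-20.

```python
from datetime import date, timedelta
from typing import Callable, Iterator, Tuple

# Assumed parameters (certbot / Let's Encrypt defaults, not stated in the post):
# certificates are valid for 90 days and are renewed once 30 days or fewer remain.
CERT_LIFETIME_DAYS = 90
RENEW_BEFORE_DAYS = 30

# Constructed example issue date, not taken from a real certificate.
EXAMPLE_ISSUED = date(2025, 3, 20)

Schedule = Callable[[date], Iterator[date]]


def monthly_runs(start: date) -> Iterator[date]:
    """Timer firings for OnCalendar=*-*-01: the first day of every month after `start`."""
    year, month = start.year, start.month
    while True:
        month += 1
        if month > 12:
            month, year = 1, year + 1
        yield date(year, month, 1)


def daily_runs(start: date) -> Iterator[date]:
    """Timer firings for a daily schedule: every day after `start`."""
    current = start
    while True:
        current += timedelta(days=1)
        yield current


def days_left_at_renewal(issued: date, schedule: Schedule,
                         lifetime: int = CERT_LIFETIME_DAYS,
                         threshold: int = RENEW_BEFORE_DAYS) -> int:
    """Days of validity remaining on the timer run that actually renews the certificate.

    Every earlier run is skipped by certbot because more than `threshold` days remain.
    0 means the renewing run lands on the expiry day; a negative value would mean the
    certificate expired before the timer got to it.
    """
    expiry = issued + timedelta(days=lifetime)
    for run in schedule(issued):
        remaining = (expiry - run).days
        if remaining <= threshold:      # certbot's renew_before_expiry rule
            return remaining
    raise AssertionError("unreachable: schedules are infinite and monotonic")


def worst_case(schedule: Schedule, year: int = 2025) -> Tuple[int, date]:
    """Sweep every issue date in `year`; return the smallest margin and the first issue
    date that produces it."""
    worst = None
    day = date(year, 1, 1)
    while day.year == year:
        margin = days_left_at_renewal(day, schedule)
        if worst is None or margin < worst[0]:
            worst = (margin, day)
        day += timedelta(days=1)
    return worst


if __name__ == "__main__":
    print("monthly, issued 2025-03-20:",
          days_left_at_renewal(EXAMPLE_ISSUED, monthly_runs), "days left at renewal")
    print("monthly worst case (margin, issue date):", worst_case(monthly_runs))
    print("daily worst case (margin, issue date):", worst_case(daily_runs))
```

Sweeping every issue date in 2025 shows a worst case of 0 days of margin for the first-of-month schedule: a certificate issued on 2025-01-01 still has 31 days left on 1 March, is skipped, and the next run lands on its expiry day (1 April), where the 03:00 firing time and the random delay decide whether it is already expired. A daily schedule always renews with 30 days to spare, which is why certbot's packaged certbot.timer fires twice a day; running this timer more often than monthly costs nothing, since a run with no certificate due simply opens and closes port 80 for a few seconds.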