How to add cron job entry for acme.sh

Recently, I had a learning experience with cron jobs and acme.sh. acme.sh is an excellent tool that simplifies the management of Let’s Encrypt TLS (SSL) certificates. It makes obtaining and renewing these essential security certificates for your web server easier.

Recently, I moved my server from Linode to AWS, which was a new environment for me. Initially, everything appeared to be working correctly, and I assumed everything was running smoothly. However, I forgot to migrate the cron job that acme.sh uses to renew the certificate automatically.

This oversight caused my Let’s Encrypt certificates to expire, resulting in security warnings and potential disruptions for visitors to my website. Oops!

Tutorial details
Difficulty level: Easy
Root privileges: Yes
Requirements: Linux or Unix terminal
OS compatibility: Web Server
Est. reading time: 3 minutes

How to add cron job entry for acme.sh

To install the cron job that renews the certificates, run the following command:
# acme.sh --install-cronjob
Outputs:

[Fri May  3 05:57:22 UTC 2024] Installing cron job
no crontab for root
no crontab for root

Want to uninstall the cron job? Run:
# acme.sh --uninstall-cronjob
List the current crontab to verify:
# crontab -l
Now, all I need to do is to force a renewal of all expired TLS certificates. The manual command for each domain is as follows:
# acme.sh -r -d 'cyberciti.biz' -d '*.cyberciti.biz' --keylength ec-384 --ecc -f
# acme.sh -r -d 'cyberciti.com' -d '*.cyberciti.com' --keylength ec-384 --ecc -f

But wait, there is an easy way. You can run the cron job to renew all the TLS (SSL) certs as follows:
# acme.sh --cron
All done. Verify TLS/SSL renew dates. Type:
# acme.sh --list
Outputs:

Main_Domain    KeyLength  SAN_Domains      CA               Created               Renew
cyberciti.biz  "ec-384"   *.cyberciti.biz  LetsEncrypt.org  2024-05-03T05:53:55Z  2024-07-01T05:53:55Z
cyberciti.com  "ec-384"   *.cyberciti.com  LetsEncrypt.org  2024-05-03T05:39:49Z  2024-07-01T05:39:49Z

I also got the email notification:

[Image: How to add cron job entry for acme.sh and get email]

Perfect.

What’s a cron job?

Cron is a task scheduler built into most Linux distros and Unix-based systems. It is a utility that enables you to define commands that run automatically at specific times or intervals. In the case of acme.sh, the cron job typically runs daily to check for expiring certificates and trigger a renewal process if necessary. So, no cron entry means no renewal.

As I wrote earlier, I forgot to migrate the cron job, which disabled acme.sh’s automatic renewal functionality. This is a cautionary tale for anyone who manages servers or web applications that rely on Let’s Encrypt certificates. Thankfully, fixing the issue was relatively straightforward. This is not the first time I messed up. I have a long history of messing around, which I believe is human nature.

Wrapping up and the takeaway

This tiny experience served as a good reminder of the importance of cron jobs, especially when managing TLS/SSL certificates with acme.sh:

  1. When migrating Linux or Unix servers, transfer all essential cron jobs to the new cloud environment, including the acme.sh job that is necessary for TLS renewals.
  2. How do I avoid this in the future? Automate. I’ve now updated my Ansible playbook to dump old cron jobs and install them on a new server.
  3. Documenting and sharing the experience is key. Hence, this tiny post. It helps and serves as a warning to fellow developers and sysadmin folks.
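
One way to catch a missing renewal job after a migration, as an added example that is not part of the original post or the acme.sh project: the script checks a crontab for an active `acme.sh --cron` line and flags domains whose Renew date in `acme.sh --list` has already passed. The function names and the sample crontab are assumptions made for illustration, and it assumes the whitespace-separated `--list` layout shown above.

```shell
#!/bin/sh
# Added example (not from the post or the acme.sh project).

# Succeeds if the crontab text on stdin has an active (non-comment)
# line that runs "acme.sh --cron".
has_acme_cron() {
    grep -v '^[[:space:]]*#' | grep -Eq 'acme\.sh"?[[:space:]]+--cron'
}

# Reads `acme.sh --list` output on stdin and prints every Main_Domain whose
# Renew timestamp (last column) is earlier than $1. Both are ISO 8601 UTC
# strings of the same shape, so string comparison orders them correctly.
overdue_domains() {
    awk -v now="$1" 'NR > 1 && NF >= 6 && ($NF "") < (now "") { print $1 }'
}

# $1 = crontab text, $2 = `acme.sh --list` text, $3 = current UTC time.
# Prints findings and returns 1 if anything needs attention.
renewal_status() {
    rc=0
    if ! printf '%s\n' "$1" | has_acme_cron; then
        echo "ALERT: no acme.sh --cron entry in crontab"
        rc=1
    fi
    for d in $(printf '%s\n' "$2" | overdue_domains "$3"); do
        echo "ALERT: renewal overdue for $d"
        rc=1
    done
    return "$rc"
}

# Constructed sample input: a crontab on a freshly migrated server with the
# acme.sh job missing, plus the --list table shown in the post.
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh'
SAMPLE_LIST='Main_Domain    KeyLength  SAN_Domains      CA               Created               Renew
cyberciti.biz  "ec-384"   *.cyberciti.biz  LetsEncrypt.org  2024-05-03T05:53:55Z  2024-07-01T05:53:55Z
cyberciti.com  "ec-384"   *.cyberciti.com  LetsEncrypt.org  2024-05-03T05:39:49Z  2024-07-01T05:39:49Z'

# Live use as root would pass "$(crontab -l 2>/dev/null)", "$(acme.sh --list)"
# and "$(date -u +%Y-%m-%dT%H:%M:%SZ)" instead of the samples.
renewal_status "$SAMPLE_CRON" "$SAMPLE_LIST" "2024-07-01T05:45:00Z" || true
```

A Renew date in the past means the scheduled run did not happen, which shows up well before the certificate itself expires.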

Now that the cron job is in place, acme.sh will automatically renew my TLS/SSL certificates. Finally, the website was accessible again, and Cloudflare was no longer displaying an error message stating that the origin server was down. This was due to my enabling of TLS verification:

[Image: CF HealthCheck email, "Health check status changed"]

You can turn ON or OFF TLS certificate verification in Cloudflare.


I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source.

1 comment
  • Anonymous May 3, 2024 @ 10:35

    What are the reasons to migrate from Linode to AWS?
