With the recent federal government shutdown, it’s quite apparent that their IT administrators still renew SSL certificates manually, since many government websites went offline after the certs expired. Politics aside, secure connections and valid certificates are important these days, so administrators should start automating the process. At the very least, have a project or plan in place to anticipate the shutdown and go through all of the important websites for possible cert renewals, 1-2 months in advance. As an Enterprise administrator, it’s also essential to have alerts or calendar reminders to renew an expiring cert. However, the best solution is to set up an automated job.
This is where tools like getssl and certbot can help. For this website, getssl is used to automate the SSL renewal process. The key steps are as follows:
Ensure the Apache web server is set up. Since getssl relies on obtaining the proper “ACME” code from the target website to confirm the correct URL host, a regular port 80 HTTP connection must be made available first.
Per the getssl documentation, run the initial setup to create the proper folders and files in $HOME/.getssl:
getssl -c yourdomain.com
Edit the getssl.cfg in the $HOME/.getssl/yourdomain.com folder with the correct directories for the Apache web server’s doc-root and configuration files. Note that the package-installed Apache HTTPD uses /etc/apache2 as the default config directory.
When getssl is all set up, create a crontab entry to run getssl twice every month, for timely renewal (within 30 days). Be sure to restart Apache HTTPD to make sure the web server reloads the latest cert files.
0 9 1,15 * * $HOME/getssl/getssl -u -a > $HOME/getssl/getssl.out.txt 2>&1
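The cron job renews the cert, but nothing above reports when a renewal silently fails. The following is an added example, not part of the original post or of getssl: a Python check that reports how many days a site's certificate has left, so it can back the alerting mentioned earlier. The 10-day alert threshold, the status names and the function names are assumptions.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

RENEW_DAYS = 30   # renewal window mentioned above
ALERT_DAYS = 10   # assumed threshold: the twice-monthly job should have renewed by now


def days_left(not_after, now=None):
    """Whole days until notAfter (e.g. 'Feb  1 00:00:00 2019 GMT'); negative if expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - (now or datetime.now(timezone.utc))).days


def status(days):
    if days < 0:
        return "EXPIRED"
    if days < ALERT_DAYS:
        return "ALERT"          # renewal job has probably been failing
    if days < RENEW_DAYS:
        return "RENEWAL_DUE"    # normal: the next scheduled run should renew it
    return "OK"


def fetch_not_after(host, port=443, timeout=10):
    """notAfter of the certificate the server presents, or None if it fails validation."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError:
        return None  # expired, wrong host name or untrusted chain


def check(host, now=None, fetch=fetch_not_after):
    """Return (host, days_left or None, status) for one site."""
    not_after = fetch(host)
    if not_after is None:
        return host, None, "INVALID"
    days = days_left(not_after, now)
    return host, days, status(days)


if __name__ == "__main__":
    results = [check(h) for h in sys.argv[1:]]
    for host, days, state in results:
        print(f"{host}: {state} ({days} days left)")
    # Non-zero exit lets cron or a monitoring wrapper raise the alert.
    sys.exit(int(any(s in ("EXPIRED", "ALERT", "INVALID") for _, _, s in results)))
```

Run it from a separate daily cron entry with the site names as arguments; a non-zero exit means at least one certificate needs attention.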