Certbot Timer¶
SSL-Zertifikats-Erneuerung.
Certbot Installation¶
# Install certbot together with the nginx plugin from the distribution repositories.
sudo apt update
sudo apt install certbot python3-certbot-nginx
Timer einrichten¶
Systemd Timer erstellen¶
# Create the timer unit (the schedule); the service unit created below does the actual work.
sudo nano /etc/systemd/system/certbot-renewal.timer
[Unit]
Description=Certbot Renewal Timer
# Run once a day. Persistent=true catches up a run missed while the machine was
# off; RandomizedDelaySec spreads the start over up to one hour so many hosts do
# not contact the CA at the same moment.
# NOTE(review): the distribution's certbot package may already install its own
# renewal timer — check `systemctl list-timers` so renewal does not run twice.
[Timer]
OnCalendar=daily
Persistent=true
RandomizedDelaySec=3600
[Install]
WantedBy=timers.target
# Create the service unit; a timer activates the unit with the same base name by default.
sudo nano /etc/systemd/system/certbot-renewal.service
[Unit]
Description=Certbot Renewal Service
# NOTE(review): network.target does not guarantee connectivity; for a job that
# must reach the CA, Wants=/After=network-online.target is the usual choice.
After=network.target
[Service]
Type=oneshot
# --quiet: only errors are printed, so the journal of this unit is where a
# failed renewal shows up.
# NOTE(review): --no-self-upgrade was a certbot-auto option; confirm the
# installed certbot still accepts it, an unknown option fails the whole unit.
ExecStart=/usr/bin/certbot renew --quiet --no-self-upgrade
# Every ExecStartPost must succeed or the unit is marked failed, so these
# reloads assume nginx, postfix and dovecot are all installed and running.
# The deploy hook configured further down also reloads them; keep only one of
# the two mechanisms to avoid double reloads.
ExecStartPost=/bin/systemctl reload nginx
ExecStartPost=/bin/systemctl reload postfix
ExecStartPost=/bin/systemctl reload dovecot
Timer aktivieren¶
# Let systemd pick up the new unit files, then enable (start at boot) and start
# the timer. Only the timer is enabled; the service is triggered by it.
sudo systemctl daemon-reload
sudo systemctl enable certbot-renewal.timer
sudo systemctl start certbot-renewal.timer
Timer-Status prüfen¶
# Timer status (last and next activation)
sudo systemctl list-timers certbot-renewal.timer
# Service logs — the place to look when a renewal or one of the ExecStartPost reloads failed
sudo journalctl -u certbot-renewal.service
# Next scheduled run
systemctl show certbot-renewal.timer --property=NextElapseUSecRealtime
Certbot-Konfiguration¶
Renewal-Konfiguration¶
# Per-certificate renewal configuration; "example.com" stands for the lineage name.
sudo nano /etc/letsencrypt/renewal/example.com.conf
# renew_before_expiry = 30 days
# The following keys are written by certbot; do not edit them by hand.
version = 2.9.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/fullchain.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
[renewalparams]
# ACCOUNT_ID is a placeholder for the account directory name certbot generated.
account = ACCOUNT_ID
authenticator = nginx
installer = nginx
rsa_key_size = 4096
# NOTE(review): stopping nginx before and starting it after every renewal means
# downtime on each run. Freeing port 80 this way is normally only needed for
# the standalone authenticator; with authenticator = nginx the plugin talks to
# the running nginx itself, so these two hooks are likely unnecessary.
pre_hook = systemctl stop nginx
post_hook = systemctl start nginx
Globale Konfiguration¶
# Deploy hooks in this directory run after a successful renewal; the unit above
# reloads the same services via ExecStartPost, so one of the two is redundant.
sudo nano /etc/letsencrypt/renewal-hooks/deploy/nginx-reload.sh
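#!/bin/bash
# Certbot deploy hook: reload the services that serve the renewed certificate.
# Certbot runs this after a successful renewal and reports the hook's exit
# status in its log, so a failed reload must not be hidden by a later success.
# Certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS for hooks that need to act
# per certificate; this hook reloads unconditionally.
set -u

failures=0

#######################################
# Reload one systemd service. A failure is recorded instead of aborting so the
# remaining services still receive the new certificate.
# Globals:   failures (incremented on error)
# Arguments: $1 - service name
#######################################
reload_service() {
  local service=$1
  if ! systemctl reload "$service"; then
    printf 'reload of %s failed\n' "$service" >&2
    failures=$((failures + 1))
  fi
}

# Nginx serves the web certificate and is always reloaded.
reload_service nginx

# Postfix and Dovecot only when installed (mail certificates).
if [ -f /etc/postfix/main.cf ]; then
  reload_service postfix
fi
if [ -f /etc/dovecot/dovecot.conf ]; then
  reload_service dovecot
fi

# Non-zero exit status makes certbot log the hook as failed.
[ "$failures" -eq 0 ]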
# Hooks must be executable; certbot skips a hook file it cannot execute.
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/nginx-reload.sh
Manuelles Testen¶
Dry-Run¶
# Exercises the full renewal path against the CA's staging environment without touching the live certificates.
sudo certbot renew --dry-run
Erneuerung erzwingen¶
# Renews even when not yet due. Each forced renewal counts against the CA's
# duplicate-certificate rate limit, so use it only for one-off troubleshooting.
sudo certbot renew --force-renewal
Renewal-Status¶
# Lists the managed certificates with their domains and expiry dates.
sudo certbot certificates
Monitoring¶
Renewal-Status Script¶
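#!/bin/bash
# SSL certificate monitoring: checks the certificate each host actually serves
# on port 443 and logs (and mails) a warning when it expires within
# WARNING_DAYS. All settings can be overridden from the environment.
set -u

DOMAINS="${DOMAINS:-example.com www.example.com mail.example.com}"
WARNING_DAYS="${WARNING_DAYS:-30}"
LOG_FILE="${LOG_FILE:-/var/log/cert-monitor.log}"
ALERT_EMAIL="${ALERT_EMAIL:-admin@example.com}"

#######################################
# Print the notAfter date of the certificate a host serves, or nothing when the
# host is unreachable or presents no certificate.
# Arguments: $1 - host name (also sent as SNI)
# Outputs:   date string as printed by openssl, e.g. "Jan  1 00:00:00 2030 GMT"
#######################################
served_cert_enddate() {
  local host=$1
  # </dev/null: s_client otherwise waits for input on stdin and hangs when the
  # script is run from a terminal.
  openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate 2>/dev/null \
    | cut -d= -f2
}

#######################################
# Whole days from now until a date string understood by GNU date(1).
# Arguments: $1 - expiry date string
# Outputs:   integer number of days (negative when already expired)
# Returns:   1 when the date cannot be parsed
#######################################
days_until() {
  local expiry_epoch now_epoch
  expiry_epoch=$(date -d "$1" +%s) || return 1
  now_epoch=$(date +%s)
  echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

#######################################
# Check one domain, append the result to LOG_FILE and mail on a problem.
# Globals:   LOG_FILE, WARNING_DAYS, ALERT_EMAIL
# Arguments: $1 - domain
# Returns:   0 when the certificate is fine, 1 otherwise
#######################################
check_domain() {
  local domain=$1 enddate days_left
  enddate=$(served_cert_enddate "$domain")
  # An empty date would be parsed by date(1) as "today" and produce a misleading
  # "expires in 0 days" instead of flagging the unreachable host.
  if [ -z "$enddate" ] || ! days_left=$(days_until "$enddate"); then
    echo "FEHLER: $domain nicht erreichbar oder kein Zertifikat erhalten" >> "$LOG_FILE"
    echo "SSL-Zertifikat für $domain konnte nicht geprüft werden" | mail -s "SSL-Warnung" "$ALERT_EMAIL"
    return 1
  fi
  if [ "$days_left" -lt "$WARNING_DAYS" ]; then
    echo "WARNUNG: $domain läuft in $days_left Tagen ab" >> "$LOG_FILE"
    echo "SSL-Zertifikat für $domain läuft in $days_left Tagen ab" | mail -s "SSL-Warnung" "$ALERT_EMAIL"
    return 1
  fi
  echo "OK: $domain läuft in $days_left Tagen ab" >> "$LOG_FILE"
}

#######################################
# Check every domain; exit status is non-zero when any check did not pass.
#######################################
main() {
  local domain rc=0
  # DOMAINS is a space-separated list, so word splitting here is intended.
  for domain in $DOMAINS; do
    check_domain "$domain" || rc=1
  done
  echo "SSL-Überprüfung abgeschlossen: $(date)" >> "$LOG_FILE"
  return "$rc"
}

main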
Cron Job für Monitoring¶
# Daily cron entry that runs the monitoring script above.
sudo nano /etc/cron.daily/ssl-monitor
#!/bin/bash
# Daily cron entry point: delegates to the monitoring script, which is
# presumably installed at this path (the page does not show the copy step).
monitor_script=/usr/local/bin/ssl-monitor.sh
"$monitor_script"
# run-parts only executes files in cron.daily that are executable, and by
# default skips names containing a dot — so keep the name without a ".sh" suffix.
sudo chmod +x /etc/cron.daily/ssl-monitor
Automatisierung¶
Multi-Domain Script¶
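#!/bin/bash
# Multi-domain SSL issuance/renewal: requests a certificate for every domain
# listed in DOMAINS_FILE (one per line; blank lines and "#" comments ignored)
# via the webroot authenticator, then reloads nginx once at the end.
# Settings can be overridden from the environment.
set -u

DOMAINS_FILE="${DOMAINS_FILE:-/etc/certbot/domains.txt}"
WEBROOT="${WEBROOT:-/var/www/html}"
ADMIN_EMAIL="${ADMIN_EMAIL:-admin@example.com}"

#######################################
# Print the domains from a list file, skipping blank lines and "#" comments.
# Arguments: $1 - path of the domains file
# Outputs:   one domain per line, surrounding whitespace removed
#######################################
read_domains() {
  local line
  # "|| [ -n ... ]" keeps a last line that has no trailing newline.
  while read -r line || [ -n "$line" ]; do
    case "$line" in
      '' | '#'*) ;;
      *) printf '%s\n' "$line" ;;
    esac
  done < "$1"
}

#######################################
# Request or renew the certificate for one domain and its www alias.
# Globals:   WEBROOT, ADMIN_EMAIL
# Arguments: $1 - domain
# Returns:   certbot's exit status
#######################################
request_certificate() {
  local domain=$1
  # --non-interactive: never prompt; </dev/null keeps certbot from reading the
  # caller's stdin, which is the domain list when called from the loop below.
  # --force-renewal is deliberately not passed: a new certificate on every run
  # counts against the CA's duplicate-certificate rate limit, and certbot
  # already renews on its own when the certificate is close to expiry.
  certbot certonly \
    --non-interactive \
    --webroot \
    --webroot-path="$WEBROOT" \
    --email "$ADMIN_EMAIL" \
    --agree-tos \
    --no-eff-email \
    -d "$domain" \
    -d "www.$domain" </dev/null
}

#######################################
# Process all domains; exit status is non-zero when any request failed or the
# list file cannot be read.
#######################################
main() {
  local domain failed=0
  if [ ! -r "$DOMAINS_FILE" ]; then
    printf 'Domain-Liste %s nicht lesbar\n' "$DOMAINS_FILE" >&2
    return 1
  fi
  while IFS= read -r domain; do
    echo "Verarbeite $domain..."
    if request_certificate "$domain"; then
      echo "Zertifikat für $domain erneuert"
      # Update the nginx configuration for this domain here.
    else
      echo "Zertifikat für $domain fehlgeschlagen" >&2
      failed=$((failed + 1))
    fi
  done < <(read_domains "$DOMAINS_FILE")
  # Reload nginx once so all renewed certificates become active.
  systemctl reload nginx
  [ "$failed" -eq 0 ]
}

main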
Wildcard-Zertifikate¶
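# Request a wildcard certificate. Wildcards are only issued via the DNS-01
# challenge; with --manual the TXT record is entered by hand, so this
# certificate cannot be renewed unattended unless a --manual-auth-hook script
# that updates DNS is added.
# The wildcard must be quoted: an unquoted *.example.com is a shell glob and
# would be replaced by any matching file names in the current directory.
certbot certonly \
  --manual \
  --preferred-challenges dns \
  --email admin@example.com \
  --agree-tos \
  --no-eff-email \
  -d example.com \
  -d '*.example.com'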