Certbot Automation for Java-based Servers (Cheat Sheet)
Date published: 2018-03-20
Last updated: 2018-04-11
Automate everything, starting with your environment.
Certbot cannot change the port the ACME server validates on: the HTTP-01 challenge is always checked on port 80 from Let's Encrypt's side. The standalone plugin can bind a different local port (--http-01-port), but something on the host must still forward port 80 to it. For servers such as Nginx there is already out-of-the-box plugin support which lets you renew without taking your primary server offline. However, if you are operating an unsupported Java-based server, how might one go about automating Let's Encrypt renewals?
- Set up a cron job for a script which will:
  - Run once every day during off-peak hours
  - Extract the certificate's notAfter date and compute the days left before expiration
  - Shut down the redirect server on port 80
  - Shut down the primary server that incoming port 443 is forwarded to (the HTTP-01 challenge only needs port 80, but the primary server has to be restarted anyway to load a renewed keystore)
  - Modify the iptables rules if needed so that port 80 reaches Certbot's standalone listener
  - Run Certbot in standalone mode:
    - If expiration is still more than 30 days away, use dry-run mode (this validates against the staging environment and saves nothing to disk)
    - If the cert expires in 30 days or less, attempt the actual renewal
    - If the renewal succeeded, repackage the new private key and chain into the keystore used by your Java-based server
  - Reset the iptables rules back to the primary server config
  - Relaunch the primary server and the redirect server
Bonus points for:
- Email notifications throughout the various stages for PASS/FAIL
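An added example of such a renewal script, written for this page and not the article's own code. Everything environment-specific is an assumption: the domain, systemd units named redirect.service and app.service, a PKCS12 keystore read by the Java server, the keystore password supplied in the KEYSTORE_PASS environment variable, an existing iptables REDIRECT sending incoming port 80 to the port the redirect server normally listens on, and GNU date for parsing certificate dates.

```sh
#!/bin/sh
# Added example of the daily renewal script described above; not the article's
# own code. Assumptions (all hypothetical): the domain, systemd units named
# redirect.service and app.service, a PKCS12 keystore read by the Java server,
# the keystore password in the KEYSTORE_PASS environment variable, an iptables
# REDIRECT sending port 80 to $REDIRECT_PORT, and GNU date.
set -eu

DOMAIN="${DOMAIN:-example.com}"                        # assumed
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}"  # certbot's default layout
KEYSTORE="${KEYSTORE:-/opt/app/keystore.p12}"          # assumed path
KEYSTORE_PASS="${KEYSTORE_PASS:-changeit}"             # assumed; set it in the cron environment
REDIRECT_PORT="${REDIRECT_PORT:-8080}"                 # assumed port that incoming 80 is forwarded to
RENEW_WINDOW_DAYS=30                                   # same window certbot renew uses by default
export KEYSTORE_PASS                                   # read by openssl via -passout env:

# Whole days from $2 to $1; both are date strings GNU date can parse, such as
# openssl's notAfter format "Jun 11 12:00:00 2026 GMT". Negative if $1 is earlier.
days_between() {
    echo $(( ($(date -d "$1" +%s) - $(date -d "$2" +%s)) / 86400 ))
}

# Days left on a PEM certificate, taken from its notAfter field.
days_until_expiry() {  # $1 = path to cert.pem
    days_between "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)" "$(date -u)"
}

# "dry-run" while more than RENEW_WINDOW_DAYS remain (exercise the whole path
# against the staging environment), "renew" once inside the window or expired.
renewal_mode() {  # $1 = days left
    if [ "$1" -gt "$RENEW_WINDOW_DAYS" ]; then echo dry-run; else echo renew; fi
}

# Run certbot's standalone listener on the port that 80 is already forwarded to,
# so the iptables REDIRECT rule can stay in place. The ACME server still connects
# to port 80 from outside; --http-01-port only changes the local bind.
run_certbot() {  # $1 = mode
    mode=$1
    set -- certbot renew --cert-name "$DOMAIN" --standalone \
        --http-01-port "$REDIRECT_PORT" --non-interactive
    if [ "$mode" = dry-run ]; then set -- "$@" --dry-run; fi
    "$@"
}

# Repackage the renewed key and chain into the PKCS12 keystore the Java server
# loads (Java 9+ uses PKCS12 by default; for JKS follow with keytool
# -importkeystore). Written to a temp file and renamed so the server never
# reads a half-written keystore.
repackage_keystore() {  # $1 = live dir, $2 = keystore path
    tmp="$2.tmp.$$"
    openssl pkcs12 -export -in "$1/fullchain.pem" -inkey "$1/privkey.pem" \
        -name "$DOMAIN" -passout env:KEYSTORE_PASS -out "$tmp"
    chmod 0600 "$tmp"
    mv "$tmp" "$2"
}

stop_servers()  { systemctl stop redirect.service app.service; }   # assumed unit names
start_servers() { systemctl start app.service redirect.service; }

main() {
    days=$(days_until_expiry "$LIVE_DIR/cert.pem")
    mode=$(renewal_mode "$days")
    echo "$DOMAIN: $days days left, mode=$mode"
    stop_servers
    trap start_servers EXIT    # relaunch even if certbot fails; a failure still exits non-zero
    run_certbot "$mode"
    if [ "$mode" = renew ]; then
        new_days=$(days_until_expiry "$LIVE_DIR/cert.pem")
        if [ "$new_days" -le "$days" ]; then
            echo "renewal did not produce a newer certificate" >&2
            exit 1
        fi
        repackage_keystore "$LIVE_DIR" "$KEYSTORE"
    fi
}

# Only act when invoked as "renew-cert.sh run"; without an argument the file
# just defines the helpers, which keeps it safe to source and test.
case "${1:-}" in run) main ;; esac
```

Install it as a daily root cron entry such as `17 3 * * * /usr/local/sbin/renew-cert.sh run`, with KEYSTORE_PASS loaded from a root-only file rather than written into the crontab; with MAILTO set in the crontab, cron mails the script's output and a non-zero exit, which covers the PASS/FAIL notifications. Two caveats: `certbot renew` already skips certificates with more than 30 days left, so the explicit day count here only decides between a staging dry run and a real attempt, and certbot's `--deploy-hook` runs a command only after a successful renewal, which is the alternative place to put the keystore repackaging. The staging environment used by `--dry-run` has its own rate limits, so daily dry runs do not eat into the production issuance limits.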
Once you've automated this by having it run daily, you'll be ready if Let's Encrypt shortens the lifetime of its certificates. Attempting renewals starting at 30 days before expiration (the same window `certbot renew` uses by default) gives you plenty of chances and advance warning in case the Let's Encrypt servers are down.
After everything is stable, submit your host to hstspreload.org (this requires serving the HSTS header with a max-age of at least a year, includeSubDomains and the preload directive on every subdomain, and removal from the list takes months, so be sure all subdomains can stay on HTTPS) and consider adding a CAA (Certification Authority Authorization) DNS record naming letsencrypt.org as the only CA permitted to issue for the domain.