
I had an SSL certificate expire over the weekend; the client had missed the renewal email, and obviously they were not happy their site was displaying SSL warnings.

As I've been using Let's Encrypt on a number of sites now, I wondered if I could use Certbot to check a purchased certificate's expiry and replace it with a Let's Encrypt certificate in between SSL renewals. Does someone know if something like that would work? I'm concerned that the renewal of the purchased certificate could be messed up by it, and I'm not sure if there would be any additional setup for Certbot to work this way.

Does anyone have some advice on how best to handle SSL renewals? I really just need some guidance here.

2 Answers


Yes, replacing a yearly cert with Let's Encrypt will prevent further issues where manual intervention is required.

1) Install Certbot.

2) Issue your first certificate, including any pre/post hooks to ensure the new certificate is loaded on renewal (nginx restart, etc.). Set your renewal/account email to either a ticket system or a distribution list (if you leave, someone else checks on failed renewals). I recommend using webroot; there's a ton of documentation on how to do this.

3) Set up cron to run certbot renew every so often (during a time you can restart the service without negative impact on users, but within a time you can quickly fix any issues that come up).

No, Certbot is not a monitoring tool for 3rd party services; check out 3rd party services for this. Also remember, Certbot is an ACME client, which is what Let's Encrypt uses.

Jacob Evans

The script could have errors; I didn't test it! Please do not run it in production. But I believe it should be something like this:

#!/bin/bash
my_domain=example.com
my_ip=88.208.57.20 # could also be example.com
my_port=443
seconds=86400 # 24h
cert_bot_cert="/etc/letsencrypt/live/$my_domain/fullchain.pem"
cert_bot_key="/etc/letsencrypt/live/$my_domain/privkey.pem"
native_cert="/etc/nginx/ssl/$my_domain/cert.crt"
native_key="/etc/nginx/ssl/$my_domain/key.key"

# Copy the Let's Encrypt certificate and key over the purchased ones, then
# reload nginx only if the configuration still passes nginx -t.
function certrw {
    cat "$cert_bot_cert" > "$native_cert" && cat "$cert_bot_key" > "$native_key" && nginx -t && service nginx reload
}

# Expiry (epoch seconds) of the certificate the server is currently serving.
expire_date=$(date -d "$(echo | openssl s_client -servername "$my_domain" -connect "$my_ip:$my_port" 2>/dev/null | openssl x509 -noout -enddate | cut -d '=' -f2)" +%s)
today=$(date +%s)
diff=$((expire_date - today))
# Less than 24h left: request a Let's Encrypt certificate and swap it in.
if [ "$diff" -lt "$seconds" ]; then
    certbot certonly --webroot -w /var/www/letsencrypt/ -d "$my_domain" && certrw
fi
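The check that both answers describe (measure how long the served certificate has left, then renew through the webroot plugin with a reload hook), as an added example that is not code from the question or either answer. The domain, the webroot path, the 14-day threshold and the use of `systemctl reload nginx` in the deploy hook are assumptions for a typical nginx host; the `date -d` parsing of openssl's "Mon DD HH:MM:SS YYYY GMT" format needs GNU date. Unlike the script above it checks the certificate the server actually presents, so a certificate renewed on disk but never loaded into nginx still shows up as expiring.

```shell
#!/bin/sh
# Added example (not code from the question or either answer): report how
# long the certificate a host is actually serving remains valid, and run the
# Certbot webroot renewal plus an nginx reload hook only when it is close to
# expiry. Domain, webroot path and threshold are assumptions for this host;
# the date -d parsing of openssl's "Mon DD HH:MM:SS YYYY GMT" needs GNU date.
set -eu

WARN_DAYS="${WARN_DAYS:-14}"                 # assumed: act when fewer days remain
WEBROOT="${WEBROOT:-/var/www/letsencrypt}"   # assumed ACME challenge webroot

# Seconds until the notAfter date of a PEM certificate file.
seconds_until_expiry() {
    local pem not_after
    pem="$1"
    not_after=$(openssl x509 -noout -enddate -in "$pem" | cut -d= -f2)
    echo $(( $(date -d "$not_after" +%s) - $(date +%s) ))
}

# Whole days until expiry; reaches zero or below once the certificate has expired.
days_until_expiry() {
    local secs
    secs=$(seconds_until_expiry "$1")
    echo $(( secs / 86400 ))
}

# True (exit 0) when fewer than WARN_DAYS days remain.
needs_renewal() {
    local days
    days=$(days_until_expiry "$1")
    [ "$days" -lt "$WARN_DAYS" ]
}

# Save the certificate the server presents, so a certificate renewed on disk
# but never loaded into nginx still shows up as expiring.
fetch_served_cert() {
    local host port out
    host="$1"
    port="$2"
    out="$3"
    echo | openssl s_client -servername "$host" -connect "$host:$port" 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Webroot issuance/renewal; the deploy hook reloads nginx only after nginx -t passes.
renew_and_reload() {
    local domain
    domain="$1"
    certbot certonly --non-interactive --webroot -w "$WEBROOT" -d "$domain" \
        --deploy-hook "nginx -t && systemctl reload nginx"
}

main() {
    local domain served days
    domain="$1"
    served=$(mktemp)
    trap 'rm -f "$served"' EXIT
    fetch_served_cert "$domain" 443 "$served"
    days=$(days_until_expiry "$served")
    echo "$domain: served certificate expires in $days day(s)"
    if needs_renewal "$served"; then
        renew_and_reload "$domain"
    fi
}

# Usage: ./check-cert.sh example.com   (with no argument only the functions are defined)
if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

Run it from cron with the domain as its argument. The threshold is days rather than the 24 hours used above because Certbot's own `renew` already treats a certificate as due once fewer than 30 days remain, so a check that fires earlier than a day before expiry leaves time to notice a failed renewal before visitors see warnings.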