“I’m not a DevOps engineer, but I play one in production.”
Tired of manually renewing SSL certs every 90 days like it’s a Tamagotchi from 2005?
This guide is for you: developers who want HTTPS without DevOps nightmares.
🤔 Why Certbot?
Because:
- It's free (thanks, Let's Encrypt).
- It works (thanks, Certbot).
- It renews itself (mostly).
- And most importantly: you can get back to writing code instead of deciphering NGINX logs at 3AM.
🧪 Step 1 — Install Certbot
sudo apt update sudo apt install certbot Boom. That’s it. The easy part.
📜 Step 2 — Get your first SSL cert
sudo certbot certonly --standalone \ -d yourdomain.com -d www.yourdomain.com Check what you got:
sudo certbot certificates 🧠 Heads-up:
--standaloneruns a temporary HTTP server on port 80.
If you're using Nginx or Docker, stop them first or use--webroot.
More information about plugins can be found in the official documentation.
🔁 Step 3 — Let it renew itself (like magic)
Certbot installs a systemd timer by default:
systemctl list-timers | grep certbot You can see output like:
Mon 2025-03-10 03:12:00 UTC 10h left Mon 2025-03-09 03:12:00 UTC certbot.timer certbot.service Test if it works:
sudo certbot renew --dry-run You should see something like:
Certbot dry-run was successful. 📅 Certbot renews certificates when they’re 30 days from expiry.
Latest update logs:
journalctl -u certbot.service --no-pager --since "2 days ago" 🧓 Prefer old-school cron? No problem
Disable the timer:
sudo systemctl stop certbot.timer sudo systemctl disable certbot.timer Then add this to your crontab (sudo crontab -e):
0 0 1 * * /usr/bin/certbot renew --standalone --quiet To find out the exact path to certbot, use:
which certbot Because nothing says “legacy and proud” like a 1AM cron job.
🧙 Use Hooks Like a Wizard
Automatically stop/start your services when certs are renewed.
Open your renewal config:
sudo nano /etc/letsencrypt/renewal/yourdomain.com.conf Add:
pre_hook = systemctl stop your-app.service deploy_hook = systemctl reload your-app.service post_hook = systemctl start your-app.service Perfect when you want Certbot to renew certs and do the dishes.
🛠 Bonus: Bash Script of Champions
This is what you actually wanted — a copy-pasteable script to handle everything:
#!/bin/bash APP_PATH="/home/you/yourapp" DOMAIN="yourdomain.com" FULL_CHAIN="/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" PRIVATE_KEY="/etc/letsencrypt/live/${DOMAIN}/privkey.pem" CRT_DEST="${APP_PATH}/ssl/${DOMAIN}.crt" KEY_DEST="${APP_PATH}/ssl/${DOMAIN}.key" echo "[$(date)] Stopping the service..." systemctl stop your-app.service echo "Renewing certs silently..." /usr/bin/certbot renew --standalone --quiet echo "Copying certs like a pro..." cp -f "$FULL_CHAIN" "$CRT_DEST" cp -f "$PRIVATE_KEY" "$KEY_DEST" chmod 644 "$CRT_DEST" "$KEY_DEST" echo "Starting the service again..." systemctl start your-app.service echo "🎉 All done. Go grab a coffee." Crontab it like a boss:
0 0 1 * * /bin/bash /home/you/scripts/renew-ssl.sh >> /var/log/certbot.log 2>&1 🧠 Final Thoughts
SSL shouldn't be harder than writing JavaScript regex.
Certbot + Let’s Encrypt is one of those rare tools that actually “just works” — if you let it.
✅ Works with cron
✅ Supports systemd
✅ Has deploy hooks
✅ Costs $0
Just test it every now and then. Let automation do its thing.
And for the love of uptime — back up your certs.
Top comments (1)
Very Helpful Article