How to update SSL certificates
Beautiful Canoe owns a small number of domains, which all hold SSL certificates provided by Let's Encrypt.
If one of these needs to be updated, an email will be sent to
To update a certificate, you need ssh access to the relevant server, your account on that server should be able to run sudo, and you should normally be on the firstname.lastname@example.org mailing list.
If you are not on the mailing list, or you do not have privileges on the relevant server, and you believe you should have, please ask the CTO for advice.
Let's Encrypt cron jobs
By default, servers should have a cron job set up to auto-renew certificates on a daily basis.
The EFF site says:
if you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.
A script such as the one below should be found in
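#!/bin/sh
# File /etc/cron.daily/update-ssl-certs
# Renew any certificates that are due; --quiet suppresses output unless there is an error.
/opt/eff.org/certbot/venv/bin/certbot renew --quiet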
Make sure to run chmod +x on the file, and ensure that it is owned by
Also, check that /etc/anacrontab contains the line:
so that debug output is read by an administrator and does not just sit on the server.
To test the script, add --dry-run to the line that runs certbot and run it from the command line as root.
For more ideas on how to test cron jobs, this SO question is helpful.
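A check for the cron script described above, including the case where --dry-run is left in after testing, so the job runs but never renews anything. This is an added example, not Beautiful Canoe's own tooling; it assumes Debian-style run-parts, and the function name audit_renew_script and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a cron.daily certbot renewal script.
# Assumes Debian-style run-parts. Prints each problem; returns the problem count.
audit_renew_script() {
    f=$1; n=0
    # run-parts skips names with characters outside [A-Za-z0-9_-], e.g. "x.sh".
    case $(basename "$f") in
        *[!A-Za-z0-9_-]*) echo "$f: name will be skipped by run-parts"; n=$((n + 1)) ;;
    esac
    # The page's chmod +x step.
    if [ ! -x "$f" ]; then echo "$f: not executable"; n=$((n + 1)); fi
    # run-parts executes the file directly, so it needs an interpreter line.
    first=; IFS= read -r first < "$f" || :
    case $first in
        '#!'*) ;;
        *) echo "$f: no #! interpreter line"; n=$((n + 1)) ;;
    esac
    # cron.daily scripts run as root: nobody else may be able to edit them.
    if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \))" ]; then
        echo "$f: writable by group or other"; n=$((n + 1))
    fi
    # Look only at non-comment lines for the renew command and test flags.
    body=$(grep -v '^[[:space:]]*#' "$f" || :)
    case $body in
        *'certbot renew'*) ;;
        *) echo "$f: does not run 'certbot renew'"; n=$((n + 1)) ;;
    esac
    case $body in
        *--dry-run*) echo "$f: --dry-run left in, nothing will be renewed"; n=$((n + 1)) ;;
    esac
    return "$n"
}

# Constructed samples in a temp dir (not real server files).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
good=$tmp/update-ssl-certs
bad=$tmp/update-ssl-certs.sh
printf '#!/bin/sh\n/opt/eff.org/certbot/venv/bin/certbot renew --quiet\n' > "$good"
chmod 755 "$good"
printf '/opt/eff.org/certbot/venv/bin/certbot renew --quiet --dry-run\n' > "$bad"
chmod 666 "$bad"
for s in "$good" "$bad"; do
    audit_renew_script "$s" || echo "=> $? problem(s) in $s"
done
```

On a server, call audit_renew_script with the path of the installed script instead of the constructed samples.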
Updating a certificate manually
Hopefully, all Beautiful Canoe servers have SSL update cron jobs set up, so you should not need to update certificates manually.
However, if you have to, these are the steps to follow:
ssh in to the server, and look for the
This will usually be in /opt/eff.org/, or occasionally the certbot binary will be in
Next, run the certbot tool to update SSL registration:
sudo ./certbot renew
For more information please see the Let's Encrypt documentation.