Part 5 of 6
Shorter TLS certificate lifetimes mean manual renewal is no longer enough. Here is how Linux admins can automate renewals safely.
Introduction
Once certificate lifetimes start shrinking, the obvious question becomes: how do we keep up without turning certificate renewals into a monthly headache?
The answer is automation.
Use ACME-based renewal
Most modern certificate automation is built around ACME, the protocol used by tools such as Certbot, acme.sh, and lego.
For many Linux users, Certbot is the easiest starting point. A simple test command is:
sudo certbot renew --dry-run
This is useful because it checks whether your renewal process works before expiry becomes urgent.
Use systemd for automation
# /etc/systemd/system/tls-renew.service
[Unit]
Description=Renew TLS certificates
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet
ExecStartPost=/bin/systemctl reload nginx.service

# /etc/systemd/system/tls-renew.timer
[Unit]
Description=Run TLS renewal twice daily
[Timer]
OnCalendar=*-*-* 03,15:00:00
RandomizedDelaySec=1h
Persistent=true
[Install]
WantedBy=timers.target
This pattern is useful because renewal becomes automatic, Nginx is reloaded after each successful certbot run so a renewed certificate is picked up, the random delay spreads load instead of firing at the same instant everywhere, and Persistent=true means a run missed while the machine was off is caught up on the next boot.
Choose the right validation method
HTTP-01 is often easiest for standard websites.
DNS-01 is usually needed for wildcard certificates and more complex environments.
The important mindset change is this: do not treat certificate renewal like a note on your calendar. Treat it like a routine automated operating task.
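One piece of that routine is an independent check that the automation is actually keeping certificates fresh. The following is an added example, not code from this post or from Certbot: it takes a certificate's validity window in the format Python's ssl getpeercert() returns, computes the days left, and flags renewal as overdue once less than a third of the lifetime remains, so the threshold shrinks along with lifetimes. The one-third fraction, the sample dates and the function names are assumptions for the example.

```python
import socket
import ssl
from datetime import datetime, timezone

# Renewal counts as due once less than this fraction of the total lifetime is
# left (assumed for this example): 30 days for a 90-day certificate, which is
# Certbot's traditional default, and proportionally less for shorter lifetimes.
RENEW_FRACTION = 1 / 3

def parse_cert_time(value):
    """Turn a getpeercert()-style timestamp ('Jun 19 12:00:00 2026 GMT') into a UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

def assess(cert, now=None):
    """Return (state, days_left) for a dict with notBefore/notAfter keys;
    state is 'ok', 'renew-due' or 'expired'. 'renew-due' means the renewal
    timer should already have replaced the certificate. `now` may be a
    datetime or a string in the same cert-time format."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_cert_time(now)
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    lifetime = not_after - not_before
    remaining = not_after - now
    days_left = remaining.total_seconds() / 86400
    if remaining.total_seconds() <= 0:
        return "expired", days_left
    if remaining < lifetime * RENEW_FRACTION:
        return "renew-due", days_left
    return "ok", days_left

def fetch_cert(hostname, port=443, timeout=5.0):
    """Fetch the leaf certificate a live server presents (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed sample: a 90-day certificate like those ACME CAs issue today.
SAMPLE_CERT = {"notBefore": "Jan 10 00:00:00 2026 GMT",
               "notAfter": "Apr 10 00:00:00 2026 GMT"}

if __name__ == "__main__":
    state, days = assess(SAMPLE_CERT, now="Mar 12 00:00:00 2026 GMT")
    print(f"{state}: {days:.0f} days left")  # renew-due: 29 days left
```

Run it from the same timer host or from a monitoring box with `assess(fetch_cert("example.org"))`; a 'renew-due' result means the timer, the ACME validation or the reload step needs attention before expiry becomes urgent.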
Closing thoughts
The admins who automate early will handle future certificate lifetime reductions much more easily than the ones still renewing by hand.
Read next: My 2026 Certificate Checklist for Linux Admins and Website Owners