
Tuesday, April 14, 2026

How to Automate TLS Certificate Renewals on Linux Before Short Lifetimes Become a Problem

Part 5 of 6

Shorter TLS certificate lifetimes mean manual renewal is no longer enough. Here is how Linux admins can automate renewals safely.

Introduction

Once certificate lifetimes start shrinking, the obvious question becomes: how do we keep up without turning certificate renewals into a monthly headache?

The answer is automation.

Use ACME-based renewal

Most modern certificate automation is built around ACME, the protocol used by tools such as Certbot, acme.sh, and lego.

For many Linux users, Certbot is the easiest starting point. A simple test command is:

sudo certbot renew --dry-run

This is useful because it checks whether your renewal process works before expiry becomes urgent.

Use systemd for automation

# /etc/systemd/system/tls-renew.service
[Unit]
Description=Renew TLS certificates

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet
ExecStartPost=/bin/systemctl reload nginx.service

# /etc/systemd/system/tls-renew.timer
[Unit]
Description=Run TLS renewal twice daily

[Timer]
OnCalendar=*-*-* 03,15:00:00
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target

This pattern is useful because renewal becomes automatic, Nginx reloads after the renewal run, the randomized delay spreads load across servers instead of hitting the CA at the same second, and Persistent=true makes systemd run a missed renewal right after boot if the machine was off at the scheduled time.

Choose the right validation method

HTTP-01 is often easiest for standard websites.

DNS-01 is usually needed for wildcard certificates and more complex environments.

The important mindset change is this: do not treat certificate renewal like a note on your calendar. Treat it like a routine automated operating task.

Closing thoughts

The admins who automate early will handle future certificate lifetime reductions much more easily than the ones still renewing by hand.

Read next: My 2026 Certificate Checklist for Linux Admins and Website Owners


How to Check If Your Linux Server Uses an Affected DigiCert Certificate Chain

Part 3 of 6

A practical Linux guide to inspecting TLS certificate chains with OpenSSL before DigiCert trust changes cause browser errors.

Introduction

Once you know that browser trust changes are coming, the next question is obvious: how do you check whether your own server is affected?

The good news is that Linux gives you simple tools for this. One of the easiest ways is to inspect the live TLS chain with OpenSSL.

Basic OpenSSL check

openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null

This shows the certificate chain presented by the remote server.

Save and inspect each certificate

openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null \
  | awk '/BEGIN CERTIFICATE/{i++; inside=1} inside{print > ("cert-" i ".pem")} /END CERTIFICATE/{inside=0}'

for f in cert-*.pem; do
  echo "==== $f ===="
  openssl x509 -in "$f" -noout -subject -issuer -dates
done

This helps you review each certificate in the chain and see who issued it, who it belongs to, when it starts and ends, and whether the issuer looks like an old or current DigiCert hierarchy.

Also check your web server configuration

For Nginx, the file referenced by the ssl_certificate directive usually needs to contain the leaf certificate first, followed by the required intermediate certificates in order, each one issued by the one that follows it.
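As an added example (not part of the original post), the following script checks the output of the `for f in cert-*.pem` loop above for the two things just described: that each certificate in the presented chain is issued by the next one, and that none of them is close to expiry. The sample output embedded below is constructed, with placeholder CA names.

```python
# Added example: check chain order and remaining lifetime from the text that
# "openssl x509 -noout -subject -issuer -dates" prints for each cert file.
from datetime import datetime, timezone

# Constructed sample of the loop's output for a leaf + intermediate chain.
# CA names are placeholders, not a real hierarchy.
SAMPLE_OUTPUT = """\
==== cert-1.pem ====
subject=CN=example.com
issuer=C=US, O=Example CA Inc, CN=Example CA Intermediate G1
notBefore=Jan  1 00:00:00 2026 GMT
notAfter=Apr  1 00:00:00 2026 GMT
==== cert-2.pem ====
subject=C=US, O=Example CA Inc, CN=Example CA Intermediate G1
issuer=C=US, O=Example CA Inc, CN=Example Root CA
notBefore=Mar  1 00:00:00 2020 GMT
notAfter=Mar  1 00:00:00 2030 GMT
"""

OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"

def parse_chain(text):
    """Return one dict per certificate, in the order the server presented them."""
    certs = []
    for line in text.splitlines():
        if line.startswith("===="):
            certs.append({})
            continue
        key, _, value = line.partition("=")
        if key in ("notBefore", "notAfter"):
            # openssl pads the day ("Apr  1 ..."); collapse the spaces for strptime
            value = datetime.strptime(" ".join(value.split()), OPENSSL_DATE)
            value = value.replace(tzinfo=timezone.utc)
        certs[-1][key] = value
    return certs

def check_chain(certs, now_iso=None, renew_within_days=30):
    """Return a list of problems: ordering breaks and certs near or past expiry.
    now_iso is an ISO date/time string (assumed UTC); defaults to the current time."""
    now = (datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    problems = []
    for i, cert in enumerate(certs):
        days_left = (cert["notAfter"] - now).days
        if days_left < 0:
            problems.append(f"cert {i+1} expired {-days_left} days ago")
        elif days_left < renew_within_days:
            problems.append(f"cert {i+1} expires in {days_left} days; renew now")
        # Nginx wants leaf, then the issuer of the leaf, then its issuer, and so on
        if i + 1 < len(certs) and cert["issuer"] != certs[i + 1]["subject"]:
            problems.append(f"cert {i+1} issuer does not match cert {i+2} subject")
    return problems
```

Pipe the real loop output into `parse_chain` (for example via `sys.stdin.read()`) and run `check_chain` on it; an empty list means the chain is ordered and not due for renewal.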

You should also ask yourself a few questions:

  • Do we pin roots or intermediates anywhere?
  • Do we use Java keystores or custom trust stores?
  • Do we have containers, appliances, or internal services that assume a certain chain?

If you find that your server is still presenting an older path, the usual fix is to reissue or renew the certificate onto a supported hierarchy and then test the new chain before rolling it out.

Closing thoughts

A live certificate check takes only a few minutes, but it can save you from a very confusing browser outage later.

Read next: Are TLS Certificate Lifetimes Really Dropping to One Month? Here Is the Real Timeline