How to check when your Let’s Encrypt SSL certificate expires and how to renew it

A few months ago I wrote a post on how to install a Let’s Encrypt SSL certificate on your Raspberry Pi, specifically for WordPress. In that post, I go through the steps of setting up a cron job to auto-renew the certificate before its 90-day expiration date.

However, what if you just want to check on your certificate to see how much time is left on it, or maybe the cron job fails (it happens)? After all, we’re curious humans with a need to know! Furthermore, what if you want to manually renew those certificates, because, again, we’re human and we like to do things the hard way sometimes? It reminds us that we’re ALIVE! (or something like that).

First off, let’s check how much time we have left on our current certificate. Note: All of these steps are assuming that you followed my previous post on setting this stuff up in the first place. If you didn’t, it may vary on your end.

I’ll be up front, there is no super easy way to do this for us Linux noobs. However, that’s where Google, the Let’s Encrypt community, and my site come together. We’ll start by opening up Terminal, then ssh’ing into our RPi. Then do the update dance for good measure:

sudo apt-get update && sudo apt-get upgrade -y

After that runs, we’re going to install a program called ssl-cert-check:

sudo apt-get install ssl-cert-check

For transparency, I found out about this program from the Let’s Encrypt community forums. On that page, you can see some of the options. However, here, I’m getting right to it.

After that installs, we can run the program to check how much time is left on the installed SSL certificate. Simply type (I’ll explain what you’re typing in a moment):

sudo ssl-cert-check -c /etc/letsencrypt/live/

Depending on your browser the text above may be split into two lines. However, it’s all one line. If all goes well, you should get an output like this:

So, what did you just type? Well, you called the program ssl-cert-check and gave it one of its options. In this case, we used -c which is used to “Print the expiration date for the PEM or PKCS12 formatted certificate in cert file.” After that, it’s the location of your certificate. Again, if you followed my install post then yours should look similar to what I typed out. The output shows how many days you have left. In my case, it was 50 days.

Now, what if you want to manually update the expiration date on your Let’s Encrypt SSL certificate? Possible scenarios that may lead to this, as noted above, may be that the cron job didn’t run or you never activated the cron job and now you have to do it manually anyway. Again, this is super easy too. Do note that Let’s Encrypt won’t let you update it outside of a 30-day window. That is, if you have more than 30 days left on the certificate, you can’t update it.

There are a few ways to do this and I’m only going to show you one (the easy one!). From your Terminal type:

sudo /etc/letsencrypt/certbot-auto renew

This is my output. Notice that it won’t renew as I’m still outside the 30-day window as noted in the above output message.
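If you also want a check you can script, for example to notice when the renewal cron job has quietly failed, the following added example (not from the original post or the ssl-cert-check project) reads a certificate's expiry with openssl and flags it once it is inside the 30-day window. It assumes the openssl CLI and GNU date; the function names and the throwaway self-signed certificates it generates are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumes the openssl CLI and GNU date.
RENEW_WINDOW_DAYS=30    # the 30-day renewal window mentioned in the post

# Print whole days until the certificate's notAfter date.
cert_days_left() {
    local end end_s
    end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null) || return 2
    end_s=$(date -u -d "${end#notAfter=}" +%s) || return 2
    echo $(( (end_s - $(date -u +%s)) / 86400 ))
}

# Print "ok", "renew" (inside the window), "expired" or "unreadable".
cert_status() {
    local cert="$1" window="${2:-$RENEW_WINDOW_DAYS}"
    # A missing or root-only file must not be mistaken for an expired cert.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable; return 2
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo expired
    elif ! openssl x509 -in "$cert" -noout -checkend $(( window * 86400 )) >/dev/null; then
        echo renew
    else
        echo ok
    fi
}

# Constructed sample input: a throwaway self-signed cert valid for $2 days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=example.test" -keyout "$1.key" -out "$1" 2>/dev/null
}

demo() {
    local tmp c d
    tmp=$(mktemp -d)
    make_sample_cert "$tmp/fifty.pem" 50
    make_sample_cert "$tmp/ten.pem" 10
    for c in "$tmp"/*.pem "$tmp/missing.pem"; do
        d=$(cert_days_left "$c")
        echo "$(basename "$c"): $(cert_status "$c") (${d:-?} days left)"
    done
    rm -rf "$tmp"
}
demo
```

Against a real certificate under /etc/letsencrypt/live/ the functions need sudo, just like the ssl-cert-check command above, because that directory is readable only by root.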

I hope I’ve covered all the issues that you may have run into with regard to updating your certs. It really does seem to be a big mystery for many, but it needn’t be. If you have any questions, or you noticed that I missed something, let me know.

Update, 4 June 2017:

It’s been long enough since my original post on adding SSL that I could renew, successfully. With that, here’s a screenshot of what it’ll look like:

Note that “Installing Python packages…” will take a bit. Especially on a Raspberry Pi. But stick with it, it’ll work.
