The next step on my Let’s Encrypt travels is to set up automatic renewal of the certificates, because each certificate is only valid for 90 days.

The following is the config file I use:

# webroot.ini

# the key size
rsa-key-size = 4096

# automatically agree to the terms of service 
agree-tos = True

# renew certs by default
renew-by-default = True

# use webroot authenticator
authenticator = webroot

and this is the command I run to renew the certificate:

$ ./letsencrypt-auto \
    -c /etc/letsencrypt/webroot.ini \
    -w /var/www/<DOMAIN>/public_html \
    -d <DOMAIN> \
    certonly

If the same certificate is being used for multiple domains, you can specify each webroot/domain pair in your command:

-w /var/www/<DOMAIN_1>/public_html \
-d <DOMAIN_1> \
-w /var/www/<DOMAIN_2>/public_html \
-d <DOMAIN_2>

Having to run the command manually would be crazy, so a daily crontab checks how long it’s been since the previous run; if it’s been 86 days, the certificate is renewed.
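
An added example (not the script from the original post) of the daily check described above: it records the time of the last successful renewal in a stamp file and renews once 86 days have passed. The stamp path, the `letsencrypt-auto` install path, the script name in the crontab comment and the `example.com` domain are assumptions.

```shell
#!/bin/sh
# Added example: daily cron wrapper around the renewal command above.
# Hypothetical crontab entry: @daily /usr/local/sbin/le-renew.sh --run
STAMP="${STAMP:-/var/lib/letsencrypt-renew/last-run}"    # assumed stamp file
LE_AUTO="${LE_AUTO:-/opt/letsencrypt/letsencrypt-auto}"  # assumed install path
DOMAIN="${DOMAIN:-example.com}"                          # placeholder domain
RENEW_AFTER_DAYS=86   # leaves 4 days of margin on a 90-day certificate

# days_since <epoch_then> <epoch_now>: whole days elapsed between the two
days_since() {
    echo $(( ($2 - $1) / 86400 ))
}

# renewal_due <stamp_file> <epoch_now>: succeeds (exit 0) if we should renew
renewal_due() {
    # Missing stamp (first run) means renew now.
    [ -r "$1" ] || return 0
    last=$(cat "$1")
    # Empty or non-numeric stamp: fail safe by renewing rather than skipping.
    case "$last" in ''|*[!0-9]*) return 0 ;; esac
    [ "$(days_since "$last" "$2")" -ge "$RENEW_AFTER_DAYS" ]
}

renew() {
    "$LE_AUTO" -c /etc/letsencrypt/webroot.ini \
        -w "/var/www/$DOMAIN/public_html" -d "$DOMAIN" certonly
}

main() {
    now=$(date +%s)
    renewal_due "$STAMP" "$now" || exit 0
    # Update the stamp only on success, so a failed renewal retries tomorrow.
    if renew; then
        mkdir -p "$(dirname "$STAMP")" && echo "$now" > "$STAMP"
    else
        echo "renewal failed for $DOMAIN" >&2   # cron mails stderr to the owner
        exit 1
    fi
}

if [ "${1:-}" = "--run" ]; then main; fi
```

The stamp tracks the last successful run, not the certificate's actual expiry date, so a certificate replaced by hand outside this script will not reset the timer.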

There are still a couple of outstanding tasks, both CloudFront related. One to test a 4096 key, and the other to automate uploading the certificate. Almost there :)