EE4 LetsEncrypt Renewal Cron


#1

Hello,

In EE3, LetsEncrypt renewal was dependent on cron set at crontab. I don't see much in the handbook on how LetsEncrypt renewal is handled in EE4. Anyone have any details?

Thank you


#2

As of v4.0.10 ee will automatically renew your certs for existing sites that were created before upgrading to 4.0.10, and for any new sites that you create from now on.

You can manually renew by running ee site ssl-renew example.com — iirc this command permits you to renew within 1 week of expiration but you can use --force to override this and renew whenever you need to (subject to LE’s rate limits). You can also renew all of your sites in one go with ee site ssl-renew --all

Something to note though; for wildcard certs ee will only automatically renew those if a CloudFlare API key is present. I’m not sure why this is…I think the TXT validation keys change when it comes time to renew, and by using CF and having an API key connected, ee would be able to update those records and subsequently be able to pull new certificates. Personally I hate CF but I think you can use it for DNS hosting only, without having to use their CDN or any other features — if that’s the case then I will probably use them for DNS, if I can have all their other features switched off. It would be a hassle having to manually renew all sites that use a wildcard cert.

Side note; I’m not sure if sites configured with wildcards are supported when you manually renew --all, I’ve yet to try it but I’m guessing they probably are if all of said sites are connected to CF DNS with an API key present.
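
One way to check that renewal is actually happening, for example for wildcard sites without a CloudFlare API key, is to flag certificates that are already inside the renewal window. This is an added example, not part of the thread and not EasyEngine's own code; the function names are hypothetical, certificate paths are passed as arguments because the thread does not say where ee stores them, and the 7-day default follows the one-week figure recalled in post #2.

```shell
#!/bin/sh
# Added example: report PEM certificates that are inside the renewal window.
# RENEW_WINDOW_DAYS defaults to 7, following the "within 1 week of expiration"
# figure recalled in the thread (an assumption; adjust to your own policy).
RENEW_WINDOW_DAYS=${RENEW_WINDOW_DAYS:-7}

# cert_in_window FILE [DAYS]
# Returns 0 if the certificate in FILE expires within DAYS days (or has
# already expired), 1 if it stays valid beyond that, 2 if FILE is missing
# or does not parse as a certificate.
cert_in_window() {
    file=$1
    days=${2:-$RENEW_WINDOW_DAYS}
    [ -r "$file" ] || return 2
    openssl x509 -in "$file" -noout >/dev/null 2>&1 || return 2
    # -checkend N exits 0 when the cert is still valid N seconds from now
    if openssl x509 -in "$file" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renewal_report FILE...
# Prints one status line per certificate; returns 1 if any certificate needs
# attention (inside the window or unreadable), 0 otherwise.
renewal_report() {
    rc=0
    for f in "$@"; do
        cert_in_window "$f" && status=0 || status=$?
        case $status in
            0) echo "RENEW $f"; rc=1 ;;
            1) echo "OK    $f" ;;
            *) echo "ERROR $f"; rc=1 ;;
        esac
    done
    return $rc
}

# Run the report when certificate paths are given on the command line.
if [ $# -gt 0 ]; then
    renewal_report "$@"
fi
```

A site reported as RENEW can be renewed by hand with ee site ssl-renew example.com, as described in post #2.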