Generate and auto-renew your SSL certificates

Updated 21 July 2023

In my last blog, we learned how to general SSL certificates, here we will learn how to renew those free SSL certificates using the Lego client.

If you are running a website using the nonprofit Certificate Authority i.e, Let’s Encrypt certificate, then you are probably aware that you need to renew the certificate every 90 days, and you could also automate the renewing process every 60 days or so before the expiration date.

Let’s Encrypt is a global Certificate Authority (CA) That lets people and organizations around the world obtain, renew and manage SSL/TLS certificates.


To follow this article, you need to have the following:

  1. You have an account on Cloudflare.
  2. Your site is running on a Linux machine using Apache or Nginx.
  3. Your site is up and running with the Lego client installed. The Lego client simplifies the process of Let’s Encrypt Certificate generation. You could use the following commands to install the Lego client.

Lego – LetsEncrypt client

Lego is a Let’s Encrypt client and ACME library written in Go.

Install Lego

Note: At the time of this writing, we are using version 4.9.1 for Lego.

These are the steps to download, extract and copy the Lego client to a directory in your path.

Create a Cloudflare API key or Token

First, you need to create an API key that has ‘Read‘ access to the zone of your domain and permission to ‘Edit‘ DNS in Cloudflare. API Tokens use the standard Authorization.

To create your API Token go to the ‘API Tokens’ section of your user profile which can be found at

There are two ways to create your token – You can either create it from scratch through the “Create Custom Token” option or you can start with a predefined template, by selecting “Use template”, here, in this case, we will use the “Edit zone DNS” template to create an API Token that can edit a single zone’s DNS records.

once the template is selected, you need to pick a zone for the API token.

Notice that the DNS Edit permission was already pre-selected. Enter a token descriptive name, then add one more permission-giving zone Read access as shown in the figure below

Once you select “Continue to the summary”, you are given a chance to review the selection.

Here, the resources and permissions are quite simple, but this gives you a chance to make sure you are giving the API Token exactly the correct amount of privilege before creating it.

Once created, you are presented with the API Token. This screen is the only time you will be presented with the secret so be sure to put the secret in a safe place!

Anyone with this secret can perform the granted actions on the resources specified to protect it like a password.

In the below screenshot, we have black-box the secret for obvious reasons. If you happen to lose the secret, you can always regenerate it from the API Tokens table so you don’t have to configure all the permission again

In addition to the secret itself, this page provides an example curl request that can be used to verify that the token was successfully created

Now, Generate a Let’s Encrypt Certificate

If you want to generate a new certificate for your domain, browse to the Lego installation directory and then run the following commands

Note: Please remember to replace your CLOUDFLARE_AND_API_TOKEN value, the Domain placeholder with your actual domain name, and the Email-Address placeholder with your email address

Then you will receive two folders within /opt/certs/letsencrypt/

Here, you need to map this key from your web server

Restart your webserver, go to the browser and Enter your domain

The SSL has been configured successfully with a validity of 90 days as shown in the above screenshot.

Now, to automatically renew your certificates before they expire, you need to write a script to perform the above tasks and schedule a cron job to run the script periodically (E.g every 60 days ).

Take the following steps –

Write a script to renew the SSL certificate at the following path, you can change the path based on your installation.

nano editor will open the file, enter the following content into the script and save it depending on if you have Apache and Nginx

Please remember to replace your CLOUDFLARE_AND_API_TOKEN value, the Domain placeholder with your actual domain name, and the Email-Address placeholder with your email address

For Apache:

For Nginx :

Then press Ctrl+X to save the script and exit the nano editor.

Next, you need to make the script executable using the following command

Next, execute the following command to open the crontab editor

Finally, add the below line lines to the crontab file and then press Ctrl + X to save it and exit the nano editor

0 0 * * * bash /opt/certs/letsencrypt/scripts/ 2> /dev/null

[0 0 * * *] is equivalent that the script will run automatically everyday and renew the certificate 10 days ago from the expire date

This is the whole process to generate your SSL certificate as well as renew your SSL certificate

For Magento 2 Elastic search, please follow the –

Our Cloudkul Blogs

Elasticsearch, Fluentd, and Kibana (EFK) 

Setting up Elasticsearch, Logstash, and Kibana for centralized logging

Managing and Monitoring Magento 2 logs with Kibana

Our store modules –

Magento 2 Elasticsearch

EFK Setup for Magento 2

You may also visit our Magento development services and quality  Magento 2 Extensions.

For further help or query, please contact us or raise a ticket.

. . .

Leave a Comment

Your email address will not be published. Required fields are marked*

Be the first to comment.

Start a Project

    Message Sent!

    If you have more details or questions, you can reply to the received confirmation email.

    Back to Home