Auto Renewal

Learning Focus

By the end of this lesson you will know how to set up automatic certificate renewal with reload hooks.

Why Auto Renewal Matters

Let's Encrypt certificates expire every 90 days. Without auto-renewal, visitors will start seeing certificate errors as soon as the certificate expires.

Setting Up Auto Renewal

Certbot Timer (Default)

Certbot installs a systemd timer that checks for renewals twice daily:

# Verify the timer is active
sudo systemctl status certbot.timer

# List managed certificates with their expiry dates
sudo certbot certificates

Adding an OpenLiteSpeed Reload Hook

After renewal, OpenLiteSpeed must reload to use the new certificate:

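# Create a deploy hook (written via sudo tee, because a plain "cat >" redirect
# runs as the calling user and cannot write to /etc/letsencrypt)
sudo tee /etc/letsencrypt/renewal-hooks/deploy/reload-ols.sh > /dev/null << 'EOF'
#!/bin/bash
# Restart OpenLiteSpeed so it loads the renewed certificate
/usr/local/lsws/bin/lswsctrl restart
EOF
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-ols.sh

# Test renewal with dry run
# (deploy hooks are not executed during a dry run, so run the hook script
# once by hand to confirm that it works)
sudo certbot renew --dry-run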

Warning: Without the reload hook, OpenLiteSpeed continues serving the old certificate from memory even after the new one is on disk.
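The stale-certificate condition described in the warning can be checked directly by comparing the fingerprint of the certificate on disk with the one the server presents. This is an added example, not part of the original lesson; the function names, the `CHECK_ADDR` variable and the assumption that OpenLiteSpeed listens on 127.0.0.1:443 are illustrative.

```shell
#!/bin/bash
# Added example: detect a server still presenting the pre-renewal certificate.
# Assumptions: certbot's default layout under /etc/letsencrypt/live and a
# listener reachable at CHECK_ADDR (default 127.0.0.1) on port 443.

# SHA-256 fingerprint of the leaf certificate stored in PEM file $1.
disk_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# SHA-256 fingerprint of the certificate presented for server name $1 on port $2.
served_fingerprint() {
    openssl s_client -connect "${CHECK_ADDR:-127.0.0.1}:${2:-443}" \
        -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# Reduce "sha256 Fingerprint=AA:BB:..." to bare uppercase hex.
normalize_fp() {
    printf '%s' "${1##*=}" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Succeed only when both fingerprints are non-empty and identical.
same_cert() {
    local a b
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Exit status: 0 = server presents the on-disk cert, 1 = stale, 2 = check failed.
check_domain() {
    local domain="$1" port="${2:-443}" disk served
    disk=$(disk_fingerprint "/etc/letsencrypt/live/$domain/cert.pem") || return 2
    served=$(served_fingerprint "$domain" "$port") || return 2
    if same_cert "$disk" "$served"; then
        echo "OK: $domain is serving the certificate on disk"
    else
        echo "STALE: $domain is serving a different certificate" >&2
        return 1
    fi
}

# Run the check only when a domain is given on the command line.
if [ $# -ge 1 ]; then
    check_domain "$@"
fi
```

Run it as root with the certificate name after a renewal, or from monitoring; exit status 1 means the restart did not take effect and the old certificate is still being served.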

Key Takeaways

  • Let's Encrypt certificates expire in 90 days — auto-renewal is essential.
  • Add a deploy hook that reloads OpenLiteSpeed after each renewal.
  • Test with --dry-run to verify the renewal workflow works.

What's Next

  • Return to the Security module for the complete overview.