plausible / community-edition

Example Docker Compose setup for hosting Plausible Community Edition

Automatic Let's Encrypt TLS certificate automatic renewal #178

Closed zuk22 closed 3 weeks ago

zuk22 commented 3 weeks ago

During docker compose up I received an SSL certificate with the following message. The domain was replaced with sub.example.com for privacy reasons.

How can I make sure that it will be auto-renewed? Should I add something to the docker-compose.yml or enable cronjob anywhere?

The following command shows:

sudo certbot renew --force-renewal --dry-run
No simulated renewals were attempted.

Generating a temporary self-signed certificate. This certificate will be used until a proper certificate is issued by the CA server.
plausible-ce-plausible-1            | 07:44:59.113 [notice] Use of --no-self-upgrade is deprecated.
plausible-ce-plausible-1            | Saving debug log to /var/lib/plausible/site_encrypt/certbot/acme-v02.api.letsencrypt.org/log/letsencrypt.log
plausible-ce-plausible-1            | Account registered.
plausible-ce-plausible-1            | Requesting a certificate for sub.example.com
plausible-ce-plausible-1            |
plausible-ce-plausible-1            | Successfully received certificate.
plausible-ce-plausible-1            | Certificate is saved at: /var/lib/plausible/site_encrypt/certbot/acme-v02.api.letsencrypt.org/config/live/sub.example.com/fullchain.pem
plausible-ce-plausible-1            | Key is saved at:         /var/lib/plausible/site_encrypt/certbot/acme-v02.api.letsencrypt.org/config/live/sub.example.com/privkey.pem
plausible-ce-plausible-1            | This certificate expires on 2025-01-22.
plausible-ce-plausible-1            | These files will be updated when the certificate renews.
plausible-ce-plausible-1            | NEXT STEPS:
plausible-ce-plausible-1            | - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
plausible-ce-plausible-1            |
plausible-ce-plausible-1            | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
plausible-ce-plausible-1            | If you like Certbot, please consider supporting our work by:
plausible-ce-plausible-1            |  * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
plausible-ce-plausible-1            |  * Donating to EFF:                    https://eff.org/donate-le
plausible-ce-plausible-1            | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
plausible-ce-plausible-1            |
plausible-ce-plausible-1            | 07:44:59.114 [notice] Certificate successfully obtained! It is valid until 2025-01-22. Next renewal is scheduled for 2024-12-23.

ruslandoga commented 3 weeks ago

👋 @zuk22

It will be renewed automatically.

Next renewal is scheduled for 2024-12-23.

The log lines without timestamp and log level (e.g. 07:44:59.113 [notice]) come from certbot CLI that's called by Plausible on startup and 30 days before the active certificate expires and can be ignored unless there is an error. We might switch to a "native" ACME client in the future, but for now certbot seems to work fine.

zuk22 commented 3 weeks ago

Awesome! Thank you for the quick response! 😊
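
An added example, not part of the thread or of Plausible's own code: a check that the automatic renewal described in the reply above actually happened, based on the `[notice]` line shown in the log. It assumes a successful renewal logs the same notice again; `latest_notice`, `renewal_status` and `grace_days` are hypothetical names.

```python
import re
import sys
from datetime import date, timedelta

# Notice format copied from the log in this thread.
NOTICE = re.compile(
    r"Certificate successfully obtained! It is valid until (\d{4}-\d{2}-\d{2})\. "
    r"Next renewal is scheduled for (\d{4}-\d{2}-\d{2})\."
)

# Constructed sample: two lines in the shape of the log posted above.
SAMPLE_LOG = """\
plausible-ce-plausible-1  | This certificate expires on 2025-01-22.
plausible-ce-plausible-1  | 07:44:59.114 [notice] Certificate successfully obtained! It is valid until 2025-01-22. Next renewal is scheduled for 2024-12-23.
"""


def latest_notice(log_text):
    """Return (valid_until, next_renewal) from the last matching notice, or None."""
    matches = NOTICE.findall(log_text)
    if not matches:
        return None
    valid_until, next_renewal = matches[-1]
    return date.fromisoformat(valid_until), date.fromisoformat(next_renewal)


def renewal_status(log_text, today, grace_days=3):
    """Classify the certificate state as seen from the container log.

    grace_days is an assumed tolerance for a renewal that runs late.
    """
    notice = latest_notice(log_text)
    if notice is None:
        return "no-notice"
    valid_until, next_renewal = notice
    if today > valid_until:
        return "expired"
    # Past the scheduled date and no newer notice was logged:
    # treat the renewal as failed (assumption stated in the lead-in).
    if today > next_renewal + timedelta(days=grace_days):
        return "renewal-overdue"
    return "ok"


if __name__ == "__main__":
    # Read the container log from stdin; fall back to the sample on a terminal.
    log = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    print(renewal_status(log, date.today()))
```

Pipe the container's log output into the script on stdin, for example from a daily scheduled job, and alert on any result other than `ok`.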