Let's Encrypt certificates are valid for only 90 days, so automatic renewal is desirable. The following script checks for a remaining validity of at least 30 days and also checks that all given domains are included in the certificate:



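#!/bin/bash
# Usage: check_letsencrypt_cert.sh <domain> [<domain> ...]
# The first domain names the directory under /etc/letsencrypt/live.
# Every given domain must appear as a DNS entry in the certificate
for DOMAIN in "$@"
do
 openssl x509 -in "/etc/letsencrypt/live/$1/cert.pem" -noout -text | grep "DNS:${DOMAIN}" > /dev/null || exit 1
done
# Expiry date of the certificate in seconds since the epoch
CERT=$(date -d "$(openssl x509 -in "/etc/letsencrypt/live/$1/cert.pem" -enddate -noout | cut -d'=' -f2)" "+%s")
CURRENT=$(date "+%s")
REMAINING=$(( (CERT - CURRENT) / 60 / 60 / 24 ))
[ "$REMAINING" -gt "30" ] || exit 1
echo "Domains $* are in cert and cert is valid for $REMAINING days"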

It only requires bash and openssl and can be used in a daily cronjob / crontab entry as follows:

6 20 * * * /usr/local/bin/check_letsencrypt_cert.sh domain.de www.domain.de > /dev/null || /opt/letsencrypt/letsencrypt-auto -d domain.de -d www.domain.de certonly
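
The `grep DNS:${DOMAIN}` test in the script is a substring regex match, so `domain.de` is also satisfied by a certificate entry such as `DNS:domain.de.example.net`, and a missing domain can go unnoticed. The following added example (not part of the original script; function names and sample data are constructed) compares each SAN entry exactly and uses `openssl x509 -checkend` in place of the date arithmetic:

```bash
#!/bin/bash
# Added example (not the original script): exact-match SAN check.
# Function names and SAMPLE_SAN are constructed for illustration.

# Constructed excerpt of `openssl x509 -noout -text` output.
SAMPLE_SAN='            X509v3 Subject Alternative Name:
                DNS:domain.de.example.net, DNS:www.domain.de'

# san_has_domain DOMAIN
# Reads `openssl x509 -noout -text` output on stdin; succeeds only if DOMAIN
# equals one DNS: entry exactly (case-insensitive, no regex, no substrings).
san_has_domain() {
    grep 'DNS:' | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p' \
        | grep -qixF -- "$1"
}

# check_cert CERT_FILE DOMAIN...
# Returns non-zero ("renew") if a domain is missing or the certificate
# expires within 30 days (2592000 seconds).
check_cert() {
    local cert="$1" text domain
    shift
    text=$(openssl x509 -in "$cert" -noout -text) || return 1
    for domain in "$@"; do
        printf '%s\n' "$text" | san_has_domain "$domain" || return 1
    done
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null
}

# Same calling convention as the script above: the first argument names the
# directory under /etc/letsencrypt/live, all arguments must be in the cert.
if [ "$#" -gt 0 ]; then
    check_cert "/etc/letsencrypt/live/$1/cert.pem" "$@"
fi
```

It takes the same arguments and returns the same kind of exit status as the script above, so it fits the same crontab entry.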

A complete solution for setting up letsencrypt via salt can be found in my letsencrypt-formula.