Automation of Lets Encrypt certificate updates

Last modified on 3 Oct, 2023. Revision 18
Up to date for
cOS Core 14.00.10
Status OK
Johan Forsberg


Lets Encrypt certificates can be used in cOS Core for example to OneConnect, IKEv2 and HTTPS Management. The certificates are however only valid for only 90 days and needs to be renewed several times per year, which might be a hassle if done manually. Can the update procedure be automated?


A third-party reverse proxy, such as Nginx, is set up and configured. On that host, Certbot is configured to handle certificates for one or several domains. One of these certificates is configured with a domain name used by cOS Core. The IP of the firewall is and the administrator user is named “admin”.


The certificate file named fullchain.pem created by certbot contains the full chain with three (3) certificates.

Create three certificate objects under Objects / Key Ring, in this example they will be called MyCert, MyCert_C1 and MyCert_C2.

The first time fullchain.pem needs to be edited (in a text editor), the three certificates split to three files and uploaded to the three separate Key Ring certificate objects (MyCert, MyCert_C1 MyCert_C2). For the domain certificate MyCert the private key from the file privkey.pem also must be uploaded.

The domain certificate, in this example named MyCert, should then be selected as Certificate in cOS Core (under for example HTTPS Remote Management or IPsec Interfaces) and the other two, in this example called MyCert_C1 and MyCert_C2, as Root Certificates.

Solution Using SCP and SSH

From the host that handles the renewal of Lets Encrypt certificates, issue the following commands or include them in a script that is run periodically.

scp fullchain.pem admin@
scp privkey.pem admin@

This will upload the certificate file and the private key under the node named MyCert (which must already exist). After the ssh commands the configuration will be changed, but will not be activated and committed.

Note! The exact path of the certificate needs to be specified on the Linux host. Its usually in the format /etc/letsencrypt/live/<your_domain>/fullchain.pem

To also activate the configuration, use ssh:

ssh admin@ commit
sleep 5
ssh admin@ activate

Note! From a security perspective, its recommended to not run the script on the host that runs nginx/certbot but rather from a secure zone.

Warning! Automatically activating configurations can be dangerous since all other uncommitted changes also will be committed. One solution to the problem can for example be to only run the script at nights or weekends, and to make sure that uncommitted changes never are left over nights or weekends.

Solution Using cOS Core Built-in Lets Encrypt Handling

This feature is at the time of writing not released, but will be available under the second half of 2023.

Nginx and Certbot

Nginx: Nginx is a widely-used web server and reverse proxy server. It serves as an intermediary between clients and web servers, managing web traffic.

Certbot: Certbot is an open-source software tool designed to automate the setup and management of SSL/TLS certificates for web servers. It simplifies the process of obtaining and renewing certificates.

Related articles

Roaming IKEv2 tunnel setup in cOS Core with XCA CA and FreeRADIUS
10 Mar, 2023 core vpn ikev2 windows radius certificate
Configuring public certificates in NetWall firewalls
23 Aug, 2022 core certificate oneconnect ipsec vpn
cOS Core L2TP server setup with Windows Server CA certificates
21 Feb, 2023 ipsec certificate windows ca core
Clavister OneConnect server using cOS Core as CA Server
11 May, 2023 oneconnect certificate howto
Roaming Windows IKEv2 setup with NetWall as CA server
2 Dec, 2022 netwall ikev2 windows certificate vpn core