Renewing a letsencrypt certificate
Problem
$ bavarde client
> 2020-07-20 19:17:55 ERROR [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1121)
2020-07-20 19:17:56 ERROR [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1121)
2020-07-20 19:17:58 ERROR [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1121)
2020-07-20 19:17:59 ERROR [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1121)
2020-07-20 19:18:00 ERROR [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1121)
^C
Aborted!Your certificate will expire, every 3 months when using the free ones from lets encrypt. The good news is that updating a cert is pretty easy thanks to the certbot tool. I use nginx as a proxy in front of the cobra server that runs at jeanserge.com, so this is where my certificates path are referenced.
Solution
Step 1
Edit your SSL section in nginx config file ... mine is here /etc/nginx/conf.d/default.conf
server {
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/jeanserge.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/jeanserge.com/privkey.pem;
# Comment this block when running certbot renew
# This way cobra will not handle your request, and the ACME protocol can
# run and find the file that will be written
location / {
proxy_pass http://websocket;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
}
# Un-comment this when running certbot renew
# root /var/www/html;Step 2
As a root user:
certbot renewI did not take notes the first time I did this ... I think I did this.
certbot certonly --email my@email.com -d jeanserge.comStep 3
Just restore your previous nginx config file.
Even better Solution
Automate everything I just did:
- With a cron file that runs every 2 months maybe.
- Duplicates the nginx config files, so that we have 2 versions.
- A shell script overrides the current one, go
nginx -s reload, runcertbot renew, copy back the 'good' nginx config file.
Younger myself would have done it, but it's dinner time and current myself might do it in 2 months :)
Wildcard SSL certificate
Instructions are slightly different if you are working with a wildcard cert. Follow this guide.
certbot certonly --manual --email my@email.com -d *.jeanserge.comYou will need to add a TXT record through your DNS provider (I use godaddy because I'm a dad). You'll have to wait a bit, and you can use dig to check that the TXT record is available. If the AUTHORITY SECTION is not empty it means you're good to go (and press enter at the certbot prompt.
bsergean.github.io$ dig _acme-challenge.jeanserge.com
; <<>> DiG 9.10.6 <<>> _acme-challenge.jeanserge.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60458
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_acme-challenge.jeanserge.com. IN A
;; AUTHORITY SECTION:
jeanserge.com. 900 IN SOA ns55.domaincontrol.com. dns.jomax.net. 2020081404 28800 7200 604800 3600
;; Query time: 30 msec
;; SERVER: 192.168.169.200#53(192.168.169.200)
;; WHEN: Fri Aug 14 14:44:20 PDT 2020
;; MSG SIZE rcvd: 126Now we can press enter at the certbot prompt.
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/jeanserge.com-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/jeanserge.com-0001/privkey.pem
Your cert will expire on 2020-11-12. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by: ...Renewing the wildcard cert seems to work differently, the previous instructions did not work 3 months later ... to renew my cert I had to stop nginx, and then:
certbot certonly -d jeanserge.com