A while back I blogged that I switched the SSL on this blog to Let's Encrypt, the free SSL provider. I even linked to the crontab post I used to renew the SSL certificate (the certificates are only valid for 90 days, so they need to be renewed regularly).

Except mine would not renew. Hmm. I eventually got around to looking at this before the certificate ran out on December 20th, and it turns out I needed to do a few more steps.


If you manually run renew.sh on the server without these additional steps, this is what you get:


[root@nginx ~]# /root/letsencrypt/scripts/renew.sh
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/darrenduke.net.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for darrenduke.net
tls-sni-01 challenge for blog.darrenduke.com
tls-sni-01 challenge for blog.darrenduke.net
tls-sni-01 challenge for www.darrenduke.net
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/darrenduke.net.conf produced an unexpected error: Cannot find a VirtualHost matching domain darrenduke.net.. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/darrenduke.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
The Let's Encrypt cert has not been renewed!

  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py", line 776, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py", line 592, in renew
    renewal.renew_all_lineages(config)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/renewal.py", line 365, in renew_all_lineages
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)



Well, that's not good. Off I went a-Googling. Here's the missing step, at least for nginx servers:


./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/usr/share/nginx/html/ -d darrenduke.net -d blog.darrenduke.net -d blog.darrenduke.com -d www.darrenduke.net


A few notes: check that the webroot-path is the same directory listed as the root in the nginx config, and add each domain that is part of the SSL certificate with its own -d option (I have four above). Re-issuing with -a webroot also updates the renewal config under /etc/letsencrypt/renewal/ to use the webroot authenticator, which is why later renew runs no longer go looking for a matching virtual host.

Once you do this you will see a fair number of messages on the screen and eventually get to this:


IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/darrenduke.net/fullchain.pem. Your cert will
   expire on 2017-03-09. To obtain a new or tweaked version of this
   certificate in the future, simply run letsencrypt-auto again. To
   non-interactively renew *all* of your certificates, run
   "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


Now when I manually try to renew the certificate I don't get any errors:


[root@nginx letsencrypt]# ./letsencrypt-auto renew --nginx
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/darrenduke.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/darrenduke.net/fullchain.pem (skipped)
No renewals were attempted.




Another thing worth noting is that I appended --nginx to the crontab job as well. That takes care of restarting nginx for me once the certificate is renewed.
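
The two things that bit me above are the webroot-path not matching what nginx actually serves and forgetting a hostname on the -d list. The following POSIX sh script is an added example of mine, not code from the post or from the Let's Encrypt client: it reads the root of the server block that serves each hostname straight out of the nginx config, checks that it matches the webroot handed to the client, makes sure the .well-known/acme-challenge directory under that webroot can be written (that is where the webroot authenticator drops the http-01 token), and builds the certonly argument list with one -d per hostname. The nginx config, the hostnames and the paths are constructed sample values; sample_nginx_conf, nginx_root_for, certonly_args, acme_dir_ready and preflight are my own names.

```shell
#!/bin/sh
# Added example, not from the original post: preflight checks for a
# webroot-based Let's Encrypt renewal on nginx. Everything below is
# constructed sample data; no certificate is requested or written.

# Constructed nginx config standing in for /etc/nginx/conf.d/*.conf.
# The optional first argument overrides the root of the blog's server block.
sample_nginx_conf() {
  cat <<EOF
http {
    server {
        listen 80;
        server_name darrenduke.net www.darrenduke.net blog.darrenduke.net blog.darrenduke.com;
        root ${1:-/usr/share/nginx/html};
        location /admin/ { root /srv/other; }
    }
    server {
        listen 80;
        server_name static.example.invalid;
        root /srv/static;
    }
}
EOF
}

# Print the server-level root of the server block whose server_name lists
# the hostname given as $1; the config is read from stdin. Brace depth is
# tracked so a root inside a nested location block is not mistaken for the
# server root. Prints nothing if no server block lists the hostname.
nginx_root_for() {
  awk -v host="$1" '
    /^[[:space:]]*server[[:space:]]*\{/ { inserver=1; sdepth=depth; matched=0; root="" }
    inserver && $1=="server_name" {
      for (i=2; i<=NF; i++) { h=$i; sub(/;$/, "", h); if (h==host) matched=1 }
    }
    inserver && depth==sdepth+1 && $1=="root" { root=$2; sub(/;$/, "", root) }
    { depth += gsub(/\{/, "{"); depth -= gsub(/\}/, "}") }
    inserver && depth==sdepth && /\}/ {
      if (matched && root!="") { print root; exit }
      inserver=0
    }
  '
}

# Build the certonly argument list used in the post: webroot first, then one
# -d per hostname so every name ends up on the same certificate.
certonly_args() {
  webroot="$1"; shift
  args="certonly -a webroot --agree-tos --renew-by-default --webroot-path=$webroot"
  for d in "$@"; do args="$args -d $d"; done
  printf '%s\n' "$args"
}

# The webroot authenticator answers the http-01 challenge by writing a token
# under <webroot>/.well-known/acme-challenge/, so that directory has to be
# creatable and writable by the user the renewal runs as.
acme_dir_ready() {
  d="$1/.well-known/acme-challenge"
  mkdir -p "$d" 2>/dev/null && [ -w "$d" ]
}

# preflight CONF WEBROOT HOST...: fail if nginx serves any HOST from a
# different root than WEBROOT, or if the challenge directory is unusable.
preflight() {
  conf="$1"; webroot="$2"; shift 2
  for host in "$@"; do
    served=$(nginx_root_for "$host" < "$conf")
    [ "${served%/}" = "${webroot%/}" ] || {
      echo "webroot mismatch for $host: nginx serves '$served', client given '$webroot'" >&2
      return 1
    }
  done
  acme_dir_ready "$webroot" || { echo "cannot write challenge dir under $webroot" >&2; return 1; }
}

# Stand-alone demo: show which root nginx serves each hostname from and the
# certonly line that would be run.
for h in darrenduke.net www.darrenduke.net static.example.invalid; do
  printf '%s -> %s\n' "$h" "$(sample_nginx_conf | nginx_root_for "$h")"
done
certonly_args /usr/share/nginx/html/ darrenduke.net blog.darrenduke.net blog.darrenduke.com www.darrenduke.net
```

Run preflight against the real config and webroot from the crontab job before calling renew, and the job stops with a message instead of producing the "Cannot find a VirtualHost" failure above. One thing to keep in mind when adding --nginx to that job: --nginx selects the nginx plugin for both authentication and installation, and command-line options override what is stored in the renewal config. If the goal is only to have nginx reloaded after a renewal while keeping the webroot authenticator that certonly recorded, -i nginx (installer only) does that.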

I guess we'll see if this all works at the end of February.
Darren Duke   |   December 9 2016 10:06:31 AM   |   ssl  security  letsencrypt
