Renewing LetsEncrypt SSL certificates automatically with NginX
Darren Duke    

A while back I blogged that I switched the SSL on this blog to Let's Encrypt, the free SSL provider. I even linked to the Crontab post I used to renew the SSL certificate (they are only good for 90 days, so they need to be renewed regularly).

Except mine would not renew. Hum.... I eventually got around to looking at this before the certificate ran out on Dec 20th, and it turns out I needed to do a few more steps.

If you manually run the renew.sh on the server without these additional steps, this is what you get:

[root@nginx ~]# /root/letsencrypt/scripts/renew.sh
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/darrenduke.net.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for darrenduke.net
tls-sni-01 challenge for blog.darrenduke.com
tls-sni-01 challenge for blog.darrenduke.net
tls-sni-01 challenge for www.darrenduke.net
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/darrenduke.net.conf produced an unexpected error: Cannot find a VirtualHost matching domain darrenduke.net.. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/darrenduke.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
The Let's Encrypt cert has not been renewed!

File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in
    sys.exit(main())
File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py", line 776, in main
    return config.func(config, plugins)
File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py", line 592, in renew
    renewal.renew_all_lineages(config)
File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/renewal.py", line 365, in renew_all_lineages
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)


Well, that's not good....off I went a-Googling. Here's the missing step.....at least for NginX servers.

./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/usr/share/nginx/html/ -d darrenduke.net -d blog.darrenduke.net -d blog.darrenduke.com -d www.darrenduke.net


A few notes: check that the webroot-path matches the root directive in the NginX config, and add each domain that is part of the SSL certificate with its own -d option (I have 4 above).

Once you do this you will see a fair number of messages on the screen and eventually get to this:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/darrenduke.net/fullchain.pem. Your cert will
expire on 2017-03-09. To obtain a new or tweaked version of this
certificate in the future, simply run letsencrypt-auto again. To
non-interactively renew *all* of your certificates, run
"letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le


Now when I manually try to renew the certificate I don't get any errors:

[root@nginx letsencrypt]# ./letsencrypt-auto renew --nginx
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/darrenduke.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/darrenduke.net/fullchain.pem (skipped)
No renewals were attempted.



Another thing worth noting is that I appended --nginx to the crontab job as well. That takes care of restarting NginX for me once the certificate is renewed.
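One way to script the cron job described above (an added example, not Darren's own renew.sh): a POSIX sh wrapper that runs the webroot renewal non-interactively, classifies certbot's output using the messages quoted in the transcripts above, reloads NginX only when a certificate was actually renewed, and exits non-zero on failure so cron mails the output. The LE_BIN and WEBROOT paths are assumptions taken from the post; adjust them for your host.

```shell
#!/bin/sh
# Added example, not the blog's own renew.sh. A cron wrapper for the webroot
# renewal described above. Assumed paths (from the post): letsencrypt-auto in
# /root/letsencrypt and the NginX root at /usr/share/nginx/html.
LE_BIN=${LE_BIN:-/root/letsencrypt/letsencrypt-auto}
WEBROOT=${WEBROOT:-/usr/share/nginx/html}
LOG=${LOG:-/var/log/letsencrypt/renew-cron.log}

# classify_renewal OUTPUT: print "failed", "skipped" or "renewed" based on
# what certbot printed. The failing run above still printed
# "Cert is due for renewal, auto-renewing...", so failure is tested first, and
# anything unrecognised is treated as a failure rather than a success.
classify_renewal() {
    if printf '%s\n' "$1" | grep -Eq '[1-9][0-9]* (renew|parse) failure'; then
        echo failed
    elif printf '%s\n' "$1" | grep -Eq 'No renewals were attempted|not due for renewal'; then
        echo skipped
    elif printf '%s\n' "$1" | grep -Eq 'Congratulations'; then
        echo renewed
    else
        echo failed
    fi
}

# run_renewal: run certbot non-interactively, log the outcome, reload NginX
# only when a new certificate was written (a reload, not a restart, is
# enough for NginX to pick up the new fullchain.pem), and return non-zero
# on failure so cron mails the captured output.
run_renewal() {
    out=$("$LE_BIN" renew --webroot --webroot-path "$WEBROOT" 2>&1)
    status=$(classify_renewal "$out")
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$status" >> "$LOG"
    case $status in
        renewed) nginx -s reload ;;
        failed)  printf '%s\n' "$out" >&2; return 1 ;;
    esac
}

# Only touch certbot and nginx when invoked as "renew.sh run", e.g. from cron:
# 17 3 * * * /root/letsencrypt/scripts/renew.sh run
case ${1:-} in
    run) run_renewal ;;
esac
```

The tls-sni-01 challenge that failed in the first transcript has since been retired by Let's Encrypt, so the webroot (http-01) path is the one worth keeping; newer certbot releases also offer --deploy-hook for the reload step.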

I guess we'll see if this all works at the end of February.

---------------------
https://blog.darrenduke.net/Darren/DDBZ.nsf/dx/renewing-letsencrypt-ssl-certificates-automatically-with-nginx.htm
Dec 09, 2016