A while back I blogged that I switched the SSL on this blog to Let's Encrypt, the free SSL provider. I even linked to the Crontab post I used to renew the SSL certificate (they are only good for 90 days, so they need to be renewed regularly).

Except mine would not renew. Hum.... I eventually got around to looking at this before the certificate ran out on Dec 20th and it turns out I needed to do a few more steps.

If you manually run the renew.sh on the server without these additional steps, this is what you get:

[root@nginx ~]# /root/letsencrypt/scripts/renew.sh
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/darrenduke.net.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for darrenduke.net
tls-sni-01 challenge for blog.darrenduke.com
tls-sni-01 challenge for blog.darrenduke.net
tls-sni-01 challenge for www.darrenduke.net
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/darrenduke.net.conf produced an unexpected error: Cannot find a VirtualHost matching domain darrenduke.net.. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/darrenduke.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
The Let's Encrypt cert has not been renewed!

  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py", line 776, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py", line 592, in renew
    renewal.renew_all_lineages(config)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/renewal.py", line 365, in renew_all_lineages
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)


Well that's not good....off I went a Googling. Here's the missing step.....at least for NginX servers.

./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/usr/share/nginx/html/ -d darrenduke.net -d blog.darrenduke.net -d blog.darrenduke.com -d www.darrenduke.net


A few notes: check that the webroot-path matches the root listed in the NginX config, and add each domain that is part of the SSL certificate with the -d option (I have 4 above).

Once you do this you will see a fair amount of messages on the screen and eventually get to this:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/darrenduke.net/fullchain.pem. Your cert will
expire on 2017-03-09. To obtain a new or tweaked version of this
certificate in the future, simply run letsencrypt-auto again. To
non-interactively renew *all* of your certificates, run
"letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le


Now when I manually try to renew the certificate I don't get any errors:

[root@nginx letsencrypt]# ./letsencrypt-auto renew --nginx
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/darrenduke.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/darrenduke.net/fullchain.pem (skipped)
No renewals were attempted.



Another thing worth noting is that I appended --nginx to the crontab job as well. That takes care of restarting NginX for me once the certificate is renewed.
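As an added example (not code from this post, nor from certbot or Let's Encrypt), here is a cron wrapper in POSIX sh that covers the two checks above: it confirms the webroot handed to --webroot-path really is a "root" directive in the NginX config, then runs "letsencrypt-auto renew --nginx" and classifies the outcome from certbot's own summary lines, so a renewal that fails the way the first transcript shows exits non-zero (and cron mails the output) instead of failing quietly until the certificate expires. The letsencrypt-auto, nginx.conf and log paths, the "run" argument, and the "all renewals succeeded" / "have been renewed" wording for the success case are assumptions; the failure and "not yet due" wording is taken from the transcripts above.

```shell
#!/bin/sh
# Added example, not code from the original post or from certbot/Let's Encrypt.
# Paths and the success-message wording are assumptions for this example.
LE_AUTO=${LE_AUTO:-/root/letsencrypt/letsencrypt-auto}
WEBROOT=${WEBROOT:-/usr/share/nginx/html/}
NGINX_CONF=${NGINX_CONF:-/etc/nginx/nginx.conf}   # file holding the server's root directive
LOG=${LOG:-/var/log/letsencrypt/renew-cron.log}

# webroot_matches_nginx WEBROOT: read an nginx config on stdin and succeed only
# if one of its "root" directives names WEBROOT (trailing slashes ignored).
webroot_matches_nginx() {
    want=$(printf '%s' "$1" | sed 's#/*$##')
    sed -n 's/^[[:space:]]*root[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' \
        | sed 's#/*$##' \
        | grep -Fxq "$want"
}

# classify_renewal: read "letsencrypt-auto renew" output on stdin and print
#   failed  - certbot reported N>0 renew/parse failures, or the output is unrecognised
#   renewed - at least one certificate was issued
#   skipped - nothing was due yet (the normal result most days of the 90-day window)
classify_renewal() {
    certbot_out=$(cat)
    if printf '%s\n' "$certbot_out" | grep -Eq '(^|[^0-9])[1-9][0-9]* (renew|parse) failure\(s\)'; then
        echo failed
    elif printf '%s\n' "$certbot_out" | grep -Eq 'all renewals succeeded|have been renewed|Congratulations'; then
        echo renewed
    elif printf '%s\n' "$certbot_out" | grep -Eq 'not yet due for renewal|No renewals were attempted'; then
        echo skipped
    else
        echo failed
    fi
}

run_renewal() {
    # Pre-flight: the webroot the ACME challenge files are written to must be
    # the directory nginx actually serves, or tls-sni/http challenges fail.
    if ! webroot_matches_nginx "$WEBROOT" < "$NGINX_CONF"; then
        echo "webroot $WEBROOT is not a root directive in $NGINX_CONF" >&2
        return 1
    fi
    certbot_out=$("$LE_AUTO" renew --nginx 2>&1) || true
    status=$(printf '%s\n' "$certbot_out" | classify_renewal)
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$status" >> "$LOG"
    case "$status" in
        renewed)
            # --nginx already reloads nginx; re-check the config so a broken
            # reload shows up in the cron mail rather than to visitors
            nginx -t ;;
        failed)
            printf '%s\n' "$certbot_out" >&2
            return 1 ;;
    esac
}

# Suggested crontab line (assumed path):  17 3 * * * /root/renew-wrapper.sh run
if [ "${1:-}" = run ]; then
    run_renewal
fi
```

The wrapper only does real work when invoked with "run", so it can be sourced to exercise the two helper functions on captured certbot output. Logging one word per run to a file gives a simple thing to alert on: if the log has not said "renewed" within the 90-day window, something is wrong before the certificate lapses.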

I guess we'll see if this all works at the end of February.
Darren Duke   |   December 9 2016 11:06:31 AM   |   ssl  security