December 9 2016 Friday
Renewing LetsEncrypt SSL certificates automatically with NginX
A while back I blogged that I switched the SSL on this blog to Let's Encrypt, the free certificate authority. I even linked to the crontab post I used to renew the SSL certificate (Let's Encrypt certificates are only good for 90 days, so they need to be renewed regularly).
Except mine would not renew. Hmm... I eventually got around to looking at this before the certificate ran out on Dec 20th, and it turns out I needed a few more steps.
If you manually run renew.sh on the server without these additional steps, this is what you get:
[root@nginx ~]# /root/letsencrypt/scripts/renew.sh
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/darrenduke.net.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for darrenduke.net
tls-sni-01 challenge for blog.darrenduke.com
tls-sni-01 challenge for blog.darrenduke.net
tls-sni-01 challenge for www.darrenduke.net
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/darrenduke.net.conf produced an unexpected error: Cannot find a VirtualHost matching domain darrenduke.net.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/darrenduke.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
The Let's Encrypt cert has not been renewed!
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py", line 776, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py", line 592, in renew
    renewal.renew_all_lineages(config)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/renewal.py", line 365, in renew_all_lineages
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)
Well, that's not good... off I went Googling. The error comes from the NginX plugin, which the renewal config was still using as the authenticator: it answers the tls-sni-01 challenge by finding a server block whose server_name matches each domain, and it could not find one for darrenduke.net. Here's the missing step, at least for NginX servers: reissue the certificate once with the webroot authenticator instead.
./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/usr/share/nginx/html/ -d darrenduke.net -d blog.darrenduke.net -d blog.darrenduke.com -d www.darrenduke.net
A few notes. The --webroot-path must be the directory NginX actually serves as root for these hosts on plain HTTP (port 80): the webroot authenticator answers the http-01 challenge by writing a file under /.well-known/acme-challenge/ there and Let's Encrypt fetches it over HTTP, so any location block or access rule that blocks that path will fail the challenge. Pass every name the certificate covers with its own -d (I have 4 above); a name you leave off is silently dropped from the reissued certificate. Running certonly with -a webroot also rewrites /etc/letsencrypt/renewal/darrenduke.net.conf to record webroot as the authenticator, which is what makes later renew runs stop using the NginX plugin. Finally, --renew-by-default (now called --force-renewal) forces issuance even when the certificate is not yet due; that is what you want for this one-off fix, but do not leave it in the cron job, because Let's Encrypt rate-limits duplicate certificates.
Once you do this you will see a fair number of messages on the screen and eventually get to this:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/darrenduke.net/fullchain.pem. Your cert will
expire on 2017-03-09. To obtain a new or tweaked version of this
certificate in the future, simply run letsencrypt-auto again. To
non-interactively renew *all* of your certificates, run
"letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Now when I manually try to renew the certificate, I don't get any errors:
[root@nginx letsencrypt]# ./letsencrypt-auto renew --nginx
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/darrenduke.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
The following certs are not due for renewal yet:
/etc/letsencrypt/live/darrenduke.net/fullchain.pem (skipped)
No renewals were attempted.
Another thing worth noting: I appended --nginx to the crontab job as well, so the NginX plugin acts as the installer and reloads NginX for me once the certificate is renewed. One caveat: the run above reports "Cert not yet due for renewal", so it never reached the challenge or the reload, and --nginx on the command line also selects the NginX plugin as the authenticator for that run, the same tls-sni-01 path that failed above. If the cron job fails again, drop --nginx and reload NginX with --post-hook instead, so the webroot authenticator stored in the renewal config is the one used, and test the job with an actual renewal attempt (certbot's renew --dry-run) rather than trusting a "not yet due" run.
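The checks I would want before trusting this in cron, as an added example that is not the post's own renew.sh: read the names out of the live certificate so the -d list matches what the certificate covers, decide whether it is due the same way certbot does (30 days), stage a token where the http-01 challenge will look so you can curl it from outside, and emit the reissue and cron command lines with --post-hook instead of --nginx. It assumes openssl is on PATH and the /usr/share/nginx/html webroot from the post; the function names are this script's own, and the certificate it runs against is a throwaway self-signed one built inline with the post's four names, so nothing touches /etc/letsencrypt.

```shell
#!/bin/sh
# Pre-flight checks for a Let's Encrypt webroot renewal on an nginx host.
# Added example, not the post's own renew.sh. Assumptions (not from the post):
# openssl is on PATH; the webroot is /usr/share/nginx/html as in the post;
# the helper names below are this script's own.

# Print the DNS names in a certificate's subjectAltName, one per line.
# These are the names certonly must receive via -d; a name left off is
# silently dropped from the reissued certificate.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Succeed (exit 0) if the certificate expires within $2 days.
# openssl -checkend exits 0 when the cert is still good for that long,
# so the result is inverted. certbot's own renew threshold is 30 days.
needs_renewal() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Build the certonly line from the names actually in the live certificate,
# so the -d list cannot drift from what the certificate covers.
build_certonly_cmd() {
  cmd="./letsencrypt-auto certonly -a webroot --agree-tos --webroot-path=$1"
  for name in $(cert_sans "$2"); do
    cmd="$cmd -d $name"
  done
  printf '%s\n' "$cmd"
}

# The cron line: keep webroot as the authenticator (instead of letting --nginx
# pick the plugin that failed) and reload nginx only after a successful renewal
# via --post-hook. No --renew-by-default here: it forces issuance on every run.
renew_cmd() {
  printf "%s renew --webroot -w %s --post-hook 'nginx -t && nginx -s reload' --quiet\n" "$1" "$2"
}

# Drop a token where the http-01 challenge will look and print the URL the
# ACME server would fetch. curl that URL from outside before running certbot:
# if nginx does not serve it for every name, the webroot path is wrong.
stage_challenge_token() {
  dir="$1/.well-known/acme-challenge"
  mkdir -p "$dir" || return 1
  token="preflight-$(date +%s)-$$"
  printf 'ok\n' > "$dir/$token" || return 1
  printf 'http://%s/.well-known/acme-challenge/%s\n' "$2" "$token"
}

# Constructed sample input: a throwaway self-signed certificate carrying the
# post's four names, valid for $2 days, written into directory $1.
make_demo_cert() {
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = darrenduke.net
[san]
subjectAltName = DNS:darrenduke.net, DNS:blog.darrenduke.net, DNS:blog.darrenduke.com, DNS:www.darrenduke.net
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days "$2" \
    -config "$1/req.cnf" -extensions san \
    -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null
}

demo() {
  tmp=$(mktemp -d) || return 1
  make_demo_cert "$tmp" 10 || return 1
  echo "Names in certificate:"; cert_sans "$tmp/cert.pem"
  if needs_renewal "$tmp/cert.pem" 30; then
    echo "Due for renewal (expires within 30 days); reissue with:"
    build_certonly_cmd /usr/share/nginx/html "$tmp/cert.pem"
  fi
  echo "Cron line:"; renew_cmd /root/letsencrypt/letsencrypt-auto /usr/share/nginx/html
  echo "Probe URL:"; stage_challenge_token "$tmp/html" darrenduke.net
  rm -rf "$tmp"
}

demo
```

Point the functions at /etc/letsencrypt/live/darrenduke.net/cert.pem and the real webroot on the server; the probe URL printed by stage_challenge_token should return "ok" from outside the host for each of the four names before certbot is run at all.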
I guess we'll see if this all works at the end of February.
Darren Duke | December 9 2016 10:06:31 AM | ssl security letsencrypt