Renewing Let’s Encrypt SSL certificate
The other day I received an email from the Let’s Encrypt Expiry Bot stating that my SSL certificate for the domain name lucaslouca.com is about to expire.
In this post I have described in detail how to set up a WordPress blog on an EC2 instance along with a Let’s Encrypt SSL certificate.
Since I don’t want my visitors to encounter any errors when visiting my site, I had to renew my SSL certificate. Here are the commands I used to renew my certificate:
Before running letsencrypt, I temporarily disabled /var/www/html/.htaccess:
# mv /var/www/html/.htaccess /var/www/html/.htaccess_
Run the letsencrypt command:
# /usr/local/letsencrypt/letsencrypt-auto renew --force-renew
with output:
Requesting root privileges to run certbot...
  /home/ec2-user/.local/share/letsencrypt/bin/letsencrypt renew --force-renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/lucaslouca.com.conf
-------------------------------------------------------------------------------
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for lucaslouca.com
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/lucaslouca.com/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/lucaslouca.com/fullchain.pem (success)
Then re-enable /var/www/html/.htaccess:
# mv /var/www/html/.htaccess_ /var/www/html/.htaccess
Finally, go ahead and restart your web server:
# service httpd restart
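Run by hand, the steps above leave .htaccess disabled if the renewal command fails halfway, and restart httpd whether or not a new certificate was actually written. The following wrapper is an added example, not code from the original post: it moves .htaccess aside, runs whatever renewal command you pass (certbot renew, or certbot certonly for a new certificate), restores .htaccess regardless of the outcome, and reports whether fullchain.pem changed so you only restart httpd when there is something new to load. The paths are the ones used in this post; the renewal command itself is an assumption you supply.

```shell
#!/bin/sh
# Added example (not from the original post). Wraps the manual renewal
# procedure so a failed run cannot leave the site without its .htaccess.

# fingerprint <file>: cheap change detector using POSIX cksum; prints an
# empty string when the file does not exist yet (first-time certonly).
fingerprint() {
    [ -f "$1" ] && cksum < "$1" || echo ""
}

# renew_site <htaccess> <fullchain.pem> <renew-command...>
# Exit status: 0 = a new certificate was written (restart httpd),
#              3 = the command succeeded but the certificate is unchanged,
#              2 = setup error, otherwise the renewal command's own status.
renew_site() {
    htaccess="$1"; cert="$2"; shift 2
    [ -f "$htaccess" ] || { echo "missing $htaccess" >&2; return 2; }
    before=$(fingerprint "$cert")
    # Same trick as the post: rename .htaccess so its rewrite rules do not
    # interfere with the http-01 challenge.
    mv "$htaccess" "${htaccess}_" || return 2
    "$@"                     # e.g. certbot renew --force-renew
    status=$?
    # Restore the rewrite rules even when renewal failed.
    mv "${htaccess}_" "$htaccess" || return 2
    [ "$status" -eq 0 ] || return "$status"
    after=$(fingerprint "$cert")
    if [ "$before" != "$after" ]; then
        echo "new certificate in $cert; restart httpd to load it"
        return 0
    fi
    echo "renewal command succeeded but $cert is unchanged" >&2
    return 3
}

# Typical use on the host from this post (run as root):
#   renew_site /var/www/html/.htaccess \
#       /etc/letsencrypt/live/lucaslouca.com/fullchain.pem \
#       certbot renew --force-renew && service httpd restart
```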
UPDATE
In case the above method does not work anymore, please try:
# sudo su -
# mv /var/www/html/.htaccess /var/www/html/.htaccess_
# rm -rf /opt/eff.org/*
# pip install -U certbot
# certbot renew --debug
# mv /var/www/html/.htaccess_ /var/www/html/.htaccess
# service httpd restart
Or use the following command to create new certificates:
# certbot certonly -d fizzbuzzer.com -d www.fizzbuzzer.com -d www.econometrics.io -d econometrics.io
UPDATE 2
If you are hosting multiple websites (WordPress blogs, Node.js applications, Jenkins, etc.) on the same machine under different domains, the easiest way is to keep a temporary ssl.conf that you swap in when running Let’s Encrypt. I call it ssl_for_lets_encrypt_renewal.conf; it is located at /etc/httpd/conf.d/ssl_for_lets_encrypt_renewal.conf and looks like so:
Listen 8443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<virtualhost *:80>
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</virtualhost>

<virtualhost *:443>
    ServerName fizzbuzzer.com
    ServerAlias www.fizzbuzzer.com
    DocumentRoot "/var/www/"
    ErrorLog logs/ssl_fizzbuzzer_error_log
    TransferLog logs/ssl_fizzbuzzer_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv3
    SSLProxyProtocol all -SSLv3
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/letsencrypt/live/fizzbuzzer.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/fizzbuzzer.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/fizzbuzzer.com/chain.pem
</virtualhost>
Then while I am in my home directory (/home/ec2-user) I run the following commands:
$ mv /etc/httpd/conf.d/ssl.conf .
$ mv ssl_for_lets_encrypt_renewal.conf /etc/httpd/conf.d/
$ service httpd restart
$ certbot certonly -d fizzbuzzer.com -d www.fizzbuzzer.com -d www.econometrics.io -d econometrics.io -d sengiapp.com -d www.sengiapp.com
  // Here I choose the webroot option and set the web root to '/var/www' in the next step.
$ mv /etc/httpd/conf.d/ssl_for_lets_encrypt_renewal.conf .
$ mv ssl.conf /etc/httpd/conf.d/
$ service httpd restart