Renewing Let’s Encrypt SSL certificate
The other day I have received an email from the Let’s Encrypt Expiry Bot stating that my SSL certificate for the domain name lucaslouca.com is about to expire.
In this post I have extensively described how to setup a WordPress blog on an EC2 instance along with a Let’s Encrypt SSL certificate.
Since I don’t want my visitors to encounter any errors when visiting my site I had to renew my SSL certificate. Here are the commands I used to renew my certificate:
Before I run letsencrypt, I temporarily disabled /var/www/html/.htaccess:
# mv /var/www/html/.htaccess /var/www/html/.htaccess_
Run the letsencrypt command:
# /usr/local/letsencrypt/letsencrypt-auto renew --force-renew
with output:
Requesting root privileges to run certbot... /home/ec2-user/.local/share/letsencrypt/bin/letsencrypt renew --force-renew Saving debug log to /var/log/letsencrypt/letsencrypt.log ------------------------------------------------------------------------------- Processing /etc/letsencrypt/renewal/lucaslouca.com.conf ------------------------------------------------------------------------------- Renewing an existing certificate Performing the following challenges: http-01 challenge for lucaslouca.com Waiting for verification... Cleaning up challenges ------------------------------------------------------------------------------- new certificate deployed without reload, fullchain is /etc/letsencrypt/live/lucaslouca.com/fullchain.pem ------------------------------------------------------------------------------- Congratulations, all renewals succeeded. The following certs have been renewed: /etc/letsencrypt/live/lucaslouca.com/fullchain.pem (success)
Enabled /var/www/html/.htaccess again:
# mv /var/www/html/.htaccess_ /var/www/html/.htaccess
Finally, go ahead and restart your web server:
# service httpd restart
UPDATE
In case the above method does not work anymore, please try:
# sudo su - # mv /var/www/html/.htaccess /var/www/html/.htaccess_ # rm -rf /opt/eff.org/* # pip install -U certbot # certbot renew --debug # mv /var/www/html/.htaccess_ /var/www/html/.htaccess # service httpd restart
Or use the following commands to create new ones
# certbot certonly -d fizzbuzzer.com -d www.fizzbuzzer.com -d fullbeef.com -d www.fullbeef.com -d www.econometrics.io -d econometrics.io
UPDATE 2
If you are hosting multiple websites (WordPress logs, Node.js applications, Jenkins, etc) on the same machine under different domains the easiest way is to have a temporary ssl.conf that you can use when running lets encrypt. I call it ssl_for_lets_encrypt_renewal.conf, it located at /etc/httpd/conf.d/ssl_for_lets_encrypt_renewal.conf and looks like so:
Listen 8443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<virtualhost *:80>
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</virtualhost>
<virtualhost *:443>
ServerName fizzbuzzer.com
ServerAlias www.fizzbuzzer.com
DocumentRoot "/var/www/"
ErrorLog logs/ssl_fizzbuzzer_error_log
TransferLog logs/ssl_fizzbuzzer_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLHonorCipherOrder on
SSLCertificateFile /etc/letsencrypt/live/vouselle.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/vouselle.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/vouselle.com/chain.pem
</virtualhost>
Then while I am in my home directory (/home/ec2-user) I run the following commands:
$ mv /etc/httpd/conf.d/ssl.conf . $ mv ssl_for_lets_encrypt_renewal.conf /etc/httpd/conf.d/ $ service httpd restart $ certbot certonly -d fizzbuzzer.com -d www.fizzbuzzer.com -d fullbeef.com -d www.fullbeef.com -d www.econometrics.io -d econometrics.io -d sengiapp.com -d www.sengiapp.com -d grattonnorthmont.com -d www.grattonnorthmont.com -d vouselle.com -d www.vouselle.com // Here I choose the webroot option and set the web root to '/var/www' in the next step. $ mv /etc/httpd/conf.d/ssl_for_lets_encrypt_renewal.conf . $ mv ssl.conf /etc/httpd/conf.d/ $ service httpd restart