
Renewing Let’s Encrypt SSL certificate


The other day I received an email from the Let’s Encrypt Expiry Bot stating that my SSL certificate for the domain lucaslouca.com was about to expire.

In an earlier post I described in detail how to set up a WordPress blog on an EC2 instance together with a Let’s Encrypt SSL certificate.

Since I don’t want my visitors to encounter certificate errors when visiting my site, I had to renew my SSL certificate. Here are the commands I used to renew it.

Before running letsencrypt, I temporarily disabled /var/www/html/.htaccess:

# mv /var/www/html/.htaccess /var/www/html/.htaccess_

Run the letsencrypt command:

# /usr/local/letsencrypt/letsencrypt-auto renew --force-renew

with output:

Requesting root privileges to run certbot...
  /home/ec2-user/.local/share/letsencrypt/bin/letsencrypt renew --force-renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/lucaslouca.com.conf
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for lucaslouca.com
Waiting for verification...
Cleaning up challenges

new certificate deployed without reload, fullchain is

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/lucaslouca.com/fullchain.pem (success)

Then I enabled /var/www/html/.htaccess again:

# mv /var/www/html/.htaccess_ /var/www/html/.htaccess

Finally, go ahead and restart your web server:

# service httpd restart

In case the above method does not work anymore, please try:

# sudo su -
# mv /var/www/html/.htaccess /var/www/html/.htaccess_
# rm -rf /opt/eff.org/*
# pip install -U certbot
# certbot renew --debug
# mv /var/www/html/.htaccess_ /var/www/html/.htaccess
# service httpd restart

Or use the following command to issue new certificates:

# certbot certonly -d fizzbuzzer.com -d www.fizzbuzzer.com -d www.econometrics.io -d econometrics.io

If you are hosting multiple websites (WordPress blogs, Node.js applications, Jenkins, etc.) on the same machine under different domains, the easiest way is to have a temporary ssl.conf that you use only while running Let’s Encrypt. I call it ssl_for_lets_encrypt_renewal.conf; it is located at /etc/httpd/conf.d/ssl_for_lets_encrypt_renewal.conf and looks like this:

Listen 8443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost *:80>
  # Redirect all plain HTTP requests to HTTPS; the http-01 challenge follows the redirect.
  RewriteEngine On
  RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
  ServerName fizzbuzzer.com
  ServerAlias www.fizzbuzzer.com

  # Web root that certbot writes the challenge files into (webroot option below)
  DocumentRoot "/var/www/"
  ErrorLog logs/ssl_fizzbuzzer_error_log
  TransferLog logs/ssl_fizzbuzzer_access_log
  LogLevel warn

  SSLEngine on
  SSLProtocol all -SSLv3
  SSLProxyProtocol all -SSLv3
  SSLHonorCipherOrder on
  SSLCertificateFile /etc/letsencrypt/live/fizzbuzzer.com/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/fizzbuzzer.com/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/fizzbuzzer.com/chain.pem
</VirtualHost>

Then, from my home directory (/home/ec2-user), I run the following commands:

$ mv /etc/httpd/conf.d/ssl.conf .
$ mv ssl_for_lets_encrypt_renewal.conf /etc/httpd/conf.d/
$ service httpd restart
$ certbot certonly -d fizzbuzzer.com -d www.fizzbuzzer.com -d www.econometrics.io -d econometrics.io -d sengiapp.com -d www.sengiapp.com

Here I choose the webroot option and set the web root to '/var/www' in the next step.

$ mv /etc/httpd/conf.d/ssl_for_lets_encrypt_renewal.conf .
$ mv ssl.conf /etc/httpd/conf.d/
$ service httpd restart
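The swap-and-renew procedure above, as an added shell script that is not part of the original post: it puts .htaccess and the production ssl.conf back on every exit path, so a failed or interrupted certbot run does not leave the site without its rewrite rules and real TLS vhost. The paths, the RUN_RENEWAL guard and the ssl.conf.disabled rename (used here instead of moving the file to the home directory) are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the manual steps above
# so that .htaccess and ssl.conf are restored even when certbot fails half way.
# All paths and commands below are assumptions; override them via environment.
HTTPD_CONF_DIR="${HTTPD_CONF_DIR:-/etc/httpd/conf.d}"
HTACCESS="${HTACCESS:-/var/www/html/.htaccess}"
RENEWAL_CONF="${RENEWAL_CONF:-$HOME/ssl_for_lets_encrypt_renewal.conf}"
CERTBOT="${CERTBOT:-certbot}"
RESTART_CMD="${RESTART_CMD:-service httpd restart}"

# Undo the temporary state. Safe to call more than once: each step checks
# whether its file is present before acting.
restore_site() {
  [ -f "${HTACCESS}_" ] && mv "${HTACCESS}_" "$HTACCESS"
  if [ -f "$HTTPD_CONF_DIR/ssl.conf.disabled" ]; then
    # Apache only loads *.conf from conf.d, so the .disabled copy was inert.
    rm -f "$HTTPD_CONF_DIR/ssl_for_lets_encrypt_renewal.conf"
    mv "$HTTPD_CONF_DIR/ssl.conf.disabled" "$HTTPD_CONF_DIR/ssl.conf"
  fi
  $RESTART_CMD
}

# Usage: renew_certs -d example.com -d www.example.com
# Returns certbot's exit status; the site is restored on every path.
renew_certs() {
  trap 'restore_site; exit 130' INT TERM   # Ctrl-C must not leave the swap in place
  mv "$HTACCESS" "${HTACCESS}_" || return 1
  mv "$HTTPD_CONF_DIR/ssl.conf" "$HTTPD_CONF_DIR/ssl.conf.disabled" || { restore_site; return 1; }
  cp "$RENEWAL_CONF" "$HTTPD_CONF_DIR/ssl_for_lets_encrypt_renewal.conf" || { restore_site; return 1; }
  $RESTART_CMD || { restore_site; return 1; }
  # Webroot is /var/www, matching the DocumentRoot of the temporary vhost above.
  "$CERTBOT" certonly --webroot -w /var/www "$@"
  rc=$?
  restore_site
  trap - INT TERM
  return $rc
}

# Only run when explicitly asked, e.g.:
#   RUN_RENEWAL=1 sh renew.sh -d fizzbuzzer.com -d www.fizzbuzzer.com
if [ -n "$RUN_RENEWAL" ]; then
  renew_certs "$@"
fi
```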