Created certificates using --work-dir flag. So all of my certs are stored in a directory that is not the default letsencrypt directory. When I run certbot renew, I get the following:
No renewals were attempted.
I can't find documentation anywhere that explains how I would indicate where the certs are that need renew. Anyone have any idea on this?
I believe I solved my own issue. So, for anyone that runs into this here is my scenario.
On initial creation I used certonly and --config-dir, work-dir, logs-dir and the -w flag.
Once I included all of those flags to the renew command and the appropriate directories the command worked as expected.
I'm not sure if all of those flags are necessary but including them made it work for me.
Related
I have already successfully installed certbot and have a working digital certificate. I was wondering how do I go about adding domain names to the certificate or do I need to recreate the certificate again?
I don't want to mess up the existing certificate. I haven't tried running this code yet I want to verify the process before I continue. I tried searching this and Google and my results were kind of confusing.
sudo certbot –apache -d mydomain.xyz -d mydomain2.xyz -d www.mydomain.xyz
SSL certificates cannot be modified once issued. They can be replaced with new certificates.
If you run the identical or modified certbot command, your existing certificate will not be modified or deleted. The certbot command will create a new certificate and store the certificate under a different name. Certbot stores certificates and additional files under the directory tree /etc/letsencrypt. You can archive/backup those files. Look at the archive and live folders.
Typically, your webserver will use symbolic links to point to the Let's Encrypt folder instead of copying the certificate to an Apache/Nginx folder.
My website keeps getting "NET::ERR_CERT_DATE_INVALID" error.
I have renewed the certificate using:
sudo certbot certonly --webroot -w /var/www/html -d startuplab.io
and have restarted nginx.
It used to work fine before, my other websites work fine as well.
How do I figure out what went wrong?
Edit:
This tool shows me that certificate expired 21 days ago.
Letsencrypt tells me:
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/startuplab.io-0001/fullchain.pem. Your cert
will expire on 2019-05-22. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew all of your certificates, run "certbot
renew"
Edit 2:
Aha! My ssl-startuplab.io.conf snippet points to
ssl_certificate /etc/letsencrypt/live/startuplab.io/fullchain.pem;
but certbot has put it into
ssl_certificate /etc/letsencrypt/live/startuplab.io-0001/fullchain.pem;
Does anybody know why this happens? What should I do to fix this and avoid it in the future?
Edit 3:
Just renaming the startuplab.io-0001 folder into startuplab.io fixed the issue. But why did this happen to begin with? How do I make sure it never happens again? I'd appreciate any advice!
For your edit 3, from https://certbot.eff.org/docs/using.html#renewing-certificates emphasis added:
An alternative form that provides for more fine-grained control over the renewal process (while renewing specified certificates one at a time), is certbot certonly with the complete set of subject domains of a specific certificate specified via -d flags. ...
All of the domains covered by the certificate must be specified in this case in order to renew and replace the old certificate rather than obtaining a new one; don’t forget any www. domains! Specifying a subset of the domains creates a new, separate certificate containing only those domains, rather than replacing the original certificate. When run with a set of domains corresponding to an existing certificate, the certonly command attempts to renew that specific certificate.
Your old cert was for startuplab.io AND webacademy.io -- not only the former.
I developed an application for a client which I host on a subdomain, now the problem is that I don't own the main domain/website. They've added a DNS record to point to the IP on which I host that app. Now I want to request a Free & automatic certificate from Let's Encrypt. But when I try the handshake it says
Getting challenge for subdomain.example.com from acme-server...
Error: http://subdomain.example.com/.well-known/acme-challenge/letsencrypt_**** is not reachable. Aborting the script.
dig output for subdomain.example.com:subdomain.example.com
Please make sure /.well-known alias is setup in WWW server.
Which makes sense cause I don't own that domain on my server. But if I try to generate it without the main domain I get:
You must include your main domain: example.com.
Cannot Execute Your Request
Details
Must include your domain example.com in the LetsEncrypt entries.
So I'm curious on how I can just set up a certificate without owning the main domain. I tried googling the issue but I couldn't find any relevant results. Any help would be much appreciated.
First
You don't need to own the domain, you just need to be able to copy a file to the location serving that domain. (You're all set there it sounds like)
Second
What tool are you using? The error message you gave makes me think the client is misconfigured. The challenge name is usually something like https://example.com/.well-known/acme-challenge/jQqx6qlM8u3wpi88N6lwvFd7SA07oK468mB1x4YIk1g. Compare that to your error:
Error: http://example.com/.well-known/acme-challenge/letsencrypt_example.com is not reachable. Aborting the script.
Third
I'm the author of Greenlock, which is compatible with Let's Encrypt. I'm confident that it will work for you.
Install
# Feel free to read the source first
curl -fsS https://get.greenlock.app/ | bash
Usage with existing webserver:
Let's say that:
You're using Apache or Nginx.
You confirm that ping example.com gives the IP of your server
You're exposing http on port 80 (otherwise verification will fail)
Your website is located in /srv/www/example.com
Your email is jon#example.com (must be a real email address)
You want to store your certificate as /etc/acme/live/example.com/fullchain.pem
This is what the command would look like:
sudo greenlock certonly --webroot \
--acme-version draft-11 --acme-url https://acme-v02.api.letsencrypt.org/directory \
--agree-tos --email jon#example.com --domains example.com \
--community-member \
--root /srv/www/example.com \
--config-dir /etc/acme
If that doesn't work on the first try then change out --acme-url https://acme-v02.api.letsencrypt.org/directory for --acme-url https://acme-staging-v02.api.letsencrypt.org/directory while you debug. Otherwise your server could become blocked from Let's Encrypt for too many bad requests. Just know that you'll have to delete the certificates from the staging environment and retry with the production url since the tool cannot tell which certificates are "production" and which ones are "testing".
The --community-member flag is optional, but will provide me with analytics and allow me to contact you about important or mandatory changes as well as other relevant updates.
After you get the success message you can then use those certificates in your webserver config and restart it.
That will work as a cron job as well. You could run it daily and it will only renew the certificate after about 75 days. You could also put a cron job to send the "update configuration" signal to your webserver (normally HUP or USR1) every few days to cause it to start using the new certificates without even restarting (...or just have it restart).
Usage without a web server
If you just want to quickly test without even having a webserver running, this will do it for you:
sudo greenlock certonly --standalone \
--acme-version draft-11 --acme-url https://acme-v02.api.letsencrypt.org/directory \
--agree-tos --email jon#example.com --domains example.com \
--community-member \
--config-dir /etc/acme/
That runs expecting that you DO NOT have a webserver running on port 80, as it will start one temporarily just for the purpose of the certificate.
sudo is required for using port 80 and for writing to root and httpd-owned directories (like /etc and /srv/www). You can run the command as your webserver's user instead if that has the correct permissions.
Use Greenlock as your webserver
We're working on an option to bypass the middleman altogether and simply use greenlock as your webserver, which would probably work great for simple vhosting like it sounds like you're doing. Let me know if that's interesting to you and I'll make sure to update you about it.
Fourth
Let's Encrypt also has an official client called certbot which will likely work just as well, perhaps better, but back in the early days it was easier for me to build my own than to use theirs due to issues which they have long since fixed.
Whats important is the sub domains A record. It should be the IP Address of from where you are trying to request the sub domains certificate.
I followed this guide to set-up Let's Encrypt https://www.linode.com/docs/security/ssl/install-lets-encrypt-to-create-ssl-certificates
I created the certificate for one of my sites using:
sudo -H ./letsencrypt-auto certonly --standalone -d example.com
and now need to add it to Apache. I started following this guide but it lists different certificate extensions.
I've just found the following article https://www.upcloud.com/support/install-lets-encrypt-apache/ which seems like a more straight forward process.
What's the best way to remove what I've done so far and go this alternative route?
I followed this guide https://certbot.eff.org/#debianjessie-apache
and when it took me through the install process it allowed me to update the existing certificate.
I am trying to understand the process of installing a letsencrypt certificate on Apache on Centos.
I have read the installation instructions, cloned the git repository, and there I’m stuck.
Has anybody had experience with this and what to do next?
Thanks
You didn't really make it clear what your error was, but I'll take a guess and say that you left off with cloning the Git repository.
From here, you'll need to run some commands with the letsencrypt-auto program that you just cloned to actually obtain a certificate and install it. Let's Encrypt and their automatic configuration feature isn't necessarily stable yet, so I recommend running the command to only obtain a certificate, then manually configure SSL yourself. Head into the directory that you cloned the Git repository to and run the following commands:
chmod +x letsencrypt-auto
./letsencrypt-auto certonly
Let's Encrypt will begin to download its dependencies and a prompt will finally appear requesting which domains you want a certificate for. Just fill it in and press enter. If all goes well, you'll get an output that looks similar to this:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.com/fullchain.pem. Your
cert will expire on 2016-03-08. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
This path will differ from my path since I'm running Ubuntu 14.04. Note the path to the folder, which will hold all of the files you need. Now, head into your Apache configuration and edit the configuration file to link to the SSL certificates that you just created, restart Apache, and you should be good to go!
If you need any further instructions, let me know.