I have just copied a SSL certificate (generated via let's encrypt certbot) from one server (A) to another (B). So, I have created a custom directory in my new server, let's say /home/my-certificate/, and copied the fullchain.pem and privkey.pem from (A) to (B). Everything works, the server is alive, the certificate are OK. Now I want to enable auto-renew on the new server (B). How can I do that?
Two good options stand out
Copy the Let's Encrypt certbot metadata from A to B as well, then install and continue to use certbot to renew as usual. This metadata is kept in /etc/letsencrypt/ and it tracks how your certificate was issued, from which certbot will conclude how it should renew it.
OR
Install certbot and perform a fresh certificate request on B, any time between now and when the existing certificate would expire. Assuming the certificate is for the exact same list of FQDNs this will only count against the per-certificate limit of 5 such requests per week, which is fine unless you're going to do this transition every day or you keep screwing it up and having to try again.
You need to copy letsencrypt renewal config to the new server, and then modify nginx config to point to the new, custom location: /home/my-certificate/
I would suggest moving your certs to the exact same location on the new server, in this case, you can just copy and paste certs and config without any modification.
Here is the list of steps:
Archive certificates on the old servers
Move them to a new server
Extract to the correct location
Create symlinks
Redirect domain
Based on this article
In addition to Druss's answer, a few more steps to be followed.
The solution provided will encounter problems when you try to renew the certificate.
To resolve this issue, a new certbot account should be registered, and conf file should be edited pointing to the new account. I followed the steps provided in this link.
Related
I have already successfully installed certbot and have a working digital certificate. I was wondering how do I go about adding domain names to the certificate or do I need to recreate the certificate again?
I don't want to mess up the existing certificate. I haven't tried running this code yet I want to verify the process before I continue. I tried searching this and Google and my results were kind of confusing.
sudo certbot –apache -d mydomain.xyz -d mydomain2.xyz -d www.mydomain.xyz
SSL certificates cannot be modified once issued. They can be replaced with new certificates.
If you run the identical or modified certbot command, your existing certificate will not be modified or deleted. The certbot command will create a new certificate and store the certificate under a different name. Certbot stores certificates and additional files under the directory tree /etc/letsencrypt. You can archive/backup those files. Look at the archive and live folders.
Typically, your webserver will use symbolic links to point to the Let's Encrypt folder instead of copying the certificate to an Apache/Nginx folder.
I'm not even sure I asked the question right...
I have three servers running minio in distributed mode. I need all three servers to run with TLS enabled. It's easy enough to run certbot, generate a cert for each node, drop said certs into /etc/minio/certs/ and go! but here's where I start running into issues.
The servers are thus:
node1.files.example.com
node2.files.example.com
node3.files.example.com
I'm launching minio using the following command:
MINIO_ACCESS_KEY=minio \
MINIO_SECRET_KEY=secret \
/usr/local/bin/minio server \
-C /etc/minio --address ":443" \
https://node{1...3}.files.example.com:443/volume/{1...4}/
This works and I am able to connect to all three servers from a webbrowser using https with good certs. however, users will connect to the server using the parent domain "files.example.com" (using distributed DNS)
I already ran certbot and generated the certs for the parent domain... and I copied the certs into /etc/minio/certs/ as well as /etc/minio/certs/CAs/ (calling both files "files.example.com-public.crt" and "files.example.com-public.key" respectively)... this did not work. when I try to open the parent domain "files.example.com" I get a cert error (chich I can bypass) indicating the certificate is for the node in which I have connected and not for the parent domain.
I'm pretty sure this is just a matter of putting the cert in the right place and naming it correctly... right? does anyone know how to do that? I also have an idea there might be a way to issue a cert that covers multiple domains... is that how I'm supposed to do this? how?
I already hit up minio's slack channel and posted on their github, but no ones replying to me. not even, "this won't work."
any ideas?
I gave up and ran certbot in manual mode. it had to install apache on one of the nodes, then certbot had me jump through a couple of minor hoops (namely it had me create a new txt record with my DNS provider, and then create a file with a text string on the server for verification). I then copied the created certs into my minio config directory (/etc/minio/certs/) on all three nodes. that's it.
to be honest, I'd rather use the plugin as it allows for an automated cert renewal, but I'll live with this for now.
You could also run all of them behind a reverse proxy to handle the TLS termination using a wildcard domain certificate (ie. *.files.example.com). The reverse proxy would centralize the certificates, DNS, and certbot script if you prefer, etc to a single node, essentially load balancing the TLS and DNS for the minio nodes. The performance hit of "load-balancing" TLS like this may be acceptable depending on your workload, considering the simplification to your current DNS and TLS cert setup.
[Digital Ocean example using nginx and certbot plugins] https://www.digitalocean.com/community/tutorials/how-to-create-let-s-encrypt-wildcard-certificates-with-certbot
My website keeps getting "NET::ERR_CERT_DATE_INVALID" error.
I have renewed the certificate using:
sudo certbot certonly --webroot -w /var/www/html -d startuplab.io
and have restarted nginx.
It used to work fine before, my other websites work fine as well.
How do I figure out what went wrong?
Edit:
This tool shows me that certificate expired 21 days ago.
Letsencrypt tells me:
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/startuplab.io-0001/fullchain.pem. Your cert
will expire on 2019-05-22. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew all of your certificates, run "certbot
renew"
Edit 2:
Aha! My ssl-startuplab.io.conf snippet points to
ssl_certificate /etc/letsencrypt/live/startuplab.io/fullchain.pem;
but certbot has put it into
ssl_certificate /etc/letsencrypt/live/startuplab.io-0001/fullchain.pem;
Does anybody know why this happens? What should I do to fix this and avoid it in the future?
Edit 3:
Just renaming the startuplab.io-0001 folder into startuplab.io fixed the issue. But why did this happen to begin with? How do I make sure it never happens again? I'd appreciate any advice!
For your edit 3, from https://certbot.eff.org/docs/using.html#renewing-certificates emphasis added:
An alternative form that provides for more fine-grained control over the renewal process (while renewing specified certificates one at a time), is certbot certonly with the complete set of subject domains of a specific certificate specified via -d flags. ...
All of the domains covered by the certificate must be specified in this case in order to renew and replace the old certificate rather than obtaining a new one; don’t forget any www. domains! Specifying a subset of the domains creates a new, separate certificate containing only those domains, rather than replacing the original certificate. When run with a set of domains corresponding to an existing certificate, the certonly command attempts to renew that specific certificate.
Your old cert was for startuplab.io AND webacademy.io -- not only the former.
My SSL from Let's Encrypt has been expired. Rather than using the Lets Encrypt I want to use the on from Amazon it self. There are two questions:
1) How to remove the existing expired certificate.
2) How to install from Amazon.
Checked the various forums which say install Let's Encrypt. But not, how to remove expired one.
Any one, Help?
Assuming you are using apache on linux.
1)
certbot delete
will help you to delete the let's encrypt cert. Ref
2)
Update cert file paths from default-ssl.conf [or whatever the file if you manually setup] inside /etc/apache2/sites-available/ with the one you bought from amazon.
via Namecheap I have my SSL certificates (POSITIVESSL Comodo) which run on my Nginx webserver to offer https to my clients. This worked like a charm until my certificate expired.
Now I tried to install a new certificate, but whatever I try, the old one is being loaded.
What I did.
Removed all the old certificate files (.key, .crt, .csr)
Using this tutorial creating a new key files.
Entered that file into the Namecheap SSL panel to generate new SSL certificates (which arrived, and show to be valid from 11/26/2012 to 12/26/2013.
Go to my certificates directory, put in the 3 .crt files I got.
Using this tutorial i bundled all the .crt files into 1 .pem file.
Check my nginx.conf to confirm all the paths to the .key & .pem file are correct
Restart nginx
I even tried to change the file names, to ensure they cannot conflict with the old ones, but still my old certificates are being loaded. I have used tools like: http://www.digicert.com/help/ to test the certs, also there the old ones are still being loaded.
Apart from Nginx, should I restart anything else to ensure the new files are being loaded correctly?
Issue has been resolved, the DDOS protection proxy also needed to be updated.