
Time to renew my LetsEncrypt SSL certificate

This blog is almost three months old. I chose to use SSL certificates from Let's Encrypt. Let's Encrypt issues the certificates for free, but their lifetime is limited to 90 days, so they have to be renewed far more often than certificates bought from a commercial CA.

So today's exercise is to figure out how to renew them. At the moment I assume this will be quick and easy, but let's see.

As a reminder, yesterday I received an email from the Let's Encrypt Expiry Bot:

Hello,

Your certificate (or certificates) for the names listed below will expire in 10 days (on 28 May 18 18:13 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

blog.nopunen.fi

...additional stuff deleted...

Regards,
The Let's Encrypt Team

Let's Encrypt, together with the EFF, provides tooling for issuing and renewing certificates. The tool is named certbot, see here.

The certbot documentation for Nginx on Ubuntu advises me to run

sudo certbot renew

Note that I already have certbot installed, since I have used it earlier to get my certificate.

But before I do, I can do a test run:

sudo certbot renew --dry-run

Running this gives me an error and the test run fails. The reason is that certbot validates the renewal with the http-01 challenge: Let's Encrypt fetches a token from http://blog.nopunen.fi/.well-known/acme-challenge/<token> over plain HTTP on port 80, not over HTTPS, and at the moment I have totally disabled HTTP on my site.

So my first thought is that I need to enable HTTP temporarily. Let's see how I would do that. But first I do a quick Google search and find out that others have run into the same issue. For example, see here.

Enabling HTTP temporarily would have worked, but it is clumsy. A better idea is to redirect all HTTP traffic to HTTPS: Let's Encrypt's validator follows redirects when fetching the challenge token, so renewal works, and visitors who type the bare hostname land on the encrypted site instead of an error.

I add a server block for the redirect to my Nginx configuration file:

server {
    listen 80;
    listen [::]:80;
    server_name blog.nopunen.fi;
    # Hard-coded target rather than $host, so a forged Host header cannot steer the redirect
    return 301 https://blog.nopunen.fi$request_uri;
}

Later, I may enhance the above for additional redirects. To put the config changes into effect, I stop and start Nginx:

sudo systemctl stop nginx
sudo systemctl start nginx
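As an added example (not the blog's own configuration), here is a fuller version of the same idea: the port-80 server block serves the ACME challenge directory directly from a webroot and redirects everything else to HTTPS, and the port-443 block points at the files certbot writes by default. The webroot path /var/www/letsencrypt is an assumption; the certificate paths are certbot's defaults for this domain.

```nginx
# Added example, not the blog's own config. Webroot path is an assumption;
# certificate paths are certbot's defaults for blog.nopunen.fi.
server {
    listen 80;
    listen [::]:80;
    server_name blog.nopunen.fi;

    # Answer the http-01 challenge over plain HTTP from the webroot that
    # certbot --webroot -w /var/www/letsencrypt writes tokens into. With this
    # in place renewal no longer depends on the validator following redirects.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else goes to HTTPS. The hostname is hard-coded rather than
    # taken from $host so an attacker-supplied Host header cannot pick the target.
    location / {
        return 301 https://blog.nopunen.fi$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name blog.nopunen.fi;

    # certbot keeps the current certificate and key behind these symlinks;
    # Nginx reads them at startup/reload, which is why a reload is needed
    # after every renewal.
    ssl_certificate     /etc/letsencrypt/live/blog.nopunen.fi/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.nopunen.fi/privkey.pem;

    # ... existing site configuration (locations, proxy to the blog) unchanged
}
```

Check the syntax with sudo nginx -t before applying it, and prefer sudo systemctl reload nginx over a stop/start: reload swaps in the new configuration without dropping open connections. With the challenge directory served directly, sudo certbot renew --webroot -w /var/www/letsencrypt --deploy-hook "systemctl reload nginx" can run unattended from cron. Unlike certonly, renew is non-interactive and only renews certificates that have less than 30 days left, so running it daily is safe, and the deploy hook reloads Nginx only when a certificate actually changed.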

Now I should be ready to try certbot again:

sudo certbot certonly --dry-run

This gives me no errors, so:

sudo certbot certonly

and I have my certificate renewed. Great! I restart Nginx so that it picks up the new certificate, and I'm done.

The next renewal is due in August, and the above command should suffice. But when the time comes, I will probably set up a cron job to automate the process.

Thanks for reading.