Renewing Letsencrypt certificates

This is the procedure we have used to successfully renew Let's Encrypt certificates (obtained from https://letsencrypt.org/) with certbot-auto on an Oracle Linux server running Apache.

Before attempting to renew your SSL/TLS certificates you may wish to read and familiarise yourself with the content of the following files. View them on the server over SSH; if you must copy any of them off the server, use SFTP, never plain FTP, and do not copy privkey.pem at all, since anyone holding that file can impersonate your site:

/var/log/letsencrypt/letsencrypt.log

/etc/letsencrypt/live/www.example.com/cert.pem, privkey.pem, chain.pem, fullchain.pem, README

/etc/letsencrypt/renewal/www.example.com.conf    (rw-r--r--)

The files under live/ are symlinks to the current versions kept in /etc/letsencrypt/archive/, which is why Apache should always be pointed at the live/ paths. privkey.pem should be readable by root only; check with ls -lL.

The Oracle Linux server, with Apache, has 3 web sites with https certificates, called a, b and c below. The first command shows what is there now, according to the details in the renewal configuration files in /etc/letsencrypt/renewal/. If the results are not as expected, check those .conf files: this command does not simply read every certificate in /etc/letsencrypt/live/, it reports only the certificates that have a renewal .conf file, and certbot renew works from the same files.

In this case the certificates are two months old and have 27 days to go before expiry. You need to be logged in as root over SSH (for example with PuTTY: your server's IP address, port 22, SSH). certbot renew only renews certificates that are within 30 days of expiry; with more time left it reports them as not yet due and leaves them alone (an early renewal can be forced with --force-renewal, but do not do this routinely, as Let's Encrypt rate-limits duplicate certificates). certbot-auto, used here, has since been retired by the certbot project; a packaged or snap certbot accepts the same subcommands (certificates, renew) without the /opt/certbot/ path.

[root@localhost ~]# /opt/certbot/certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:

Certificate Name: a.art
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key Type: RSA
Domains: a.art
Expiry Date: 2020-07-12 17:43:16+00:00 (VALID: 27 days)
Certificate Path: /etc/letsencrypt/live/a.art/fullchain.pem
Private Key Path: /etc/letsencrypt/live/a.art/privkey.pem

Certificate Name: www.c.org.uk
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key Type: RSA
Domains: www.c.org.uk
Expiry Date: 2020-07-12 17:42:27+00:00 (VALID: 27 days)
Certificate Path: /etc/letsencrypt/live/www.c.org.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.c.org.uk/privkey.pem

Certificate Name: www.b.net
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key Type: RSA
Domains: www.b.net
Expiry Date: 2020-07-12 17:43:49+00:00 (VALID: 27 days)
Certificate Path: /etc/letsencrypt/live/www.b.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.b.net/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

It is helpful to run the above command from time to time so that you know when the certificates will expire, as you must renew them before they expire. If you want a rehearsal first, certbot-auto renew --dry-run performs the same challenges against the Let's Encrypt staging environment without issuing real certificates. The second command (below) performs the renewal. Note the lines "Plugins selected: Authenticator apache, Installer None" and "new certificate deployed without reload": certbot has written the new files but has not told Apache about them, which is why the configtest and reload steps further down are needed. You now have new certificates, each valid for 90 days (certbot reports 89 because it rounds the part day down), saved into the respective directory for each web site, e.g. /etc/letsencrypt/live/www.example.com/.

[root@localhost ~]# /opt/certbot/certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/a.art.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for a.art
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/a.art/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.c.org.uk.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.c.org.uk
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.c.org.uk/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.b.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.b.net
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.b.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/a.art/fullchain.pem (success)
/etc/letsencrypt/live/www.c.org.uk/fullchain.pem (success)
/etc/letsencrypt/live/www.b.net/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The new certificates need to be made active in the running Apache server. First check that the configuration syntax has not been corrupted. This command is recommended after any config change and before you restart Apache, because a restart with a broken config leaves every site on the server down.

Note added 2 May 2022

# Regarding the SSL content within the Apache .conf file for each site:
# which directives you need depends on your Apache version (check with apachectl -v).

# SSL directives for Apache < 2.4.8: cert.pem, privkey.pem and chain.pem, like so:

# SSLEngine on
# SSLCertificateFile /etc/letsencrypt/live/www.c.org.uk/cert.pem
# SSLCertificateKeyFile /etc/letsencrypt/live/www.c.org.uk/privkey.pem
# SSLCertificateChainFile /etc/letsencrypt/live/www.c.org.uk/chain.pem

# SSLCertificateChainFile became obsolete with version 2.4.8. From that version
# SSLCertificateFile may contain the site certificate followed by the intermediate
# certificates, which is exactly what fullchain.pem is.

# SSL directives for Apache >= 2.4.8: fullchain.pem and privkey.pem, like so:

# SSLEngine on
# SSLCertificateFile /etc/letsencrypt/live/www.c.org.uk/fullchain.pem
# SSLCertificateKeyFile /etc/letsencrypt/live/www.c.org.uk/privkey.pem

# Remove the hash characters in the 4 or 3 lines above to suit your version of Apache.
# Point the directives at the live/ paths, never at a numbered file in archive/, so that
# each renewal is picked up at the next reload without editing the config.
------------------------------------------------------------------------------------

[root@localhost ~]# apachectl configtest
Syntax OK

Now make Apache load the new certificates. A hard restart (apachectl restart) stops and starts the server, so there is a short outage while it does not respond to incoming requests and some visitors will get errors. If that matters, do it at the lowest-traffic time of day.

A graceful restart reloads the configuration and the certificate files without interrupting service: existing connections are allowed to finish and new worker processes start with the new certificates.

[root@localhost ~]# apachectl graceful

or, if you prefer a full restart,

[root@localhost ~]# apachectl restart

[root@localhost ~]#

Getting the [root@localhost ~]# prompt back only means apachectl has issued the command, not that the server is healthy. Check by calling web pages on each site.
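The configtest-then-reload step can be automated so that it runs only when certbot has actually renewed something. The following is an added example, not code from the original page: a certbot deploy hook for the Apache setup described above. It relies on certbot's deploy-hook interface (certbot runs scripts placed in /etc/letsencrypt/renewal-hooks/deploy/, or given with --deploy-hook, after each successful renewal and exports RENEWED_LINEAGE and RENEWED_DOMAINS); the script name reload-apache.sh, the APACHECTL and HOOK_LOG variables, the log file path and the function names are this example's own choices.

```shell
#!/bin/bash
# Added example, not from the original page: certbot deploy hook that repeats the
# "apachectl configtest, then apachectl graceful" steps automatically after a renewal.
# Install as /etc/letsencrypt/renewal-hooks/deploy/reload-apache.sh, mode 0755 (assumed path),
# or pass --deploy-hook /path/to/reload-apache.sh to certbot renew. certbot runs deploy hooks
# only for lineages that were actually renewed, with RENEWED_LINEAGE and RENEWED_DOMAINS exported.

APACHECTL=${APACHECTL:-apachectl}      # example's own override, e.g. for a non-PATH install

# Append one timestamped line to the hook log (HOOK_LOG is this example's own variable).
log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"${HOOK_LOG:-/var/log/letsencrypt/reload-apache.log}"
}

# A lineage is only worth deploying if both the chain and the private key are present and readable.
lineage_ok() {
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# Reload Apache only if the configuration still parses. A restart with a broken config takes
# every site on the server down, which is worse than serving the old certificate a little longer.
# Returns 0 after a graceful reload, 1 if configtest or the reload failed, 2 if the lineage is incomplete.
reload_if_valid() {
    lineage=$1
    if ! lineage_ok "$lineage"; then
        log "skip: $lineage is missing fullchain.pem or privkey.pem"
        return 2
    fi
    if ! "$APACHECTL" configtest >/dev/null 2>&1; then
        log "configtest FAILED; Apache NOT reloaded for $lineage"
        return 1
    fi
    "$APACHECTL" graceful || { log "graceful reload failed for $lineage"; return 1; }
    log "reloaded Apache for $lineage (${RENEWED_DOMAINS:-domains unknown})"
    return 0
}

# certbot sets RENEWED_LINEAGE when it invokes the hook. When sourced or run by hand without it,
# only the functions are defined and nothing is touched.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_if_valid "$RENEWED_LINEAGE"
    exit $?
fi
```

With the hook in place, a plain certbot-auto renew from cron renews what is due, reloads Apache once per renewed site, and leaves a line in the hook log saying what happened; a failed configtest is logged and the old certificate keeps being served rather than the server being restarted into a broken state.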

You can now repeat the certificate listing. Note that certbot-auto certificates reads the files on disk, so it confirms that the renewal was written, not that the running Apache is serving the new certificate; the browser and SSL Labs checks below (or openssl s_client against each site) confirm what is actually served.


[root@localhost ~]# /opt/certbot/certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:

Certificate Name: a.art
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key Type: RSA
Domains: a.art
Expiry Date: 2020-09-13 04:13:27+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/a.art/fullchain.pem
Private Key Path: /etc/letsencrypt/live/a.art/privkey.pem

Certificate Name: www.c.org.uk
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key Type: RSA
Domains: www.c.org.uk
Expiry Date: 2020-09-13 04:13:41+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.c.org.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.c.org.uk/privkey.pem

Certificate Name: www.b.net
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key Type: RSA
Domains: www.b.net
Expiry Date: 2020-09-13 04:13:52+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.b.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.b.net/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The above is the same as what you saw at the beginning, except that the new certificates have different serial numbers and expiry dates 89 days ahead.
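Because the listing above only reads the files on disk, it cannot tell you whether Apache has picked the new certificates up. The following is an added example, not from the original page: a small shell check that compares the serial number of the certificate a server actually presents for a site name with the serial in that site's fullchain.pem, plus a helper that applies the same 30-day window certbot renew uses. It assumes the openssl command-line tool and outbound access to each site on port 443; the script name check-deployed.sh and the function names are this example's own.

```shell
#!/bin/bash
# Added example, not from the original page. Assumes the openssl CLI is installed.

# Serial number of the first certificate in a PEM file. fullchain.pem starts with the site
# certificate, so this is the leaf serial, the "Serial Number" certbot lists.
cert_serial_from_file() {
    openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'
}

# Serial number of the certificate the live server presents for HOST (SNI name), port 443 by default.
cert_serial_served() {
    host=$1; port=${2:-443}
    openssl s_client -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
        | openssl x509 -noout -serial 2>/dev/null | sed 's/^serial=//'
}

# Returns 0 if the certificate in FILE expires within DAYS days (certbot renew uses 30),
# 1 if it still has more than DAYS days left. openssl -checkend does the date arithmetic.
cert_expires_within() {
    file=$1; days=$2
    if openssl x509 -noout -checkend $((days * 86400)) -in "$file" >/dev/null 2>&1; then
        return 1   # will NOT expire within the window
    fi
    return 0
}

# Compare on-disk and served serials for one site. 0 = match, 1 = mismatch (Apache has not
# reloaded), 2 = could not read a serial (file missing or no TLS connection).
# The file is read before any connection is attempted, so a bad path fails fast.
verify_deployed() {
    host=$1; file=$2
    on_disk=$(cert_serial_from_file "$file" 2>/dev/null)
    [ -n "$on_disk" ] || { echo "ERR  $host: cannot read a certificate from $file"; return 2; }
    served=$(cert_serial_served "$host")
    [ -n "$served" ] || { echo "ERR  $host: no certificate received on port 443"; return 2; }
    if [ "$on_disk" = "$served" ]; then
        echo "OK   $host serves serial $served, matching $file"
        return 0
    fi
    echo "FAIL $host serves $served but $file contains $on_disk; Apache has not reloaded"
    return 1
}

# Run directly with site names as arguments to check each one against its live/ directory:
#   ./check-deployed.sh a.art www.b.net www.c.org.uk
rc=0
for name in "$@"; do
    verify_deployed "$name" "/etc/letsencrypt/live/$name/fullchain.pem" || rc=1
done
[ $# -eq 0 ] || exit $rc
```

A FAIL line after a renewal almost always means the graceful reload was skipped or Apache is reading a stale path in its .conf; an ERR with an empty served serial means the host did not complete a TLS handshake for that SNI name at all, which is worth knowing before the browser checks.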

Access your web sites in Chrome, then More tools, Developer Tools, and select the Security tab. Hard-refresh the page if necessary. This shows the certificate as the browser sees it, including the expiry date and whether the chain validates.

Also test each site using https://www.ssllabs.com/ssltest/  Hopefully you will get an A rating. If not, investigate; a common cause after a renewal is an incomplete chain, so check the SSLCertificateChainFile or fullchain.pem directive described above.

I hope the above helps you.  Send me an email




Page started: 7 August 2020, updated 21 Feb 2024.

Copyright Satellite Signals Limited © 2020 all rights reserved.