Renewing Letsencrypt certificates

This is the procedure we have used to successfully renew Let's Encrypt certificates, which we obtained from https://letsencrypt.org/.

The Oracle Linux server, with Apache, has 3 web sites with https certificates, called a, b and c below. The first command (in bold below) shows what is there now. In this case the certificates are two months old and have 27 days to go before expiry. You need to be logged in as root.

[root@localhost ~]# /opt/certbot/certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:

Certificate Name: a.art
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Domains: a.art
Expiry Date: 2020-07-12 17:43:16+00:00 (VALID: 27 days)
Certificate Path: /etc/letsencrypt/live/a.art/fullchain.pem
Private Key Path: /etc/letsencrypt/live/a.art/privkey.pem

Certificate Name: www.c.org.uk
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Domains: www.c.org.uk
Expiry Date: 2020-07-12 17:42:27+00:00 (VALID: 27 days)
Certificate Path: /etc/letsencrypt/live/www.c.org.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.c.org.uk/privkey.pem

Certificate Name: www.b.net
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Domains: www.b.net
Expiry Date: 2020-07-12 17:43:49+00:00 (VALID: 27 days)
Certificate Path: /etc/letsencrypt/live/www.b.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.b.net/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

It is helpful to run the above command from time to time so that you are well aware of when the certificates will expire, as you must renew them before they expire. When you input the second command (below in bold), the certificate renewal process seems to happen by magic. You now have new certificates, each valid for 89 days and each saved into the letsencrypt directory location corresponding to its web site, e.g. /etc/letsencrypt/live/www.example.com/.

[root@localhost ~]# /opt/certbot/certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/a.art.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for a.art
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/a.art/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.c.org.uk.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.c.org.uk
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.c.org.uk/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.b.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.b.net
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.b.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/a.art/fullchain.pem (success)
/etc/letsencrypt/live/www.c.org.uk/fullchain.pem (success)
/etc/letsencrypt/live/www.b.net/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The new certificates need to be made active in the running Apache server. First check that config syntax has not been corrupted. This command is recommended after any config changes before you restart Apache.

[root@localhost ~]# apachectl configtest
Syntax OK

Now restart the Apache server so that it loads the new certificates as it gets going.  There will be a short outage while the server does not respond to incoming requests, so some visitors will get errors. If critical, do this upgrade at the lowest traffic time of day.

[root@localhost ~]# apachectl restart

[root@localhost ~]#

Once you get the [root@localhost ~]# prompt back, you know that the server has restarted. Check by calling a web page.

You can now do a routine check that the new certificates are being used in the running Apache server.


[root@localhost ~]# /opt/certbot/certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:

Certificate Name: a.art
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Domains: a.art
Expiry Date: 2020-09-13 04:13:27+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/a.art/fullchain.pem
Private Key Path: /etc/letsencrypt/live/a.art/privkey.pem

Certificate Name: www.c.org.uk
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Domains: www.c.org.uk
Expiry Date: 2020-09-13 04:13:41+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.c.org.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.c.org.uk/privkey.pem

Certificate Name: www.b.net
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Domains: www.b.net
Expiry Date: 2020-09-13 04:13:52+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.b.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.b.net/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The above is the same as what you saw at the beginning, except that the new certificates have different Serial Numbers and are shown with an expiry date 89 days ahead.
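
The advice above to run the certificates command from time to time can be automated. The script below is an added example, not part of the original procedure: it parses the listing format shown on this page and reports any certificate with fewer days left than a threshold. The function names, the 30-day threshold and the third sample entry (old.example) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag certificates close to expiry from the
# `certbot-auto certificates` listing shown on this page.

# expiring_certs THRESHOLD
# Reads the listing on stdin and prints "name days" for every certificate
# with fewer than THRESHOLD days left. Any status that is not of the form
# "(VALID: N days)" is printed as "name ATTENTION" so it is never missed.
expiring_certs() {
    awk -v limit="$1" '
        /^[ \t]*Certificate Name:/ { name = $NF }
        /^[ \t]*Expiry Date:/ {
            if (match($0, /\(VALID: [0-9]+ days?\)/)) {
                # Skip the 8 characters of "(VALID: " to reach the number.
                days = substr($0, RSTART + 8, RLENGTH - 8) + 0
                if (days < limit) print name, days
            } else {
                print name, "ATTENTION"
            }
        }'
}

# check_expiry THRESHOLD
# Prints flagged certificates and returns 1 if there are any (cron friendly).
check_expiry() {
    flagged=$(expiring_certs "$1")
    [ -z "$flagged" ] && return 0
    printf '%s\n' "$flagged"
    return 1
}

# Constructed sample listing in the page's format (not real server output).
sample_listing() {
    cat <<'EOF'
Certificate Name: a.art
Expiry Date: 2020-07-12 17:43:16+00:00 (VALID: 27 days)
Certificate Name: www.b.net
Expiry Date: 2020-09-13 04:13:52+00:00 (VALID: 89 days)
Certificate Name: old.example
Expiry Date: 2020-01-01 00:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# Demonstration on the sample. On the server, pipe the real command instead:
#   /opt/certbot/certbot-auto certificates 2>/dev/null | check_expiry 30
sample_listing | check_expiry 30 || echo "renewal needed"
```

Run from cron as root, a non-zero exit status from check_expiry can be used to trigger a notification.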

I hope the above helps you.  Send me an email




Page started: 7 August 2020, updated 16 Aug 2020

Copyright Satellite Signals Limited © 2020 all rights reserved.