Saturday, October 9, 2021

periodic renewal of https letsencrypt certificates

Confirm expiration date of current certificates 
openssl x509 -dates -noout < \
/home/pdg/allofphysics.com/certs/fullchain.pem

Delete existing certs 
sudo rm -rf /etc/letsencrypt/live/derivationmap.net
sudo rm -rf /etc/letsencrypt/renewal/derivationmap.net
sudo rm -rf /etc/letsencrypt/archive/derivationmap.net
Confirm folders are empty
sudo ls -hal /etc/letsencrypt/live/
sudo ls -hal /etc/letsencrypt/renewal/
sudo ls -hal /etc/letsencrypt/archive/

Request new certs 
sudo certbot certonly --webroot \
-w /home/pdg/allofphysics.com/certs \
--server https://acme-v02.api.letsencrypt.org/directory \
-d derivationmap.net -d www.derivationmap.net
To use multiple domains and a single cert, use 
sudo certbot certonly --webroot \
-w /home/pdg/allofphysics.com/certs \
--server https://acme-v02.api.letsencrypt.org/directory \
-d derivationmap.net -d www.derivationmap.net \
-d allofphysics.com -d www.allofphysics.com
Output should be something like 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/derivationmap.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/derivationmap.net/privkey.pem
   Your cert will expire on YYYY-MM-DD. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

Copy new certs to directory that nginx mounts in Docker-compose 
cd /home/pdg/allofphysics.com/certs

mv dhparam.pem dhparam.pem_OLD
mv fullchain.pem fullchain.pem_OLD
mv privkey.pem privkey.pem_OLD

sudo cp /etc/letsencrypt/live/derivationmap.net/fullchain.pem .
sudo cp /etc/letsencrypt/live/derivationmap.net/privkey.pem .
sudo chown pdg:pdg privkey.pem
sudo openssl dhparam -out dhparam.pem 2048

Restart Docker-compose 
cd /home/pdg/allofphysics.com/
docker compose up --build --force-recreate --remove-orphans --detach
If the docker containers are not restarted, the changes made to the file on the host won't take effect.

Verify in a browser that https://derivationmap.net/ has the updated certificate. 

Set a calendar reminder to renew the certificate.
Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)