
Saturday, October 9, 2021

periodic renewal of https letsencrypt certificates

Confirm the expiration date of the current certificates
openssl x509 -dates -noout < \
/home/pdg/allofphysics.com/certs/fullchain.pem

Delete existing certs
sudo rm -rf /etc/letsencrypt/live/derivationmap.net
sudo rm -rf /etc/letsencrypt/renewal/derivationmap.net
sudo rm -rf /etc/letsencrypt/archive/derivationmap.net
Confirm folders are empty
sudo ls -hal /etc/letsencrypt/live/
sudo ls -hal /etc/letsencrypt/renewal/
sudo ls -hal /etc/letsencrypt/archive/

Request new certs
sudo certbot certonly --webroot \
-w /home/pdg/allofphysics.com/certs \
--server https://acme-v02.api.letsencrypt.org/directory \
-d derivationmap.net -d www.derivationmap.net
To cover multiple domains with a single cert, use
sudo certbot certonly --webroot \
-w /home/pdg/allofphysics.com/certs \
--server https://acme-v02.api.letsencrypt.org/directory \
-d derivationmap.net -d www.derivationmap.net \
-d allofphysics.com -d www.allofphysics.com
The output should look something like:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/derivationmap.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/derivationmap.net/privkey.pem
   Your cert will expire on YYYY-MM-DD. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

Copy the new certs to the directory that nginx mounts via docker-compose
cd /home/pdg/allofphysics.com/certs

mv dhparam.pem dhparam.pem_OLD
mv fullchain.pem fullchain.pem_OLD
mv privkey.pem privkey.pem_OLD

sudo cp /etc/letsencrypt/live/derivationmap.net/fullchain.pem .
sudo cp /etc/letsencrypt/live/derivationmap.net/privkey.pem .
sudo chown pdg:pdg privkey.pem
sudo openssl dhparam -out dhparam.pem 2048

Restart Docker-compose
cd /home/pdg/allofphysics.com/
docker compose up --build --force-recreate --remove-orphans --detach
If the Docker containers are not recreated, the new files on the host won't take effect.

Verify in a browser that https://derivationmap.net/ has the updated certificate. 

Set a calendar reminder to renew the certificate.

Sunday, August 9, 2020

my first certificate expiration

This morning I was greeted with this warning from Chrome when visiting https://derivationmap.net

The error message indicated my certificates had expired.

I SSH'd into my DigitalOcean node and ran a scan of the certs that certbot can find:

$ sudo certbot renew
----------------------
Processing /etc/letsencrypt/renewal/derivationmap.net.conf
----------------------
Cert not yet due for renewal
----------------------
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/derivationmap.net/fullchain.pem expires on 2020-10-08 (skipped)
No renewals were attempted.

However, when I run a manual scan of the certs used by my site:

$ openssl x509 -dates -noout < /home/pdg/proofofconcept/v7_pickle_web_interface/certs/fullchain.pem
notBefore=May 11 15:26:19 2020 GMT
notAfter=Aug  9 15:26:19 2020 GMT

That corresponds with the command history entry from 2020-05-11:
sudo certbot certonly --webroot \
-w /home/pdg/proofofconcept/v7_pickle_web_interface/certs \
--server https://acme-v02.api.letsencrypt.org/directory \
-d derivationmap.net -d www.derivationmap.net

Solution

Delete existing certs
sudo rm -rf /etc/letsencrypt/{live,archive}/derivationmap.net /etc/letsencrypt/renewal/derivationmap.net.conf

Request new certs

sudo certbot certonly --webroot \
-w /home/pdg/proofofconcept/v7_pickle_web_interface/certs \
--server https://acme-v02.api.letsencrypt.org/directory \
-d derivationmap.net -d www.derivationmap.net

Copy the new certs to the directory that nginx mounts via docker-compose

cd /home/pdg/proofofconcept/v7_pickle_web_interface/certs
sudo cp /etc/letsencrypt/live/derivationmap.net/fullchain.pem .
sudo cp /etc/letsencrypt/live/derivationmap.net/privkey.pem .
sudo chown pdg:pdg privkey.pem
openssl dhparam -out dhparam.pem 2048

Restart Docker-compose

docker-compose up --build --force-recreate --remove-orphans --detach

If the Docker containers are not recreated, the new files on the host won't take effect.

Verify in a browser that https://derivationmap.net/ has the updated certificate.

Set a calendar reminder to renew the certificate.
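The root cause in the post above was that `certbot renew` reports on the certificate in /etc/letsencrypt/live, while nginx serves the copy in the Docker-mounted certs directory, and the two had drifted apart. The following script is an added example, not code from the post: it parses the `openssl x509 -dates -noout` output shown above for both copies and flags an expired, mismatched or soon-to-expire deployed certificate. The sample strings and the 30-day renewal window are constructed assumptions; the file paths are the ones the posts use.

```python
import subprocess
from datetime import datetime, timedelta, timezone

RENEW_WITHIN_DAYS = 30  # Let's Encrypt certs last 90 days; renew with a month to spare

# Constructed samples in `openssl x509 -dates -noout` format: DEPLOYED_SAMPLE repeats the
# post's dates for the copied fullchain.pem; TRACKED_SAMPLE is made up, expiring 2020-10-08 as certbot reported.
DEPLOYED_SAMPLE = "notBefore=May 11 15:26:19 2020 GMT\nnotAfter=Aug  9 15:26:19 2020 GMT\n"
TRACKED_SAMPLE = "notBefore=Jul 10 12:00:00 2020 GMT\nnotAfter=Oct  8 12:00:00 2020 GMT\n"


def parse_openssl_time(value):
    """Parse one openssl time such as 'Aug  9 15:26:19 2020 GMT' as an aware UTC datetime."""
    value = value.strip()
    if value.endswith(" GMT"):
        value = value[:-4]
    # openssl pads single-digit days with two spaces ("Aug  9"); strptime tolerates that
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_openssl_dates(text):
    """Return (notBefore, notAfter) from `openssl x509 -dates -noout` output."""
    dates = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        dates[key.strip()] = parse_openssl_time(value)
    return dates["notBefore"], dates["notAfter"]


def renewal_status(deployed_text, tracked_text, now):
    """Classify the cert nginx serves; returns (status, days left on the deployed cert)."""
    _, deployed_end = parse_openssl_dates(deployed_text)
    _, tracked_end = parse_openssl_dates(tracked_text)
    if deployed_end <= now:
        status = "EXPIRED"    # browsers already warn, whatever `certbot renew` says
    elif deployed_end != tracked_end:
        status = "MISMATCH"   # certbot is reporting on a different cert than nginx serves
    elif deployed_end - now <= timedelta(days=RENEW_WITHIN_DAYS):
        status = "RENEW"
    else:
        status = "OK"
    return status, (deployed_end - now).days


def openssl_dates(pem_path):
    # Same command the post uses, run on a PEM file on disk (certbot's copy needs sudo to read)
    return subprocess.run(["openssl", "x509", "-dates", "-noout", "-in", pem_path],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    deployed = openssl_dates("/home/pdg/allofphysics.com/certs/fullchain.pem")
    tracked = openssl_dates("/etc/letsencrypt/live/derivationmap.net/fullchain.pem")
    status, days = renewal_status(deployed, tracked, datetime.now(timezone.utc))
    print(f"{status}: deployed certificate has {days} days left")
```

Run it from cron in place of the calendar reminder; anything other than OK means the copy step or the renewal is overdue.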