This repository has been archived by the owner on Jan 18, 2020. It is now read-only.

Updating Let's Encrypt

ErrorsAndGlitches edited this page Oct 19, 2018 · 15 revisions

Updating a Let's Encrypt certificate is not trivial, and certbot-auto is not as automatic as one would desire. Certificates are valid for a finite period of time, so one day they will need to be updated. Here are the steps that will save you from destroying all you hold dear.

The first incorporation of Let's Encrypt certificates was performed in Issue-17, which the following steps are based on. Another thing to note is that the certbot-auto renew command didn't work for me. I can't express how surprised I was.

Note that if the server already has a valid production Let's Encrypt certificate, you should not test with staging, as this could break the cert. Read through the instructions, but skip to step 6.

  1. ssh into the server; all the work is done there.
  2. Download the certbot-auto script to the host from the certbot installation page and put it in the home directory. It might even be there for you already.
  3. Start with the staging environment of Let's Encrypt to make sure we don't mess up prod. Production Let's Encrypt also rate-limits failed attempts, so this is an all-around good approach. To obtain the certs (remember to specify your own email; the WAISN list email gets bounced):
sudo ./certbot-auto \
   --manual \
   --staging \
   -m YOUR_EMAIL_HERE \
   -d rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com \
   certonly
  4. You will be asked to put text in a specific file that is reachable by any HTTP client. For example, it will look like this:
Create a file containing just this data:

T8ugPslMyp9D1YV6JqzLhV0ZwBRrG6Ryq5uouX5n88o.k7GTgAWtklLgS1fSLg36jJPkXl0VyHgvQCm_9DqQJe4

And make it available on your web server at this URL:

http://rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com/.well-known/acme-challenge/T8ugPslMyp9D1YV6JqzLhV0ZwBRrG6Ryq5uouX5n88o

WSGI.conf has been configured to alias that URL path to a public folder on the host. Specifically, create the file containing the data at this path:

/opt/python/current/app/public/static/acme-challenge/T8ugPslMyp9D1YV6JqzLhV0ZwBRrG6Ryq5uouX5n88o
  5. Test the URL provided by certbot-auto as a sanity check that the file is being served.
  6. Then press Enter and it should succeed!
  7. Cool. Now that staging works, use the production version. It's the same command as above sans --staging. Specifically:
sudo ./certbot-auto \
   --manual \
   -m YOUR_EMAIL_HERE \
   -d rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com \
   certonly
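The challenge step for both the staging and production runs above, as an added example that is not part of the wiki or the project: a small POSIX shell helper that writes the key authorization certbot prints into the aliased public folder and then fetches the challenge URL the way the CA will, so the sanity check in step 5 compares the exact response body instead of eyeballing it in a browser. The path /opt/python/current/app/public/static/acme-challenge and the host name are taken from the page; the function names and the CHALLENGE_ROOT variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the wiki): stage an ACME HTTP-01 challenge file in
# the public folder that WSGI.conf aliases, then fetch it back over HTTP and
# compare the body with what certbot expects.
set -eu

# Directory the wiki says WSGI.conf aliases to /.well-known/acme-challenge/
# (assumed unchanged; override with the environment variable if it moved).
CHALLENGE_ROOT="${CHALLENGE_ROOT:-/opt/python/current/app/public/static/acme-challenge}"

# write_challenge ROOT TOKEN KEYAUTH
# Creates ROOT/TOKEN containing exactly KEYAUTH (no trailing newline),
# makes it world-readable for the web server, and prints the path written.
write_challenge() {
    root=$1; token=$2; keyauth=$3
    # ACME tokens are base64url; refuse anything that could escape ROOT.
    case "$token" in
        *[!A-Za-z0-9_-]*|"") echo "refusing suspicious token: $token" >&2; return 1 ;;
    esac
    mkdir -p "$root"
    printf '%s' "$keyauth" > "$root/$token"
    chmod 644 "$root/$token"
    echo "$root/$token"
}

# check_challenge HOST TOKEN KEYAUTH
# Fetches the challenge URL over plain HTTP, following redirects like the
# Let's Encrypt validator does, and compares the body byte-for-byte with
# KEYAUTH. Returns 0 only on an exact match.
check_challenge() {
    host=$1; token=$2; keyauth=$3
    url="http://$host/.well-known/acme-challenge/$token"
    body=$(curl -sSL --max-time 10 "$url") || return 1
    if [ "$body" = "$keyauth" ]; then
        echo "OK: $url serves the expected key authorization"
    else
        echo "MISMATCH at $url" >&2
        printf 'expected: %s\ngot:      %s\n' "$keyauth" "$body" >&2
        return 1
    fi
}

# Usage on the host, with the values certbot printed in the wiki's example
# (TOKEN is the last path segment of the URL, KEYAUTH the full "data" line):
#   write_challenge "$CHALLENGE_ROOT" T8ugPslMyp9D1YV6JqzLhV0ZwBRrG6Ryq5uouX5n88o \
#       T8ugPslMyp9D1YV6JqzLhV0ZwBRrG6Ryq5uouX5n88o.k7GTgAWtklLgS1fSLg36jJPkXl0VyHgvQCm_9DqQJe4
#   check_challenge rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com \
#       T8ugPslMyp9D1YV6JqzLhV0ZwBRrG6Ryq5uouX5n88o \
#       T8ugPslMyp9D1YV6JqzLhV0ZwBRrG6Ryq5uouX5n88o.k7GTgAWtklLgS1fSLg36jJPkXl0VyHgvQCm_9DqQJe4
```

Run write_challenge, then check_challenge, and only press Enter in certbot once the check reports OK; a MISMATCH usually means a trailing newline in the file, a wrong token, or the alias in WSGI.conf not pointing where you think.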
  8. The next step is to import the certs into AWS Certificate Manager. The output will indicate where the certs were saved:
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com/privkey.pem
   Your cert will expire on 2018-01-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
  9. scp fullchain.pem and privkey.pem to your local machine. The live directory is readable only by root, so first copy the two files into another directory that your ssh user can read, then scp them over. Remember to delete the server-side copies after scp'ing them to your local host.
  10. Open AWS Certificate Manager in the AWS Console.
    1. Click the Let's Encrypt Prod certificate.
    2. Click Reimport certificate.
    3. Copy the first certificate in fullchain.pem and paste it into the Certificate body box.
    4. Copy the entire contents of fullchain.pem and paste it into the Certificate chain box.
    5. Copy the contents of privkey.pem and paste it into the Certificate private key box.
    6. Click Review and import.
    7. The review should show the new cert. Make sure that the domain makes sense and that Expires in is about 89 days. If you are satisfied, click Import.
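Before pasting anything into the ACM form in step 10, as an added example that is not part of the wiki or the project: a POSIX shell helper, run on the local machine holding the scp'd files, that pulls the first certificate block out of fullchain.pem (the Certificate body), confirms with openssl that privkey.pem really is the key for that certificate, and reports how many days the leaf has left so the "about 89 days" figure can be checked before clicking Import. The function names and the output directory are assumptions; openssl must be installed.

```shell
#!/bin/sh
# Added example (not from the wiki): prepare and sanity-check the files for
# the ACM "Reimport certificate" form before pasting them into the console.
set -eu

# first_cert BUNDLE OUT
# Writes only the first PEM certificate block of BUNDLE (the leaf, which goes
# in the "Certificate body" box) to OUT and prints how many blocks BUNDLE held.
first_cert() {
    bundle=$1; out=$2
    awk '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 && !done { print > out }
        /-----END CERTIFICATE-----/ && n == 1 { done = 1 }
        END { print n + 0 }
    ' out="$out" "$bundle"
}

# key_matches_cert KEY CERT
# Derives the public key from the private key and compares it with the public
# key inside the certificate; returns 0 only if they are identical.
key_matches_cert() {
    key=$1; cert=$2
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# days_left CERT
# Prints the whole number of days until the certificate's notAfter (0 if it
# has already expired), using a binary search over openssl's -checkend.
days_left() {
    cert=$1
    lo=0; hi=400
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if openssl x509 -in "$cert" -noout -checkend $(( mid * 86400 )) >/dev/null; then
            lo=$mid
        else
            hi=$((mid - 1))
        fi
    done
    echo "$lo"
}

# acm_precheck FULLCHAIN PRIVKEY OUTDIR
# Extracts the Certificate body into OUTDIR, verifies the key pairs with it,
# and prints subject and expiry so the ACM review screen can be checked
# against known-good values. Returns 1 if the key does not match.
acm_precheck() {
    fullchain=$1; privkey=$2; outdir=$3
    mkdir -p "$outdir"
    n=$(first_cert "$fullchain" "$outdir/certificate-body.pem")
    echo "$fullchain contains $n certificate(s); first written to $outdir/certificate-body.pem"
    key_matches_cert "$privkey" "$outdir/certificate-body.pem" \
        || { echo "ERROR: $privkey does not match the leaf certificate" >&2; return 1; }
    echo "private key matches the leaf; leaf expires in $(days_left "$outdir/certificate-body.pem") days"
    openssl x509 -in "$outdir/certificate-body.pem" -noout -subject -enddate
}

# Usage, assuming the two files were scp'd into the current directory:
#   acm_precheck fullchain.pem privkey.pem ./acm-import
```

Paste certificate-body.pem into the Certificate body box, the whole fullchain.pem into the Certificate chain box as the steps above say, and privkey.pem into the private key box; if the key check fails, you have an old privkey.pem next to a new fullchain.pem and ACM will reject the import.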