Updating Let's Encrypt
Updating Let's Encrypt is not trivial, and their `certbot-auto` is not as automatic as one would desire. The certificates last a finite period of time, so one day they will need to be updated. Here are the steps that will save you from destroying all you hold dear.

The first incorporation of Let's Encrypt certificates was performed in Issue-17, on which the following steps are based. Another thing to note is that the `certbot-auto renew` command didn't work for me. I can't express how surprised I was.

Note that if the server already has a valid production Let's Encrypt certificate, you should not try testing with a staging certificate, as this could break the cert. Read through the instructions, but skip to step 6.
- `ssh` into the server - all the work is done there.
- Download the `certbot-auto` script to the host from the certbot installation page. Put it in the home directory. It might even be there for you, already.
- Let's start with the staging environment of Let's Encrypt to make sure we don't mess up prod. Prod Let's Encrypt also rate-limits failed validations, so this is an all-around good approach. To download the certs (remember to specify your email - the WAISN list email gets bounced):

  ```sh
  sudo ./certbot-auto \
    --manual \
    --staging \
    -m YOUR_EMAIL_HERE \
    -d rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com \
    certonly
  ```

- You will be asked to put text in a specific file that is accessible by any HTTP client. For example, it will look like this:

  ```text
  Create a file containing just this data:

  T8ugPslMyp9D1YV6JqzLhV0ZwBRrG6Ryq5uouX5n88o.k7GTgAWtklLgS1fSLg36jJPkXl0VyHgvQCm_9DqQJe4

  And make it available on your web server at this URL:

  http://rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com/.well-known/acme-challenge/T8ugPslMyp9D1YV6JqzLhV0ZwBRrG6Ryq5uouX5n88o
  ```

  The `WSGI.conf` has been configured to alias that path to a public folder on the host. Specifically, create the file and put the information at the path:

  ```text
  /opt/python/current/app/public/static/acme-challenge/T8ugPslMyp9D1YV6JqzLhV0ZwBRrG6Ryq5uouX5n88o
  ```

- Test the URL provided by `certbot-auto` to perform a sanity check that it works.
- Then press Enter and it should succeed!
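The sanity check above is worth doing from the host before pressing Enter, because a challenge file in the wrong place or with the wrong contents burns one of the limited validation attempts. The following script is an added example, not code from the original wiki page, from certbot or from the WAISN project. It assumes the `WSGI.conf` alias the page describes (`/.well-known/acme-challenge/<token>` served from `<public_root>/static/acme-challenge/<token>`); the host, token and thumbprint values are constructed, not the ones certbot printed on the page.

```python
"""ACME HTTP-01 challenge sanity check for the manual certbot-auto step.

Added example: not code from the original wiki page, from certbot, or from
the WAISN project. It assumes the wsgi.conf alias described on the page,
i.e. that /.well-known/acme-challenge/<token> is served from
<public_root>/static/acme-challenge/<token>. The sample host, token and
thumbprint below are constructed, not the values certbot printed.
"""
import os
import re
import tempfile
from urllib.parse import urlparse

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed stand-ins for the two values certbot asks you to copy.
SAMPLE_KEY_AUTH = "c0nstructedT0ken.c0nstructedAcc0untThumbprint"
SAMPLE_URL = "http://app.example.invalid/.well-known/acme-challenge/c0nstructedT0ken"


def challenge_file_path(url, public_root):
    """Map the challenge URL certbot printed to the on-disk path behind the alias.

    Returns (path, token). Only base64url characters are accepted in the token,
    so a mangled paste (for example one containing '../') cannot produce a path
    outside the acme-challenge directory.
    """
    path = urlparse(url).path
    if not path.startswith(CHALLENGE_PREFIX):
        raise ValueError("not an acme-challenge URL: " + url)
    token = path[len(CHALLENGE_PREFIX):]
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
        raise ValueError("unexpected characters in token: " + repr(token))
    return os.path.join(public_root, "static", "acme-challenge", token), token


def write_challenge(url, key_auth, public_root):
    """Write the key authorization where the web server will serve it."""
    path, token = challenge_file_path(url, public_root)
    # The key authorization is "<token>.<account key thumbprint>". If its token
    # does not match the URL, the CA would fetch a file that does not exist and
    # the validation would fail, so refuse to write it at all.
    if key_auth.split(".", 1)[0] != token:
        raise ValueError("key authorization does not belong to this challenge URL")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(key_auth)  # just the data, as certbot instructs
    return path


def verify_challenge(url, key_auth, public_root):
    """Re-read the file as it will be served and compare it with certbot's text.

    Trailing whitespace is ignored, as RFC 8555 allows a validator to do; any
    other difference (wrong token, stale file from an earlier run) is a mismatch.
    """
    path, _ = challenge_file_path(url, public_root)
    with open(path) as fh:
        return fh.read().rstrip() == key_auth


def demo(public_root=None):
    """Write and verify the constructed sample in a scratch directory."""
    root = public_root or tempfile.mkdtemp(prefix="acme-demo-")
    write_challenge(SAMPLE_URL, SAMPLE_KEY_AUTH, root)
    return verify_challenge(SAMPLE_URL, SAMPLE_KEY_AUTH, root)


if __name__ == "__main__":
    # On the real host, pass /opt/python/current/app/public as public_root.
    print("challenge file serves the expected data:", demo())
```

The local check only proves the file is where the alias expects it; the page's advice to fetch the printed URL from outside the host still applies, since that is the path the CA will take.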
- Cool. Now that staging is configured, let's use the production version. It's the same command as above sans `--staging`. Specifically:

  ```sh
  sudo ./certbot-auto \
    --manual \
    -m YOUR_EMAIL_HERE \
    -d rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com \
    certonly
  ```
- The next step is to import the certs into AWS Certificate Manager. The output will indicate where the certs were installed:

  ```text
  Press Enter to Continue
  Waiting for verification...
  Cleaning up challenges

  IMPORTANT NOTES:
   - Congratulations! Your certificate and chain have been saved at:
     /etc/letsencrypt/live/rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com/fullchain.pem
     Your key file has been saved at:
     /etc/letsencrypt/live/rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com/privkey.pem
     Your cert will expire on 2018-01-24. To obtain a new or tweaked
     version of this certificate in the future, simply run certbot-auto
     again. To non-interactively renew *all* of your certificates, run
     "certbot-auto renew"
  ```
- `scp` the `fullchain.pem` and `privkey.pem` certs to your local machine. You will need to copy them into another directory first, because the directory they are in is protected. Remember to delete the copied files after scp'ing them over to your local host.
- Open AWS Certificate Manager in the AWS Console.
- Click the Let's Encrypt Prod certificate.
- Click Reimport certificate.
- Copy the first certificate in `fullchain.pem` and paste it into the Certificate body box.
- Copy the entire contents of `fullchain.pem` and paste it into the Certificate chain box.
- Copy the contents of `privkey.pem` and paste it into the Certificate private key box.
- Click Review and import.
- The review should show the new cert. Make sure that the domain makes sense. The "Expires in" should be about 89 days. If you are satisfied, click Import.
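The three paste steps above are where this procedure usually goes wrong: the leaf certificate is copied into the chain box, a second block is pasted into the key box, or a block is truncated. The script below is an added example, not code from the original page, from certbot or from AWS. It splits the two files into exactly the body, chain and key fields the page describes and refuses the common mistakes. The sample PEM blocks are constructed (each body is a five-byte DER `SEQUENCE`, not a real certificate or key) so the structural checks can run offline; on the host you would read the real files from the `/etc/letsencrypt/live/...` paths in the certbot output.

```python
"""Prepare the three ACM "Reimport certificate" fields from certbot's output.

Added example: not code from the original page, from certbot or from AWS. It
does what the steps above describe (first certificate of fullchain.pem into
the body box, the whole file into the chain box, privkey.pem into the key box)
and refuses the common paste mistakes. The sample PEM blocks are constructed:
each body is a five-byte DER SEQUENCE, not a real certificate or key.
"""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed stand-ins for /etc/letsencrypt/live/<domain>/fullchain.pem and
# privkey.pem (leaf, one intermediate, one key). Not real credentials.
SAMPLE_FULLCHAIN = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
"""
SAMPLE_PRIVKEY = """-----BEGIN PRIVATE KEY-----
MAMCAQM=
-----END PRIVATE KEY-----
"""


def pem_blocks(text):
    """Return (label, normalised_block) pairs in file order.

    Each body must be valid base64 whose DER starts with 0x30 (SEQUENCE), which
    every X.509 certificate and PKCS#8 key does; a truncated or doubly pasted
    block fails here instead of in the ACM console.
    """
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group(1)
        body = re.sub(r"\s+", "", m.group(2))
        der = base64.b64decode(body, validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("%s block is not DER-encoded" % label)
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        blocks.append((label, "-----BEGIN %s-----\n%s\n-----END %s-----"
                       % (label, "\n".join(lines), label)))
    return blocks


def acm_fields(fullchain_text, privkey_text):
    """Split the two files into the body / chain / key boxes of the ACM form."""
    certs = pem_blocks(fullchain_text)
    keys = pem_blocks(privkey_text)
    if not certs or any(label != "CERTIFICATE" for label, _ in certs):
        raise ValueError("fullchain.pem must contain only CERTIFICATE blocks")
    if len(keys) != 1 or not keys[0][0].endswith("PRIVATE KEY"):
        raise ValueError("privkey.pem must contain exactly one private key block")
    return {
        "body": certs[0][1],                      # the leaf is always first
        "chain": "\n".join(b for _, b in certs),  # whole fullchain, as the page says
        "key": keys[0][1],
    }


if __name__ == "__main__":
    fields = acm_fields(SAMPLE_FULLCHAIN, SAMPLE_PRIVKEY)
    for name in ("body", "chain", "key"):
        print("==", name, "==")
        print(fields[name])
```

Run it against the copied files rather than the ones under `/etc/letsencrypt/live`, which are root-only, and delete the local copies once the import shows the expected domain and the roughly 89-day expiry.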