This repository has been archived by the owner on Jan 18, 2020. It is now read-only.

Updating Let's Encrypt

ErrorsAndGlitches edited this page Oct 26, 2017 · 15 revisions

Updating Let's Encrypt certificates is not trivial, and their certbot-auto is not as auto as one would desire. The certificates last a finite period of time, so one day they will need to be updated. Here are the steps that will save you from destroying all you hold dear.

The first incorporation of Let's Encrypt certificates was performed in Issue-17, which the following steps are based on. Another thing to note is that the certbot-auto renew command didn't work for me. I can't express how surprised I was.

  1. Download the certbot-auto script to the host from the certbot installation page. Put it in the home directory. It might even be there for you already.
  2. Let's start with the staging environment of Let's Encrypt to make sure we don't mess up prod. There is also a max failure rate for prod Let's Encrypt, so this is an all-around good approach. To download the certs (remember to specify your email; the WAISN list email gets bounced):

```bash
sudo ./certbot-auto \
   --manual \
   --staging \
   -m YOUR_EMAIL_HERE \
   -d rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com \
   certonly
```

2.1. You will be asked to put text in a specific file that is accessible by any HTTP client. For example, it will look like this:

Create a file containing just this data:

T8ugPslMyp9D1YV6JqzLhV0ZwBRrG6Ryq5uouX5n88o.k7GTgAWtklLgS1fSLg36jJPkXl0VyHgvQCm_9DqQJe4

And make it available on your web server at this URL:

http://rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com/.well-known/acme-challenge/T8ugPslMyp9D1YV6JqzLhV0ZwBRrG6Ryq5uouX5n88o

The WSGI.conf has been configured to alias the path to a public folder on the host. Specifically, create the file and put the information at the path:

/opt/python/current/app/public/static/acme-challenge/T8ugPslMyp9D1YV6JqzLhV0ZwBRrG6Ryq5uouX5n88o

2.2. Test the URL provided by certbot-auto to perform a sanity check that it works.

2.3. Then press enter and it should succeed!

  3. Cool. Now that staging is configured, let's use the production version. It's the same command as above sans `--staging`. Specifically:

```bash
sudo ./certbot-auto \
   --manual \
   -m YOUR_EMAIL_HERE \
   -d rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com \
   certonly
```
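
Steps 2.1 and 2.2 as a small shell helper; this is an added example, not part of the original wiki or of certbot. The function names are hypothetical, and `CHALLENGE_DIR` defaults to the aliased folder given in step 2.1. It accepts only a single `token.thumbprint` pair of base64url strings, so pasted text can never name a file outside that folder.

```bash
#!/usr/bin/env bash
# Added example (not from the original wiki). Function names are hypothetical;
# CHALLENGE_DIR defaults to the aliased folder named in step 2.1.
CHALLENGE_DIR="${CHALLENGE_DIR:-/opt/python/current/app/public/static/acme-challenge}"

# The text certbot-auto prints is "<token>.<account key thumbprint>", both
# base64url. Print the token, or fail if the pasted text has another shape.
token_of() {
  local LC_ALL=C keyauth="$1"
  case "$keyauth" in
    *.*.*|*[!A-Za-z0-9._-]*) return 1 ;;  # extra dot, slash, space, newline...
    ?*.?*) printf '%s' "${keyauth%%.*}" ;;
    *) return 1 ;;
  esac
}

# Step 2.1: write the text to $CHALLENGE_DIR/<token> and print the file path.
write_challenge() {
  local keyauth="$1" token
  token="$(token_of "$keyauth")" || { echo "not a challenge value" >&2; return 1; }
  mkdir -p "$CHALLENGE_DIR" || return 1
  printf '%s' "$keyauth" > "$CHALLENGE_DIR/$token" || return 1
  chmod 644 "$CHALLENGE_DIR/$token"       # the web server must be able to read it
  printf '%s\n' "$CHALLENGE_DIR/$token"
}

# Step 2.2: fetch the challenge URL over plain HTTP, as the validation server
# will, and compare the body with the text certbot-auto printed.
check_challenge() {
  local host="$1" keyauth="$2" token body
  token="$(token_of "$keyauth")" || return 1
  body="$(curl -fsS --max-time 10 \
    "http://$host/.well-known/acme-challenge/$token")" || return 1
  [ "$body" = "$keyauth" ]
}

# Usage, after sourcing this file (placeholders, not real values):
#   write_challenge 'TOKEN.THUMBPRINT'
#   check_challenge YOUR_HOST 'TOKEN.THUMBPRINT' && echo "ok, press enter in certbot-auto"
```

Remove the challenge file once the certificate has been issued.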