(2021-10-17) Renewing SSL

Despite referring to the plugin at (2021-07-20) Renewing SSL, I decided to stubbornly do it by hand 1 more time.

  • Remember to do sudo:
sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --manual --preferred-challenges dns -d 'flux.garden,*.flux.garden'
  • in entering the TXT entry in the DigitalOcean UI, it looks like you just need to enter _acme-challenge in the hostname field, and it fills in the .flux.garden part on its own. Or at least that's how the UI shows it.
  • either way getting weird varieties of rejections from the LetsEncrypt CLI
  • and finally hit a rate limit on fails.
  • So I might as well try the plugin.

Trying plugin

  • sudo apt install python3-certbot-dns-digitalocean
  • per instructions create API token named certbot
  • create directories/file ~/.secrets/certbot/digitalocean.ini to contain dns_digitalocean_token = <token>
  • do
sudo certbot certonly \
  --dns-digitalocean \
  --dns-digitalocean-credentials ~/.secrets/certbot/digitalocean.ini \
  --dns-digitalocean-propagation-seconds 60 \
  -d flux.garden \
  -d '*.flux.garden'
  • response
Unsafe permissions on credentials configuration file: /home/bill/.secrets/certbot/digitalocean.ini
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/flux.garden/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/flux.garden/privkey.pem
   Your cert will expire on 2022-01-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
  • (then did chmod 600 digitalocean.ini so shouldn't get that warning anymore)
  • still unclear whether I need to do sudo systemctl restart nginx - it doesn't look updated at this - tempted to wait until coming expiration time, but decide not to play around. So just do it. Then that link shows updated expiration.
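The "Unsafe permissions on credentials configuration file" warning above comes from certbot noticing that the file holding the DigitalOcean API token was readable by other users. The following is an added shell example (not part of the original notes or of certbot) that creates the credentials file with owner-only permissions from the start and refuses to run certbot until the mode checks out; the paths, the `write_do_credentials`/`credentials_mode_ok`/`renew_with_plugin` function names and the token value are assumptions/placeholders:

```shell
#!/bin/sh
# Added example (not from the original notes): create the DigitalOcean
# credentials file for certbot with owner-only permissions from the start,
# and verify the mode before invoking certbot, so the "Unsafe permissions"
# warning never appears. Paths, function names and the token are placeholders.

# Write the credentials file as mode 0600 in one step (no window in which it
# is world-readable). $1 = target path, $2 = API token.
write_do_credentials() {
    dir=$(dirname "$1")
    mkdir -p "$dir" && chmod 700 "$dir"
    # umask 077 makes the file 0600 at creation instead of chmod'ing it later
    (umask 077 && printf 'dns_digitalocean_token = %s\n' "$2" > "$1")
}

# Return 0 if the file is accessible by its owner only (0600 or 0400), 1 otherwise.
credentials_mode_ok() {
    # GNU stat first; the BSD/macOS form is the fallback
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Only run certbot once the credentials file passes the permission check.
renew_with_plugin() {
    creds=$1
    if ! credentials_mode_ok "$creds"; then
        echo "refusing to run certbot: $creds must be mode 600" >&2
        return 1
    fi
    sudo certbot certonly \
      --dns-digitalocean \
      --dns-digitalocean-credentials "$creds" \
      --dns-digitalocean-propagation-seconds 60 \
      -d flux.garden -d '*.flux.garden'
}

# Usage (placeholder token; the real one comes from the DigitalOcean API page):
#   write_do_credentials ~/.secrets/certbot/digitalocean.ini 'dop_v1_PLACEHOLDER'
#   renew_with_plugin ~/.secrets/certbot/digitalocean.ini
```

The `umask 077` subshell is the point of the example: creating the file with a tight mode and then checking it is safer than writing it with the default umask and remembering to chmod 600 afterwards, which leaves the token readable by every local user in between.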
