{"id":1463,"date":"2018-01-20T15:40:43","date_gmt":"2018-01-20T20:40:43","guid":{"rendered":"http:\/\/www.xavignu.com\/?p=1463"},"modified":"2018-01-20T15:44:20","modified_gmt":"2018-01-20T20:44:20","slug":"renew-ssl-cert-with-letsencrypt","status":"publish","type":"post","link":"https:\/\/www.xavignu.com\/?p=1463","title":{"rendered":"Renew SSL cert with letsencrypt"},"content":{"rendered":"<p>Lately I have been playing around with <a href=\"https:\/\/letsencrypt.org\/\" target=\"_blank\" rel=\"noopener\">Let's Encrypt<\/a>. I wanted to get away from self-signed certs; a publicly trusted certificate gives the website a more professional look. Installation was pretty easy, to tell the truth: I just followed this <a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04\" target=\"_blank\" rel=\"noopener\">manual<\/a> from <a href=\"https:\/\/www.digitalocean.com\/\" target=\"_blank\" rel=\"noopener\">Digital Ocean<\/a>. The issue came with the cert renewal process. Let's Encrypt validates the http-01 challenge over plain HTTP on port 80, not over HTTPS, so testing the renewal was failing.<\/p>\n<pre id=\"terminal\">certbot renew --dry-run \r\nSaving debug log to \/var\/log\/letsencrypt\/letsencrypt.log\r\n\r\n-------------------------------------------------------------------------------\r\nProcessing \/etc\/letsencrypt\/renewal\/mail.example.org.conf\r\n-------------------------------------------------------------------------------\r\nCert not due for renewal, but simulating renewal for dry run\r\nStarting new HTTPS connection (1): acme-staging.api.letsencrypt.org\r\nRenewing an existing certificate\r\nPerforming the following challenges:\r\nhttp-01 challenge for mail.example.org\r\nWaiting for verification...\r\nCleaning up challenges\r\nAttempting to renew cert from \/etc\/letsencrypt\/renewal\/mail.example.org.conf produced an unexpected error: Failed authorization procedure. 
mail.example.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http:\/\/mail.example.org\/.well-known\/acme-challenge\/CbWS7lLTfZZe-z-ctdOhaxUe9ZhDi6iuGkxMv57xDbQ: \"&lt;html&gt;\r\n&lt;head&gt;&lt;title&gt;404 Not Found&lt;\/title&gt;&lt;\/head&gt;\r\n&lt;body bgcolor=\"white\"&gt;\r\n&lt;center&gt;&lt;h1&gt;404 Not Found&lt;\/h1&gt;&lt;\/center&gt;\r\n&lt;hr&gt;&lt;center&gt;\". Skipping.\r\n** DRY RUN: simulating 'certbot renew' close to cert expiry\r\n**          (The test certificates below have not been saved.)\r\n\r\nAll renewal attempts failed. The following certs could not be renewed:\r\n  \/etc\/letsencrypt\/live\/mail.example.org\/fullchain.pem (failure)\r\n** DRY RUN: simulating 'certbot renew' close to cert expiry\r\n**          (The test certificates above have not been saved.)\r\n1 renew failure(s), 0 parse failure(s)\r\n\r\nIMPORTANT NOTES:\r\n - The following errors were reported by the server:\r\n\r\n   Domain: mail.example.org\r\n   Type:   unauthorized\r\n   Detail: Invalid response from\r\n   http:\/\/mail.example.org\/.well-known\/acme-challenge\/CbWS7lLTfZZe-z-ctdOhaxEe9ZhDi6iuGzxMv57xDbQ:\r\n   \"&lt;html&gt;\r\n   &lt;head&gt;&lt;title&gt;404 Not Found&lt;\/title&gt;&lt;\/head&gt;\r\n   &lt;body bgcolor=\"white\"&gt;\r\n   &lt;center&gt;&lt;h1&gt;404 Not Found&lt;\/h1&gt;&lt;\/center&gt;\r\n   &lt;hr&gt;&lt;center&gt;\"\r\n\r\n   To fix these errors, please make sure that your domain name was\r\n   entered correctly and the DNS A record(s) for that domain\r\n   contain(s) the right IP address.\r\n<\/pre>\n<p><!--more--><br \/>\nIn order to fix this I had to place some redirects and open port 80 too on <a href=\"https:\/\/nginx.org\/\" target=\"_blank\">nginx<\/a>. 
I placed the rules below in the nginx config file. The acme-challenge location has to serve the challenge files over plain HTTP, so it belongs inside the port 80 server block and must not itself be redirected; everything else arriving on port 80 is redirected to HTTPS.<br \/>\n[code language=\"text\"]<br \/>\nserver {<br \/>\n\tlisten 80;<br \/>\n\tserver_name mail.example.org;<br \/>\n<br \/>\n\t# Serve the http-01 challenge files directly; the root path is an assumption<br \/>\n\t# and must match the webroot certbot writes the challenge files to<br \/>\n\tlocation \/.well-known\/acme-challenge\/ {<br \/>\n\t\troot \/var\/www\/html;<br \/>\n\t\ttry_files $uri =404;<br \/>\n\t}<br \/>\n<br \/>\n\t# Everything else on port 80 is redirected to HTTPS<br \/>\n\tlocation \/ {<br \/>\n\t\treturn 301 https:\/\/$host$request_uri;<br \/>\n\t}<br \/>\n}<br \/>\n[\/code]<\/p>\n<p>Now the renewal test runs smoothly.<\/p>\n<pre id=\"terminal\">certbot renew --dry-run \r\nSaving debug log to \/var\/log\/letsencrypt\/letsencrypt.log\r\n\r\n-------------------------------------------------------------------------------\r\nProcessing \/etc\/letsencrypt\/renewal\/mail.example.org.conf\r\n-------------------------------------------------------------------------------\r\nCert not due for renewal, but simulating renewal for dry run\r\nStarting new HTTPS connection (1): acme-staging.api.letsencrypt.org\r\nRenewing an existing certificate\r\nPerforming the following challenges:\r\nhttp-01 challenge for mail.example.org\r\nWaiting for verification...\r\nCleaning up challenges\r\nGenerating key (2048 bits): \/etc\/letsencrypt\/keys\/0002_key-certbot.pem\r\nCreating CSR: \/etc\/letsencrypt\/csr\/0002_csr-certbot.pem\r\n** DRY RUN: simulating 'certbot renew' close to cert expiry\r\n**          (The test certificates below have not been saved.)\r\n\r\nCongratulations, all renewals succeeded. The following certs have been renewed:\r\n  \/etc\/letsencrypt\/live\/mail.example.org\/fullchain.pem (success)\r\n** DRY RUN: simulating 'certbot renew' close to cert expiry\r\n**          (The test certificates above have not been saved.)\r\n<\/pre>\n<p>This <a href=\"https:\/\/caseydris.co\/devops\/fixing-failed-authorization-procedure-lets-encrypt-nginx-redirects\/\" target=\"_blank\">how-to<\/a> was really helpful.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Lately I have been playing around with lets encrypt. 
Wanted to get away from self signed certs, this gives a more professional aspect to the website. Installation was pretty easy to tell the truth, I just followed the following manual from Digital Ocean. Issue came with the cert renewal process. Letsencrypt renews via http, not [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[92],"tags":[90,6,91,89],"jetpack_featured_media_url":"","jetpack_publicize_connections":[],"jetpack_shortlink":"https:\/\/wp.me\/pTQgt-nB","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/posts\/1463"}],"collection":[{"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1463"}],"version-history":[{"count":17,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/posts\/1463\/revisions"}],"predecessor-version":[{"id":1480,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/posts\/1463\/revisions\/1480"}],"wp:attachment":[{"href":"https:\/\/www.xavignu.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1463"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1463"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1463"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}