How to recover from expired let's encrypt certificate

April 16, 2019
Let's Encrypt Ubuntu 18.04

My “let’s encrypt” certificate expired yesterday. What is the safest way to extend or replace this cert, as well as to ensure that it will renew itself automatically? I am assuming whatever I need to do should be done via PuTTY (I am using Windows 10 as my workstation OS).

1 Answer

Greetings!

The easiest way to manage your LetsEncrypt certificate, including automatic renewal, is by using certbot. How you make use of the result of certbot or whether it automates absolutely all things for you, is a bit relative to your setup. However, this guide covers a quick how-to using Apache and Ubuntu 18:

https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-18-04

There may be similar guides for your specific software stack, to cover things like automatic reloading of the certificate on renewal (built-in with certbot/Apache setup).

Jarland

  • Thank you Jarland for such a quick and complete answer, and allow me to ask a few more questions. I am aware of the document you referenced and it would be my choice if I can understand the following few details:

    My WordPress instance was completely functional until yesterday. This means in particular that I have certbot installed and I did everything that is described in this “How to Secure Apache …” article. Just the installed certificate has expired, so I am not sure whether I need to start by removing the existing certbot and removing everything that this certbot did when I used it the first time 3 months ago.

    It would be great if you can tell me that I can completely disregard the previous securing work and do everything that needs to be done by “overwriting” the old stuff. I tried to just run:

    certbot renew --force-renewal
    

    and that resulted with

    Processing /etc/letsencrypt/renewal/nilavema.space.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Plugins selected: Authenticator apache, Installer apache
    Renewing an existing certificate
    Performing the following challenges:
    http-01 challenge for nilavema.space
    http-01 challenge for www.nilavema.space
    Waiting for verification...
    Cleaning up challenges
    Attempting to renew cert (nilavema.space) from /etc/letsencrypt/renewal/nilavema.space.conf produced an unexpected error: Failed authorization procedure. nilavema.space (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://nilavema.space/.well-known/acme-challenge/Jv0OvltSp81L66oO2QBHszfX9KpjKCob6B6A-K8_utk: Timeout during connect (likely firewall problem), www.nilavema.space (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.nilavema.space/.well-known/acme-challenge/REeHEakdt2jF6nAS7A3E1zNaAbXOWKi11czUUpieiTs: Timeout during connect (likely firewall problem). Skipping.
    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/nilavema.space/fullchain.pem (failure)
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    
    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/nilavema.space/fullchain.pem (failure)
    
    • Interesting. So it seems the primary issue here is that the renewal is failing. This makes sense right now because I’m actually getting no HTTP response when I reach out to http://nilavema.space. Is there by chance a firewall blocking inbound traffic on port 80, or is the web server just not running?

      If you haven’t done anything with the firewall, maybe try restarting the web server:

      systemctl restart apache2
      

      Perhaps cleaning out the existing SSL config temporarily may be required for it to restart, I’m not sure.

      • The renewal might be failing because just running the command

        certbot renew --force-renewal
        

        might be insufficient (I pulled it from a long thread discussing this same situation - and that thread never reached a conclusion).

        You can see that my certificate has expired by opening https://nilavema.space (the site is not configured for http, so requesting it on port 80 should result in a “This site can’t be reached” error). The web server is running and responds with a “NET::ERR_CERT_DATE_INVALID” error message.

        This should remove your suspicions about possible misconfiguration (the site worked correctly until yesterday afternoon). My original mistake was that I did not provide for automatic certificate renewal, and now I have no idea how to renew it without accidentally trampling over something that took me days to configure (nothing to do with security).

        You wrote “Perhaps cleaning out the existing SSL config temporarily may be required for it to restart, I'm not sure.” That may be pointing to the right way to solve this, but I do not dare to do that without knowing that it is safe.

        I asked DO support the same question, but despite being a paying customer there has been no answer in the few days since I asked.
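As an added example (not from the thread, the DO guide or certbot itself), a pre-flight script for the situation above: it checks how close the live certificate is to expiry, whether anything listens on port 80 (what the http-01 challenge that timed out in the log needs), whether ufw permits port 80, and then runs certbot's `--dry-run` renewal, which exercises the challenge against the staging CA without replacing anything under /etc/letsencrypt/live. It assumes Ubuntu 18.04 with certbot, apache2, ufw and openssl installed; the domain is passed as an argument and the certificate path follows certbot's layout.

```shell
#!/bin/sh
# Added example, not from the thread or from certbot: pre-flight checks for the
# failed http-01 renewal above, on Ubuntu 18.04 with certbot, apache2, ufw, openssl.
# Pass your own domain as the first argument; the cert path follows certbot's layout.

# Classify a PEM certificate by time to expiry: MISSING, EXPIRED, RENEW (<30 days) or OK.
# openssl x509 reads the first certificate in the file, i.e. the leaf in fullchain.pem.
cert_status() {
  [ -r "$1" ] || { echo MISSING; return; }
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
    echo EXPIRED
  elif ! openssl x509 -in "$1" -noout -checkend $((30 * 86400)) >/dev/null 2>&1; then
    echo RENEW
  else
    echo OK
  fi
}

# Is anything listening on TCP port 80? The http-01 validation in the log above
# fetches /.well-known/acme-challenge/ over plain HTTP, so a connect timeout
# means the CA never reached this port.
port80_listening() {
  ss -ltn 2>/dev/null | awk 'NR > 1 { print $4 }' | grep -qE '(^|:)80$'
}

# Does ufw, if active, allow port 80 in? The DO guide uses the 'Apache Full' profile.
ufw_allows_80() {
  ufw status 2>/dev/null | grep -q '^Status: active' || return 0  # no local firewall
  ufw status 2>/dev/null | grep -qE '^(80(/tcp)?|Apache( Full)?) .*ALLOW'
}

main() {
  cert="/etc/letsencrypt/live/$1/fullchain.pem"
  echo "certificate: $(cert_status "$cert")"
  port80_listening && echo "port 80: listening" \
    || echo "port 80: nothing listening (check: systemctl status apache2)"
  ufw_allows_80 && echo "ufw: port 80 allowed" \
    || echo "ufw: port 80 blocked (the guide uses: ufw allow 'Apache Full')"
  # --dry-run runs the challenge against the staging CA and leaves
  # /etc/letsencrypt/live untouched, so it can be repeated until it passes.
  certbot renew --dry-run
}

if [ -n "${1:-}" ]; then main "$1"; fi
```

Once the dry run succeeds, a plain `certbot renew` replaces the expired certificate in place and the existing Apache configuration keeps pointing at the same /etc/letsencrypt/live paths.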
