Question

SSL renewal for subdomain, main domain hosted elsewhere

Posted February 2, 2021 592 views
Let's Encrypt

Hello,

So for a few months now I’ve been trying to get Lets Encrypt to auto renew my domain.

I currently have a subdomain (sub.domain.com) - the A record is pointed to Digital Ocean. The main domain (domain.com) has many other records pointing to different places, so I don’t really want to switch the nameservers to Digital Ocean to use the auto-renewal that Digital Ocean supply.

I have managed to get an SSL running following various tutorials, however it would appear that Digital Ocean doesn’t see the renewals. I think I have to manually re-add the certificate each time.

Doing a dry run of certbot works, and I think my cronjob that checks once a day is working too - it seems to be generating new keys each time.

I’m pretty new to all this - is there a way to renew the same key and have Digital Ocean pick up on it, or using their “Bring your own certificate” solution do I need to manually do it each time?

Running Ubuntu 18.04 (LTS) x64

Thanks!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
3 answers

Hi @bobbyiliev - thanks for the reply.

No, I don’t think I am using a Load Balancer. I’m pretty new to Digital Ocean and servers generally but I can see the option to spin one up. I haven’t used that.

It’s just on a normal Droplet as far as I am aware.

Hi there @danfarrow,

Are you using this certificate for a Load Balancer? If so, I believe that the only out of the box way to have your certificate automated on the DigitalOcean side is if you manage your domain with DigitalOcean DNS. Only in this case, you can choose the Use Let’s Encrypt tab to create a new, fully-managed SSL certificate.

Regards,
Bobby

Hi @bobbyiliev - it’s been a while, but I am hoping you have a bit of time to help me out again!

Today the SSL failed on some machines - reading deeper, I get the feeling it’s something to do with R3 failing, as the error “r3 certificate has expired” appears on some computers/devices.

Having read through this (it’s very much at the border of my knowledge) https://community.letsencrypt.org/t/r3-intermediate-certificate-has-expired-it-issued-certs-past-its-expiration-date/160797 it appears something has changed with LetsEncrypt.

I’ve tried doing a hard renew, which worked, but hasn’t resolved the SSL issue.

I don’t suppose you’ve got any ideas do you?

I’ve done a hard renew, I’ve checked the expiry - am I missing a setting perhaps with Digital Ocean?!