Question

SSL renewal for subdomain, main domain hosted elsewhere

Hello,

So for a few months now I’ve been trying to get Lets Encrypt to auto renew my domain.

I currently have a subdomain (sub.domain.com) - the A record is pointed to Digital Ocean. The main domain (domain.com) has many other records pointing to different places, so I don’t really want to switch the nameservers to Digital Ocean to use the auto-renewal that Digital Ocean supply.

I have managed to get an SSL running following various tutorials, however it would appear that Digital Ocean doesn’t see the renewals. I think I have to manually re-add the certificate each time.

Doing a dry run of certbot works, and I think my cronjob that checks once a day is working too - it seems to be generating new keys each time.

I’m pretty new to all this - is there a way to renew the same key and have Digital Ocean pick up on it, or using their “Bring your own certificate” solution do I need to manually do it each time?

Running Ubuntu 18.04 (LTS) x64

Thanks!


Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Accepted Answer

Hi @bobbyiliev - thanks for the reply.

No, I don’t think I am using a Load Balancer. I’m pretty new to Digital Ocean and servers generally but I can see the option to spin one up. I haven’t used that.

It’s just on a normal Droplet as far as I am aware.

Hi @bobbyiliev - it’s been a while, but I am hoping you have a bit of time to help me out again!

Today the SSL failed on some machines - reading deeper, I get the feeling it’s something to do with R3 failing, as the error “r3 certificate has expired” appears on some computers/devices.

Having read through this (it’s very much at the border of my knowledge) https://community.letsencrypt.org/t/r3-intermediate-certificate-has-expired-it-issued-certs-past-its-expiration-date/160797 it appears something has changed with LetsEncrypt.

I’ve tried doing a hard renew, which worked, but hasn’t resolved the SSL issue.

I don’t suppose you’ve got any ideas do you?

I’ve done a hard renew, I’ve checked the expiry - am I missing a setting perhaps with Digital Ocean?!

Bobby Iliev
Site Moderator
Site Moderator badge
February 2, 2021

Hi there @danfarrow,

Are you using this certificate for a Load Balancer? If so, I believe that the only out of the box way to have your certificate automated on the DigitalOcean side is if you manage your domain with DigitalOcean DNS. Only in this case, you can choose the Use Let’s Encrypt tab to create a new, fully-managed SSL certificate.

Regards, Bobby

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more
DigitalOcean Cloud Control Panel