Renewing my SSL Certificate

Blog, Code, Knowledgebase, Linux Bash, , ,

Its that time of year again! Time to update my SSL Certificate using Let’s Encrypt!

Expired SSL Certificate Error Message

To renew my certificate, I need to obtain a brand new version. I’ve been using Let’s Encrypt as they’re free and just require a few terminal commands which I’m very familiar with.

Steps To Encrypt

To obtain and install a new SSL certificate, I install Certbot locally, generate an SSL certificate, and upload it to my web hosting provider.

Installing Certbot Locally

Certbot is Let’s Encrypt recommended tool to generate the certificates. Because I’m on a shared hosting provider, I can’t ssh into a terminal to run commands. Instead I need to generate the certificate locally and upload it.

Certbot provides an easy step-by-step set of instructions for most configurations. To get the instructions, you have to select an OS and type of web server you’re running on their home page, and it will show you what you need to know. However, because we can’t setup the certificate directly on the shared server, I put in my local OS instead.

Certbot Apache on Arch Linux instructions – https://certbot.eff.org/lets-encrypt/arch-apache

I actually found that installing certbot through snap required some additional symlinks to get it to work. I wasn’t too interested in messing around to get snap to work, so I just installed certbot using yay / pacman:

yay -S certbot

Generating Certificate

Once installed, I generated the certbot certificate locally using the command below.

sudo certbot certonly -d "*.mydomain.com" --manual

Because I’m using a wildcard, certbot asked me to add a TXT record for my domain.

Please deploy a DNS TXT record under the name:

_acme-challenge.mydomain.com.

with the following value:

{code here}

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Deployment and Testing

After setting the _acme-challenge TXT record, I was then provided two .pem files: a fullchain.pem, and privkey.pem. I took the Private Key file, privkey.pem, and uploaded it to my web hosting provider.

After uploading it, I opened up my page on a separate device and confirmed it was working.

EDIT

When I tried deploying the certificate I had made, it worked fine initially. However, that was because my site was still blog.digitaldeveloper.ca. After I moved my site to digitaldeveloper.ca, the certificate was no longer valid. Thats because the certificate was for *.digitaldeveloper.ca, which doesn’t include digitaldeveloper.ca.

The solution was to regenerate the certificate with both the wildcard and no wildcard. It was as easy as adding another domain argument to the command without the wildcard:

sudo certbot certonly -d "*.mydomain.com" -d "mydomain.com" --manual

When certbot see’s you’re trying to create a certificate for a root domain, it asks you to verify its yours in a slightly different manner. Instead of using the TXT record, they ask you to create a file on your server in a specific folder. For example:

/mydomain.com/.well-known/acme-challenge/{generated file name}

After creating the file, I continued with the steps requested by certbot and retrieved a new key / certificate. I reuploaded them and configured my web host to use the new key / cert instead.

NOTE: I didn’t undo the TXT record, so I’m unaware if certbot still needs it for the wildcard domains.