This repository has been archived by the owner on Jan 18, 2020. It is now read-only.
Updating Let's Encrypt
ErrorsAndGlitches edited this page Oct 26, 2017
Updating Let's Encrypt is not trivial, and their `certbot-auto` is not as auto as one would desire. The certificates last a finite period of time (Let's Encrypt issues them for 90 days), so one day they will need to be updated. Here are the steps that will save you from destroying all you hold dear.
The first incorporation of Let's Encrypt certificates was performed in Issue-17, which the following steps are based on. Another thing to note is that the `certbot-auto renew` command didn't work for me. I can't express how surprised I was.
- Download the `certbot-auto` script to the host from the certbot installation page. Put it in the home directory. It might even be there for you already.
- Let's start with the staging environment of Let's Encrypt to make sure we don't mess up prod. Production Let's Encrypt also rate-limits failed validations and duplicate certificates, while staging is far more lenient, so this is an all-around good approach. To download the certs (remember to specify your email; the WAISN list email gets bounced):

```bash
sudo ./certbot-auto \
  --manual \
  --staging \
  -m YOUR_EMAIL_HERE \
  -d rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com \
  certonly
```
1. You will be asked to put text in a specific file that is accessible by any HTTP client. For example, it will look like this:

```
Create a file containing just this data:
T8ugPslMyp9D1YV6JqzLhV0ZwBRrG6Ryq5uouX5n88o.k7GTgAWtklLgS1fSLg36jJPkXl0VyHgvQCm_9DqQJe4
And make it available on your web server at this URL:
http://rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com/.well-known/acme-challenge/T8ugPslMyp9D1YV6JqzLhV0ZwBRrG6Ryq5uouX5n88o
```

The `WSGI.conf` has been configured to alias the `/.well-known/acme-challenge/` URL path to a public folder on the host. Specifically, create the file, containing only that data, at the path:

```
/opt/python/current/app/public/static/acme-challenge/T8ugPslMyp9D1YV6JqzLhV0ZwBRrG6Ryq5uouX5n88o
```

2. Test the URL provided by `certbot-auto` (for example with `curl`, checking that the response body is exactly the data above) as a sanity check that it works.
3. Then press Enter and it should succeed!
- Cool. Now that staging is configured, let's use the production version. It's the same command as above sans `--staging`. Specifically:

```bash
sudo ./certbot-auto \
  --manual \
  -m YOUR_EMAIL_HERE \
  -d rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com \
  certonly
```
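The manual prompt above is why `certbot-auto renew` cannot run unattended: certbot's manual authenticator refuses to renew non-interactively unless an authentication script is supplied with `--manual-auth-hook`. The hook script below is an added example, not part of this wiki or the RapidSMS project, that performs step 1 (write the token file) and the step 2 sanity check (fetch the URL and compare) automatically, and records the hooks in the renewal config so future renewals need nobody at the keyboard. It assumes `CHALLENGE_DIR` is the directory that `WSGI.conf` aliases to `/.well-known/acme-challenge/` (the wiki's path is the default), that the script is saved at `/home/ec2-user/acme-hook.sh` (a hypothetical path used only in the usage comment), and a `certbot-auto` recent enough to support `--manual-auth-hook` (0.17 or later); older versions also want `--manual-public-ip-logging-ok` for unattended runs.

```shell
#!/bin/sh
# Added example, not from the wiki or the RapidSMS project: http-01 hooks for
# certbot's manual mode. certbot runs the hook with CERTBOT_DOMAIN,
# CERTBOT_TOKEN and CERTBOT_VALIDATION exported. Assumptions: CHALLENGE_DIR is
# the directory WSGI.conf aliases to /.well-known/acme-challenge/ (the wiki's
# path is the default), and the script lives at /home/ec2-user/acme-hook.sh
# (hypothetical path, used only in the usage comment below).
set -eu

CHALLENGE_DIR="${CHALLENGE_DIR:-/opt/python/current/app/public/static/acme-challenge}"

# write_challenge DIR TOKEN VALIDATION -> prints the path written.
# printf '%s' writes the validation string and nothing else. ACME tokens are
# base64url, so a token containing "/" or ".." did not come from Let's Encrypt
# and must not be turned into a filename by a hook running as root.
write_challenge() {
  dir="$1"; token="$2"; validation="$3"
  case "$token" in
    ''|*/*|*..*) echo "refusing suspicious token: $token" >&2; return 1 ;;
  esac
  mkdir -p "$dir"
  printf '%s' "$validation" > "$dir/$token"
  chmod 0644 "$dir/$token"   # world-readable is correct: the file is meant to be public
  printf '%s' "$dir/$token"
}

# challenge_file_matches PATH VALIDATION -> 0 only on a byte-for-byte match.
# Stricter than the ACME spec (which lets the server ignore trailing
# whitespace), but anything else in the file fails validation and costs a
# failed-validation attempt against the production rate limit.
challenge_file_matches() {
  printf '%s' "$2" | cmp -s - "$1"
}

# challenge_url_matches URL VALIDATION -> fetch what the ACME server will
# fetch and compare the same way. This is the wiki's step 2, automated.
challenge_url_matches() {
  body="$(mktemp)"
  if curl -fsS -o "$body" "$1" && printf '%s' "$2" | cmp -s - "$body"; then
    rc=0
  else
    echo "challenge not served correctly at $1" >&2
    rc=1
  fi
  rm -f "$body"
  return "$rc"
}

# One script serves both hooks; certbot records them in the renewal config,
# so a later `certbot-auto renew` needs nobody at the prompt:
#   sudo ./certbot-auto certonly --manual --staging --preferred-challenges http \
#     -m YOUR_EMAIL_HERE -d rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com \
#     --manual-auth-hook '/home/ec2-user/acme-hook.sh auth' \
#     --manual-cleanup-hook '/home/ec2-user/acme-hook.sh cleanup'
# Drop --staging for production, exactly as in the wiki.
case "${1:-}" in
  auth)
    write_challenge "$CHALLENGE_DIR" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" >/dev/null
    # A non-zero exit here puts the hook's stderr into certbot's output, so a
    # broken alias shows up as "challenge not served correctly" right away.
    challenge_url_matches "http://$CERTBOT_DOMAIN/.well-known/acme-challenge/$CERTBOT_TOKEN" \
      "$CERTBOT_VALIDATION" ;;
  cleanup)
    rm -f "$CHALLENGE_DIR/$CERTBOT_TOKEN" ;;
esac
```

Run the staging command first, exactly as the wiki does, and only drop `--staging` once the hook's own fetch succeeds; the functions can also be sourced from an interactive shell to check a hand-written token file before pressing Enter at the manual prompt.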
- The next step is to import the certs into AWS Certificate Manager. The output of the production run will indicate where the certs were installed:

```
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com/privkey.pem
   Your cert will expire on 2018-01-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
```
1. `scp` the `fullchain.pem` certs to your local machine. You will need to copy it into another directory first because `/etc/letsencrypt/live` is readable only by root. Remember to delete the copied file after scp'ing it over to your local host. ACM also needs `privkey.pem`; if you copy that the same way, treat the copy as a secret (restrict its permissions, never commit it) and delete it as soon as the import is done.
2. Open **AWS Certificate Manager** in the AWS Console.
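As an alternative to copying files off the host and pasting them into the console, the import can be done on the host itself with the AWS CLI, so `privkey.pem` never leaves `/etc/letsencrypt`. The script below is an added example, not the wiki author's procedure or project code. It assumes the AWS CLI is installed on the host with an IAM identity allowed `acm:ImportCertificate`, that the ELB is in `us-west-2` (the region in the hostname), that `LIVE_DIR` is the directory `certbot-auto` printed, and, for renewals, that `ACM_CERT_ARN` holds the ARN of the certificate already attached to the listener. The PEM-splitting helper runs offline; only the `aws` call needs credentials.

```shell
#!/bin/sh
# Added example, not from the wiki or the RapidSMS project: import certbot's
# output into ACM from the host with the AWS CLI, so privkey.pem never has to
# be scp'd to a laptop. Assumptions: aws CLI on the host with an IAM identity
# allowed acm:ImportCertificate; the ELB is in us-west-2 (the region in the
# hostname); LIVE_DIR is the directory certbot-auto printed; ACM_CERT_ARN,
# if set, is an existing ACM certificate to replace in place.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com}"
REGION="${REGION:-us-west-2}"

# split_fullchain FULLCHAIN LEAF_OUT CHAIN_OUT
# ACM takes the end-entity certificate and the chain as separate inputs.
# certbot also writes cert.pem and chain.pem next to fullchain.pem, but
# splitting fullchain.pem works even when only that file was kept.
# Both outputs are always created, so a one-certificate input yields an empty chain.
split_fullchain() {
  : > "$2"; : > "$3"
  awk -v leaf="$2" -v chain="$3" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == 1 { print > (leaf) }
    n >= 2 { print > (chain) }
  ' "$1"
}

# pem_count FILE -> number of certificates in a PEM file (0 if none).
pem_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# import_to_acm LIVE_DIR -> prints the ARN ACM returns.
# Re-importing with --certificate-arn replaces the certificate behind the
# same ARN, so the ELB listener that references it picks up the renewal
# without being reconfigured; leave ACM_CERT_ARN unset for the first import.
import_to_acm() {
  work="$(mktemp -d)"
  chmod 0700 "$work"
  split_fullchain "$1/fullchain.pem" "$work/leaf.pem" "$work/chain.pem"
  if [ "$(pem_count "$work/leaf.pem")" -ne 1 ] || [ "$(pem_count "$work/chain.pem")" -lt 1 ]; then
    echo "$1/fullchain.pem does not look like leaf + chain" >&2
    rm -rf "$work"
    return 1
  fi
  aws acm import-certificate --region "$REGION" \
    --output text --query CertificateArn \
    --certificate "fileb://$work/leaf.pem" \
    --certificate-chain "fileb://$work/chain.pem" \
    --private-key "fileb://$1/privkey.pem" \
    ${ACM_CERT_ARN:+--certificate-arn "$ACM_CERT_ARN"}
  rm -rf "$work"   # only public material was copied; the key was read in place
}

# privkey.pem is root-only, so:  sudo sh ./acm-import.sh import
if [ "${1:-}" = "import" ]; then
  import_to_acm "$LIVE_DIR"
fi
```

Whichever route you take, the HTTPS listener on the load balancer references the certificate by ARN; importing the renewed certificate onto the same ARN means the listener never needs touching, whereas importing it as a new certificate leaves the listener pointing at the expiring one until someone switches it.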