Bereavement - process to renew SSH

My son, an artist, used Let's Encrypt for his websites which display his art. He was shot to death in Mexico in May 2022, and I would like to be able to renew the SSH certificates so that his websites can remain accessible.

What is the process I need to go through to do this? Two of his websites have recently started displaying that the certificate has expired. I do not have any of his user names or passwords, and I do not (yet) have access to his email or phone - Google and Apple are incredibly obstructive in this regard: I have had much better treatment elsewhere on the Web, and regarding his physical legacy - e.g. his possessions were returned to us from Mexico within two weeks.

I would be grateful for any assistance you can give.

Andrew Corser

1 Like

First of all, I am sorry for your loss. Of course we understand your wish for the sites to remain accessible.

To avoid confusion: I believe that you are talking about SSL certificates, not SSH. SSH is a different protocol, for which Let's Encrypt does not provide services. Websites generally use SSL/TLS, for which Let's Encrypt provides certificates.

Next, Let's Encrypt encourages and is designed for automation. Certificates are usually acquired and renewed automatically, without human interaction. If a Let's Encrypt certificate has expired, it means that either:

  • The renewal was never automated in the first place. Let's Encrypt does not recommend this, but some subscribers have it set up this way.
  • The automated renewal no longer works for some reason.

Certificates from Let's Encrypt are obtained through the so-called ACME protocol. ACME clients (such as certbot and many more) are available to request and install certificates.

Unfortunately, without more details it is hard for this community to give more specific advice. It depends on what client was used and how it was set up. Our help questionnaire is designed to obtain these details, so that the community understands the setup used.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

8 Likes

@AndrewCorser, I'm very sorry to hear that—how tragic!

Further to @Nummer378's reply, you will almost certainly need to get administrative access to the web servers or web hosting accounts. Do you know where the sites are hosted (who the web hosting provider is)? If you don't know, but you can share the domain names, we might be able to figure that out for you.

It's quite possible that the web hosting providers will be willing to give you access or transfer the accounts if you can show them evidence that you're his next of kin.

If we can learn more about the hosting environment, we may be able to give you more specific advice. The process for renewing Let's Encrypt certificates is quite different in different hosting environments, and it can't be done from outside of the web server (there's no way for us, or Let's Encrypt, to renew and replace the certificates "remotely").

Another possibility which might be more technically involved (but also relevant for the long term) is to figure out where your son's domain names are registered (with which DNS registrar). This could in some cases be the same company as the web hosting provider, but is very often a different company. The domain registrar will eventually need to be paid for domain name renewals, so it's important to figure out eventually who that is. If you're able to get control of your son's account with the DNS registrar, then you would have the power to make his web sites point to a different web hosting provider (if you choose), so you could rebuild or reconstruct the sites in a different hosting environment, giving you more control over the site administration and the future of the sites' content and availability.

8 Likes

Thank you very much for your kind responses.

We are working on finding how the hosting was organised: I think my son did it himself using an unmanaged server provided by Hetzner, and it looks like we might be able to get in through their rescue system...but I am waiting for a friend with the appropriate skills to have a go at doing that!

Yeghes da/Good health!

Andrew

3 Likes

You probably don't need that, if you can go through the main door. The rescue system can be messy and can destroy the server contents. If you have access to your son's devices, you can look for the server keys on those (these are actually SSH keys).

3 Likes

Ah! Thanks for that: it is possible we might get access to his Apple devices soon...Google are a tougher nut to crack, as they require 2 court orders, one from the UK and one from a particular court in the US (Santa Clara Superior Court - the website of which, incidentally, does not accept traffic from outside the US: Google chose well there!!). We will hold off using the rescue system until we have searched for his access information...
Thanks again!

1 Like

SSH keys are usually on PCs, not on phones. You should be able to see if there are some, depending on the operating system.

4 Likes

However, the SSH key may be encrypted with a passphrase, which wouldn't be stored on the device itself or in any backup.

2 Likes

An alternative to consider is to (manually or automatically) archive/copy the content and recreate it on a new website hosting system; that way you just need to have control of the domain DNS and point it to the new service.

3 Likes
