I ran this command:
letsencrypt-auto renew --dry-run
The output looked promising at first, but then I noticed that it was planning to generate fullchain.pem. I’m using Apache 2.4.7 on Ubuntu 14.04 and letsencrypt-auto version 0.5.0.
According to http://letsencrypt.readthedocs.org/en/latest/using.html#where-are-my-certificates that will not work:
cert.pem
Server certificate only.
This is what Apache < 2.4.8 needs for SSLCertificateFile.
chain.pem
All certificates that need to be served by the browser excluding server certificate, i.e. root and intermediate certificates only.
This is what Apache < 2.4.8 needs for SSLCertificateChainFile, and what nginx >= 1.3.7 needs for ssl_trusted_certificate.
This matches my current apache config files. I understand that fullchain.pem is these two files concatenated. Is there any way to force letsencrypt-auto to output chain.pem and cert.pem so I can automate renewal?
I’ve googled and searched this forum, looked through ‘letsencrypt-auto --help all’ and even grepped the letsencrypt-auto script, and cannot find anything that will make letsencrypt-auto do this.
Workarounds I have rejected:
I’m not upgrading Ubuntu since I plan to stick to only LTS versions and 16.x is not out yet. I’m also not hand-compiling Apache either since it’s way too easy to forget about that for a long time, which is not OK in today’s security environment.
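The relationship described above (fullchain.pem is cert.pem followed by chain.pem), as an added example that is not part of the original post or of letsencrypt-auto: a Python check that splits a fullchain file into the two pieces Apache < 2.4.8 expects and confirms that the three files agree. The function names are hypothetical and the sample PEM bodies are constructed placeholders, not real certificates.

```python
import re

# Matches one PEM certificate block, including its BEGIN/END armor lines.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

def pem_blocks(text):
    """Return every certificate block in text, in file order, newline-normalized."""
    return [m.group(0).replace("\r\n", "\n") for m in PEM_CERT.finditer(text)]

def split_fullchain(fullchain_text):
    """Split fullchain.pem content into (cert_pem, chain_pem) strings.

    The first block is the server certificate; the remaining blocks are the chain.
    """
    blocks = pem_blocks(fullchain_text)
    if len(blocks) < 2:
        raise ValueError("expected a server certificate followed by a chain")
    return blocks[0] + "\n", "\n".join(blocks[1:]) + "\n"

def is_consistent(cert_text, chain_text, fullchain_text):
    """True when fullchain is exactly cert followed by chain, block for block."""
    cert = pem_blocks(cert_text)
    return len(cert) == 1 and cert + pem_blocks(chain_text) == pem_blocks(fullchain_text)

def _fake_pem(payload):
    # Constructed placeholder: the armor lines are real, the body is not a certificate.
    return f"-----BEGIN CERTIFICATE-----\n{payload}\n-----END CERTIFICATE-----\n"

# Constructed sample input standing in for the three files on disk.
SAMPLE_CERT = _fake_pem("U0VSVkVSLUNFUlQ=")
SAMPLE_CHAIN = _fake_pem("SU5URVJNRURJQVRF")
SAMPLE_FULLCHAIN = SAMPLE_CERT + SAMPLE_CHAIN

if __name__ == "__main__":
    cert, chain = split_fullchain(SAMPLE_FULLCHAIN)
    print("consistent:", is_consistent(cert, chain, SAMPLE_FULLCHAIN))
```

Run after a renewal, `is_consistent` on the real file contents catches a cert.pem or chain.pem that was not refreshed along with fullchain.pem.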