Can't Renew Cert on Some Domains

A "renewal" is actually just another new one.
There is no way to make even the tiniest of modifications to a cert.
Any change requires a new cert.
"renewal" is just for humans to "understand" the process.

When your credit card expires they issue you a new one.
You can think of it as renewing the previous card, but the truth is they are two completely independent cards [sometimes even the entire number can change].
In that same sense, certs change just as completely.

Gotcha. So I can just issue another cert and then do the same thing I did in the nginx config for git.sunriselabs.com, correct?

Yes.
But I would try to avoid the default name on the next one:

You can do so with the --cert-name parameter.
You can give it a nice short friendly name:
--cert-name git

And be sure not to include --force-renewal in any script.
[only use once - when needed]

Awesome. That makes sense and then I just reload the nginx config correct?


Then you ensure nginx is using the latest live paths.
Then you can restart nginx.

Your forced issuance uses certonly.
That will NOT install the cert, nor make any nginx modifications for you.
[most are already in place from previous installs - you only need to confirm/update the cert paths]

Like this would no longer be up-to-date:

As compared to what is shown by:
certbot certificates

# Configuration for Jira - client_max_body_size must be at least the max allowed attachment size

server {
    listen 80;
    server_name jira.sunriselabs.com;
    location / {
        return 301 https://$host$request_uri;
    }
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
}
server {
    listen 443 ssl;
    server_name jira.sunriselabs.com;
    proxy_read_timeout 600s;
    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://jira:8080;
        client_max_body_size 50M;
    }
    ssl_certificate /etc/letsencrypt/live/jira.sunriselabs.com-0002/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jira.sunriselabs.com-0002/privkey.pem;
    include /etc/letsencrypt/conf/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
}

OK that should work for JIRA.
Now you still need to do GIT.
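
The path check discussed in this thread (nginx's `ssl_certificate` lines versus what `certbot certificates` reports), as an added example that is not part of the original posts: it flags server blocks that still point at an older lineage when certbot holds a newer one for the same name. The hostnames, sample output and function names are constructed for illustration, and it assumes sequential `server` blocks and the standard `certbot certificates` field labels.

```python
import re

# Constructed sample of `certbot certificates` output: two lineages cover one name.
CERTBOT_OUT = """\
  Certificate Name: jira.example.test-0001
    Domains: jira.example.test
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 5 days)
    Certificate Path: /etc/letsencrypt/live/jira.example.test-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/jira.example.test-0001/privkey.pem
  Certificate Name: jira.example.test-0002
    Domains: jira.example.test
    Expiry Date: 2030-03-25 00:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/jira.example.test-0002/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/jira.example.test-0002/privkey.pem
"""
# Constructed nginx config that still points at the older lineage.
NGINX_CONF = """\
server {
    listen 443 ssl;
    server_name jira.example.test;
    ssl_certificate /etc/letsencrypt/live/jira.example.test-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jira.example.test-0001/privkey.pem;
}
"""

def newest_lineages(text):
    """Map each domain to (expiry, cert_path, key_path) of its latest-expiring lineage."""
    best = {}
    for block in re.split(r"^\s*Certificate Name:", text, flags=re.M)[1:]:
        get = lambda k: re.search(rf"^\s*{k}:\s*(.+)$", block, re.M).group(1).strip()
        entry = (get("Expiry Date")[:19], get("Certificate Path"), get("Private Key Path"))
        for domain in get("Domains").split():
            best[domain] = max(entry, best.get(domain, entry))
    return best

def stale_cert_paths(conf, certbot_text):
    """Return (server_name, configured_cert, expected_cert) for each mismatch."""
    newest, findings = newest_lineages(certbot_text), []
    for body in re.split(r"\bserver\s*\{", conf)[1:]:
        d = dict(re.findall(r"^\s*(ssl_certificate_key|ssl_certificate|server_name)\s+([^;]+);", body, re.M))
        have = (d.get("ssl_certificate"), d.get("ssl_certificate_key"))
        for name in d.get("server_name", "").split():
            if name in newest and have[0] and have != newest[name][1:]:
                findings.append((name, have[0], newest[name][1]))
    return findings

if __name__ == "__main__":
    for name, have, want in stale_cert_paths(NGINX_CONF, CERTBOT_OUT):
        print(f"{name}: nginx uses {have}, newest lineage is {want}")
```

On a real host, feed it the text of the nginx site file and the captured output of `certbot certificates`; an empty result means every TLS server block already references the newest lineage for its name.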

Both are done and the certs have been updated for the 3 month window! Thank you so much for everything. I'm the devops engineer here so I have to read the Certbot/LetsEncrypt documentation to bone up on this. This community is amazing!


Perfect!

Cheers from Miami :beers:

Cheers from Maine! Thanks again!
