Help switch SSL from manual to autorenew

TLDR: I have an AWS Lightsail LAMP with PHP 7 server, no WordPress.. pretty much all defaults, base image.. I want to enable the auto-renew process for my SSL cert or replace it with a new one. Initial setup was using the AWS Lightsail instructions and certbot: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-lamp#request-a-lets-encrypt-certificate-lamp. I don't care how it's done going forward, I just want it auto-renewed with no intervention. I don't know how to undo the damage done already to get to where I can use some other solution or fix the current one.

Since this is all foreign to me, these are the questions I am looking to have answered directly, since the existing articles I have found are all useless to a noob and don't consider that you already have a valid SSL certificate.

My domain is:
www.techonlinetools.com

I ran this command:
SSL Request Successfully implemented using these steps:
Steps: [Tutorial: Using Let’s Encrypt SSL certificates with your LAMP instance in Amazon Lightsail | Lightsail Documentation](https://amazon lightsail useless steps)
my commands:
DOMAIN=techonlinetools.com
WILDCARD=*.$DOMAIN
echo $DOMAIN && echo $WILDCARD
# manual plugin + dns-01 challenge: certbot prompts for a TXT record on every run
# ($WILDCARD is quoted so the shell does not try to glob-expand the leading *)
sudo certbot -d "$DOMAIN" -d "$WILDCARD" --manual --preferred-challenges dns certonly

It worked, as in I got a working SSL cert, redirected my port 80 to 443, all was fine, and I don't have the output from the initial setup. The problem is, from their instructions they say..

now just do this again in 90 days

which is not ok!

So after I had a working SSL cert, I was double-checking the auto-renew steps and it does not work:
bitnami@ipxxxxx:~$ sudo certbot renew --dry-run

Dry Run Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/techonlinetools.com.conf


Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (techonlinetools.com) from /etc/letsencrypt/renewal/techonlinetools.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/techonlinetools.com/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/techonlinetools.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

My web server is (include version):
bitnami@ip-xxxxxx:~$ sudo httpd -v
Server version: Apache/2.4.46 (Unix)
Server built: Dec 21 2020 12:49:53

The operating system my web server runs on is (include version):
bitnami@ip-xxxxxx:~$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

My hosting provider, if applicable, is:
AWS LightSail LAMP Server with PHP 7

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
bitnami@ip-xxxxx:~$ certbot --version
certbot 0.31.0

Hi @jb2kewl

If you want a wildcard, DNS validation is required.

If your DNS provider doesn't support an API you can use, you have to do that manually.

Manual -> you can't use automation.

That's all.

--

So: Do you need a wildcard?

If not, switch to http validation.

PS: Checked that - Tutorial: Using Let’s Encrypt SSL certificates with your LAMP instance in Amazon Lightsail | Lightsail Documentation - you should check if there are other resources using Letsencrypt with Amazon without creating a wildcard.
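
The dry-run error in the first post and the "Manual -> you can't use automation" point above both come down to one line in the renewal config certbot writes to /etc/letsencrypt/renewal/<name>.conf. The script below is an added example (not from the thread, not part of certbot): it reads that file and reports whether `certbot renew` can complete unattended. The two sample configs it ships with are constructed: the manual one reflects what the thread's `--manual --preferred-challenges dns` run leaves behind (account line omitted), the webroot one shows the non-wildcard http-01 setup the reply recommends and assumes a docroot of /opt/bitnami/apache/htdocs, which the thread does not state.

```shell
#!/bin/sh
# Added example, not from the thread and not certbot's own code: read the
# renewal config certbot keeps in /etc/letsencrypt/renewal/<name>.conf and say
# whether `certbot renew` can finish without a human. The thread's failure is
# authenticator = manual with no manual_auth_hook, which certbot refuses to
# run non-interactively.

# Print one key's value from the [renewalparams] section. certbot writes list
# values with a trailing comma ("pref_challs = dns-01,"), stripped here.
renewal_param() {
    awk -v key="$2" '
        /^\[renewalparams\]/ { in_params = 1; next }
        /^\[/                { in_params = 0 }
        in_params && $0 ~ ("^" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "")
            sub(/,[ \t]*$/, "")
            print
            exit
        }' "$1"
}

# Classify a renewal config:
#   unattended        renew can run from cron or a systemd timer
#   interactive-only  renew fails with "An authentication script must be
#                     provided with --manual-auth-hook" (the thread's error)
#   unknown           no authenticator line found
renewal_mode() {
    auth="$(renewal_param "$1" authenticator)"
    hook="$(renewal_param "$1" manual_auth_hook)"
    case "$auth" in
        "")     echo unknown ;;
        manual) if [ -n "$hook" ]; then echo unattended; else echo interactive-only; fi ;;
        *)      echo unattended ;;   # webroot, apache, standalone, dns-route53 and other plugins
    esac
}

# One "<name> <mode>" line per renewal config in a directory.
renewal_report() {
    for conf in "$1"/*.conf; do
        [ -e "$conf" ] || continue
        printf '%s %s\n' "$(basename "$conf" .conf)" "$(renewal_mode "$conf")"
    done
}

# Constructed sample: what the thread's manual dns-01 certonly run leaves
# behind (paths as in the thread; account line omitted).
write_manual_sample() {
    cat > "$1" <<'EOF'
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/techonlinetools.com
cert = /etc/letsencrypt/live/techonlinetools.com/cert.pem
privkey = /etc/letsencrypt/live/techonlinetools.com/privkey.pem
chain = /etc/letsencrypt/live/techonlinetools.com/chain.pem
fullchain = /etc/letsencrypt/live/techonlinetools.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = manual
server = https://acme-v02.api.letsencrypt.org/directory
pref_challs = dns-01,
manual_public_ip_logging_ok = True
EOF
}

# Constructed sample for the non-wildcard, http-01 route the reply suggests.
# The docroot /opt/bitnami/apache/htdocs is an assumption, not from the thread.
write_webroot_sample() {
    cat > "$1" <<'EOF'
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/techonlinetools.com
cert = /etc/letsencrypt/live/techonlinetools.com/cert.pem
privkey = /etc/letsencrypt/live/techonlinetools.com/privkey.pem
chain = /etc/letsencrypt/live/techonlinetools.com/chain.pem
fullchain = /etc/letsencrypt/live/techonlinetools.com/fullchain.pem

[renewalparams]
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path = /opt/bitnami/apache/htdocs,
[[webroot_map]]
techonlinetools.com = /opt/bitnami/apache/htdocs
www.techonlinetools.com = /opt/bitnami/apache/htdocs
EOF
}

# Stand-alone: report on the real directory if given, else on the samples.
#   sudo sh renewal-check.sh /etc/letsencrypt/renewal
if [ -n "${1:-}" ]; then
    renewal_report "$1"
else
    tmp="$(mktemp -d)"
    write_manual_sample "$tmp/techonlinetools.com.conf"
    write_webroot_sample "$tmp/techonlinetools.com-0001.conf"
    renewal_report "$tmp"
    rm -rf "$tmp"
fi
```

Run against /etc/letsencrypt/renewal on the Lightsail box, any line reporting `interactive-only` is a cert that the cron/systemd `certbot renew` will skip with exactly the error shown in the first post; adding a `manual_auth_hook` (for example a script that updates Route 53) or re-issuing with a non-manual authenticator flips it to `unattended`.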

Yep, I don't need a wildcard and I didn't know there was that limitation. I am using AWS Route 53 for my DNS, so I am sure they have an API.. but really, like I said.. I don't need a wildcard for subdomains. I just need the typical base names:
techonlinetools.com
www.techonlinetools.com
So any idea how to correct this?
Do I just use the certbot instructions I can find for auto-renewals, request a non-wildcard SSL cert for my domain www.techonlinetools.com, and will it not reject the fact that I have a wildcard one right now?

First step: read the Certbot documentation:

https://certbot.eff.org/docs/using.html

There is a route53 plugin you can use with dns- and with http validation. So use it, with or without a wildcard.

But with Bitnami, you should always use the Bitnami integrated solution, nothing else.

It appears this is what I was looking for... just revoke it and delete it...

#################################
backup server keys to tmp
#################################
# $DOMAIN as set in the first post (techonlinetools.com)
sudo cp /opt/bitnami/apache/conf/bitnami/certs/server.key /tmp/server.key
sudo cp /opt/bitnami/apache/conf/bitnami/certs/server.crt /tmp/server.crt
sudo cp /etc/letsencrypt/live/$DOMAIN/privkey.pem /tmp/privkey.pem
sudo cp /etc/letsencrypt/live/$DOMAIN/fullchain.pem /tmp/fullchain.pem

change permissions so you can download the keys

# chmod +r with no "who" prefix adds read for owner, group AND other under the default umask,
# so both private keys become readable by every local account while they sit in /tmp;
# "sudo chown bitnami /tmp/server.key /tmp/privkey.pem" lets the sftp user read them without that
sudo chmod +r /tmp/server.key
sudo chmod +r /tmp/privkey.pem

now you can sftp these off the server as a backup

##################################
revoking and deleting a SSL Cert
##################################

Backup folder

sudo cp -r /etc/letsencrypt/ /tmp/letsencrypt.backup

List your certificates

sudo certbot certificates

Example output:

bitnami@ip-1.1.1.1:/tmp$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: techonlinetools.com
Domains: techonlinetools.com *.techonlinetools.com
Expiry Date: 2021-06-20 22:54:24+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/techonlinetools.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/techonlinetools.com/privkey.pem

bitnami@ip-1.1.1.1:/tmp$

Stop LAMP stack

sudo /opt/bitnami/ctlscript.sh stop

Revoke and Delete Certificates

Example from the web:

certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem --key-path /etc/letsencrypt/live/example.com/key.pem

sudo certbot revoke --cert-path /etc/letsencrypt/live/techonlinetools.com/fullchain.pem --key-path /etc/letsencrypt/live/techonlinetools.com/privkey.pem

---- example screen output from running this ----
bitnami@ip-1.1.1.1:/tmp$ sudo certbot revoke --cert-path /etc/letsencrypt/live/techonlinetools.com/fullchain.pem --key-path /etc/letsencrypt/live/techonlinetools.com/privkey.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Would you like to delete the cert(s) you just revoked, along with all earlier
and later versions of the cert?

(Y)es (recommended)/(N)o: y

Deleted all files relating to certificate techonlinetools.com.

Congratulations! You have successfully revoked the certificate that was located
at /etc/letsencrypt/live/techonlinetools.com/fullchain.pem

bitnami@ip-1.1.1.1:/tmp$

Start LAMP stack

sudo /opt/bitnami/ctlscript.sh start

And Apache fails after this, as it seems you need to adjust a few configs.. but whatever.. I am just going to wipe the server and start over without hassling with the initial garbage setup recommended by the document I found online.
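
The backup step in the post above copies server.key and privkey.pem to /tmp and runs `chmod +r` on them so the sftp user can fetch them; with the default umask that leaves both private keys readable by every local account. The script below is an added example (not from the thread, not Bitnami's or certbot's code) that takes the same backup as one tarball that is 0600 and owned by the login user, and then checks the archive for any private key stored with group/other read bits. It assumes the login user is "bitnami" and uses the Bitnami paths from the thread; the demo tree in the test is constructed and contains no real keys.

```shell
#!/bin/sh
# Added example, not from the thread: take the same backup the last post takes
# (Bitnami server.key/server.crt plus the /etc/letsencrypt tree) without a
# world-readable private key in /tmp. `chmod +r` on those files gives read to
# owner, group and other under the usual umask; here the copies go into one
# tarball that is 0600 and owned by the login user, so sftp can fetch it and
# nobody else on the box can read it.
# Assumptions (not from the thread): the login user is "bitnami"; paths are the
# Bitnami defaults the thread uses.

# backup_keys <out_tar> <owner> <path>...
backup_keys() {
    out="$1"; owner="$2"; shift 2
    # umask 077 in a subshell: the archive is created 0600, never 0644 first
    ( umask 077 && tar -cf "$out" "$@" ) || return 1
    chmod 600 "$out" && chown "$owner" "$out"
}

# Octal mode of a file (GNU/busybox stat).
file_mode() { stat -c %a "$1"; }

# Return 0 if every private key stored in the tarball (by name: *.key,
# privkey.pem, privkeyN.pem) has no group/other permission bits, 1 otherwise.
# tar -tv prints the stored mode as the first field; symlinks (the live/
# entries certbot keeps) are skipped because their mode is always 777.
tar_keys_private() {
    tar -tvf "$1" | awk '
        $1 !~ /^l/ && $NF ~ /(\.key|privkey[0-9]*\.pem)$/ && substr($1, 5, 6) != "------" { bad = 1 }
        END { exit bad + 0 }'
}

# Stand-alone use on the thread's paths (run as root, then sftp the tarball):
#   sudo sh backup-keys.sh /tmp/certs-backup.tar bitnami \
#       /etc/letsencrypt /opt/bitnami/apache/conf/bitnami/certs
if [ $# -ge 3 ]; then
    backup_keys "$@" || exit 1
    if tar_keys_private "$1"; then
        echo "ok: mode $(file_mode "$1") on $1, no key readable by group/other"
    else
        echo "warning: $1 contains a private key with group/other read bits" >&2
        exit 2
    fi
fi
```

After the tarball is downloaded, `rm` it; the point of 0600 plus a single owner is that the key material never has a moment where another local user, or a PHP process running under the web server account, could copy it.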
