What is the proper procedure to renew a certificate?
The ultimate goal is to auto renew using cron. But for now a cli renewal is adequate.
Two certificates located here:
(1) /home/name/gitprojects/dehydrated/certs/application.server1.com
(a) For reverse proxy within virtual host container for application on LAN behind firewall
(b) interactive DNS challenge using TXT RR
(2) /etc/letsencrypt/live/server1.com/
(a) Main server for other virtual host not behind firewall
After looking over the documentation the proper command to renew certificates is not clear from the following iterations:
<> certbot renew
<> certbot-renew
<> certbot-auto renew
(b) Location (1) does not contain an iteration of renew.
Both certificates were obtained differently (1) DNS challenge TXT RR and (2) certbot. How are the certificates renewed and what are the proper commands / procedures to renew the certificates?
Certbot can’t renew the certificates that were obtained using dehydrated; I guess you’ll have to use dehydrated for that.
For renewing the certificate under /etc/letsencrypt, you should run certbot renew if you originally obtained the certificate running certbot, and certbot-auto renew if you originally obtained the certificate running certbot-auto (possibly with a path such as the /home/name/letsencrypt/certbot-auto). These are different ways of running the Certbot software depending on how you’ve installed it. In either case, you should run it in the same way you did before, adding renew as a separate word (which we sometimes call a “verb”, “action”, or “subcommand” within Certbot).
(1) This method requires that port 443 is not in use by another process. In other words, stop the web server or the process binding to port 443.
systemctl stop httpd … or …
systemctl stop apache2
(2) certbot-auto is a script which is not in a command path so provide the path or cd to the directory where certbot-auto is located. Precede the script with “./”
./certbot-auto renew
< successful renew output >
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for server.com
tls-sni-01 challenge for www.server.com
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/server.com/fullchain.pem
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/server.com/fullchain.pem (success)
< restart web server! >
systemctl restart httpd … or …
systemctl restart apache2
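
The stop, renew, restart steps from the post above, wrapped for the cron use the question mentions, as an added example that is not part of the original thread. It only stops the web server when the certificate is within 30 days of expiry, and it starts the server again even if the renewal fails. The certbot-auto path, certificate path and service name are assumptions taken from values that appear in the thread; the variable and function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Every default below is an assumption;
# override it through the environment to match the real installation.
CERTBOT="${CERTBOT:-/home/name/letsencrypt/certbot-auto}"
CERT="${CERT:-/etc/letsencrypt/live/server.com/fullchain.pem}"
WEB_SERVICE="${WEB_SERVICE:-apache2}"
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
OPENSSL="${OPENSSL:-openssl}"
RENEW_WINDOW="${RENEW_WINDOW:-2592000}"   # 30 days, in seconds

# Returns 0 when the certificate expires within RENEW_WINDOW seconds.
# "openssl x509 -checkend N" exits 0 if the cert is still valid N seconds
# from now; an unreadable or missing file also counts as "due" here.
cert_is_due() {
    if "$OPENSSL" x509 -checkend "$RENEW_WINDOW" -noout -in "$CERT" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Exit codes: 0 = nothing to do or renewed, 1 = renewal failed,
#             2 = web server could not be stopped, 3 = it did not start again.
renew_if_due() {
    cert_is_due || return 0          # not due: leave the web server alone
    "$SYSTEMCTL" stop "$WEB_SERVICE" || return 2
    rc=0
    "$CERTBOT" renew --quiet || rc=1
    # Start the web server even when renewal failed, so a failed
    # renewal does not leave port 443 unserved.
    "$SYSTEMCTL" start "$WEB_SERVICE" || return 3
    return "$rc"
}

# Only act when called with --run, e.g. from root's crontab.
if [ "${1:-}" = "--run" ]; then
    renew_if_due
    exit $?
fi
```

Call the script with `--run` from root's crontab; a non-zero exit code tells cron's mail or a monitoring wrapper which step failed.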