Renew HTTPS certificates automatically


#1

Hello, I have a question. Some time ago I created some certificates for my server, but I have not received any email to renew them. I would like to know if the automatic renewal is done on its own or whether you have to configure it; if so, where can I find the steps to follow so that they are renewed on their own?

my domain is: 4544488f-b4d1-4889-a497-a4482a15a590.clouding.host


#2

Your certificate hasn’t been renewed – or, if it has, it was very recently, and your web server isn’t using it.

https://crt.sh/?q=4544488f-b4d1-4889-a497-a4482a15a590.clouding.host

If you provided Let’s Encrypt with your email address, I think they’ll send you an email today.

You’ll have to explain more about the software you’re using and environment for us to be able to provide any information about how to set up automatic renewal using it.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


#3

My domain is:
4544488f-b4d1-4889-a497-a4482a15a590.clouding.host

I ran this command:
I don't see this command

It produced this output:
¿?¿?¿

My web server is (include version):

  • node server version 8.10.0
  • Apache/2.4.29

The operating system my web server runs on is (include version):

  • Ubuntu

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

  • Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

  • No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

  • Certbot 0.26.1

#4

Hmm, how did you install certbot? Based on your Apache version I assume you’re on Ubuntu Bionic - the latest version there is 0.23.0 and the latest version in the PPA is 0.28.0. Maybe you installed it from the PPA but haven’t updated it?

If you installed it from the PPA, it should automatically set up a systemd timer to run twice a day to check if your certificates are close to expiring and attempt to renew them if so. If you installed it some other way you might need to set up such a timer or cron job yourself.

If it doesn’t seem to be working, you can try running certbot renew manually, and see if it works (which would indicate that the problem is with the systemd timer) or if it produces an error of some sort that may need to be fixed before you can renew.


#5

I don’t know if this is intentional, but the https site refuses connections and the http site returns:

Since HTTP is open and available you should be able to get a cert.


#6

Hi @SahJ

before you create a new certificate, you should change your directory structure.

And you should remove the option to list directories via browser.

Certificates and private keys are nothing to store in the webroot.

Your private key is compromised.


#7

Confirmed:

openssl x509 -noout -modulos -in cert.pem | openssl sha256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

openssl x509 -noout -modulos -in privkey.pem | openssl sha256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
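
A key-to-certificate check of the kind post #7 runs, as an added example that is not part of the original thread: it compares the public key in cert.pem with the one derived from privkey.pem and refuses to report a match when either file cannot be parsed. The guard matters because the digest shown above is the SHA-256 of empty input, which is what any command that writes nothing to stdout hashes to. The function names are hypothetical; the file names follow the posts.

```shell
#!/bin/sh
# Added example (not from the thread): does privkey.pem belong to cert.pem?
# Function names are hypothetical; file names follow the posts above.

# Print the SHA-256 of the PEM-encoded public key, or fail with no output.
#   $1 = "cert" or "key"   $2 = path to the PEM file
pubkey_digest() {
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        *)    return 1 ;;
    esac
    # Never hash an empty extraction: SHA-256 of empty input is a fixed
    # value, so two failed commands would otherwise "match" each other.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit status: 0 = key matches cert, 1 = mismatch, 2 = unreadable input.
key_matches_cert() {
    c=$(pubkey_digest cert "$1") || return 2
    k=$(pubkey_digest key "$2") || return 2
    [ -n "$c" ] && [ -n "$k" ] || return 2
    [ "$c" = "$k" ]
}

# Stand-alone use: sh check.sh cert.pem privkey.pem
if [ "$#" -eq 2 ]; then
    rc=0
    key_matches_cert "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "private key matches certificate" ;;
        1) echo "private key does NOT match certificate" ;;
        *) echo "could not parse certificate or key; no conclusion" ;;
    esac
fi
```

Comparing the extracted public keys works for RSA and EC keys alike, since both commands emit the same PEM encoding of the public key.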


#8

Thank you very much for the help. I changed what you told me and fixed the error from certbot renew, though I do not know whether it will be renewed automatically.


#9

Yep, now your directory listing is forbidden.

But your privkey already exists in your directory structure.

http://4544488f-b4d1-4889-a497-a4482a15a590.clouding.host/privkey.pem

Don’t save the key in the directory structure.