Renewing certificate manually behind firewall

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Ubuntu 18.04 LTS

My hosting provider, if applicable, is: Digital Ocean (self-managed)

I can login to a root shell on my machine (yes or no, or I don't know): Yes, SSH key

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
I do not use the Digital Ocean Control panel to manage my site. I primarily use SSH for certbot issues.
I use SSH and the ERPNext-frontend for ERPNext-setup issues

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.22.0

Good day
I have installed a certbot cert on my ERPNext server on 8 Nov.

Command used during installation:
sudo snap install --classic certbot

According to the command:
sudo openssl x509 -dates -noout -in /etc/letsencrypt/live/

it must be renewed before 6 Feb 2022.

I know I am well before that date, but I am just preparing so that I do not have to scramble at the last minute.

When I did a dry run:
sudo certbot renew --dry-run
it failed, and I realised why: my firewall is pretty tight, which I am 100% sure caused the failure.
This means I cannot rely on the auto-renewal and I have to do it manually.

I did some googling and wish to confirm that this is in fact correct.
So, to do the renewal manually, I shall relax the firewall and then run the command:
certbot -d, --force-renewal

I would like to confirm that this is correct.

Many thanks

No, it's not, on multiple parts.

Depending on how you got your certificate in the first place, there's nothing wrong with just running sudo certbot renew after you've relaxed your firewall. (Preferably that wouldn't be necessary, e.g. by making a relaxed firewall rule for access to /.well-known/acme-challenge so automation is possible.) You don't necessarily have to run certbot with the -d commands, unless you've actually used the --manual plugin, but from the limited info you've given here I don't think you did.

Also, never use --force-renewal unless it's absolutely necessary. In your case, for regular but manual renewals, it's not necessary.
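The two checks behind the question and the answer above (is the certificate inside certbot's renewal window, and how to let port 80 serve only the challenge path instead of "relaxing" the firewall), as an added example that is not part of the original thread and not certbot's own code. It assumes bash and GNU date (both standard on Ubuntu 18.04); the openssl output it parses is a constructed sample, and the webroot path /var/www/letsencrypt is a hypothetical choice for the --webroot authenticator, which the post does not name.

```bash
#!/usr/bin/env bash
# Added example, not from the original thread. Given the output of
#   sudo openssl x509 -dates -noout -in /etc/letsencrypt/live/<domain>/cert.pem
# it works out how many days remain and whether `certbot renew` would act today,
# and writes the nginx snippet that lets port 80 serve only the HTTP-01
# challenge path, so the firewall only needs to admit TCP/80 rather than being
# relaxed as a whole. Assumes bash and GNU date (both present on Ubuntu 18.04).
set -eu

# Constructed sample of `openssl x509 -dates -noout` output (not real data):
# a 90-day certificate issued 8 Nov 2021, as in the post.
SAMPLE_DATES='notBefore=Nov  8 10:15:22 2021 GMT
notAfter=Feb  6 10:15:21 2022 GMT'

# Certbot's default renew_before_expiry is 30 days: `certbot renew` only
# renews certificates that expire within this window and skips the rest.
RENEW_BEFORE_DAYS=30

# Hypothetical webroot for the --webroot authenticator (not from the post).
ACME_WEBROOT=/var/www/letsencrypt

# days_left "<openssl -dates output>" <now_epoch_seconds>
# Prints whole days until notAfter; negative once the certificate has expired.
days_left() {
  local dates="$1" now="$2" not_after expiry
  not_after=$(printf '%s\n' "$dates" | sed -n 's/^notAfter=//p')
  expiry=$(date -u -d "$not_after" +%s)   # GNU date parses the openssl format
  echo $(( (expiry - now) / 86400 ))
}

# renewal_due "<openssl -dates output>" <now_epoch_seconds>
# Exit status 0 when certbot would renew today, 1 when it would skip.
renewal_due() {
  local d
  d=$(days_left "$1" "$2")
  [ "$d" -lt "$RENEW_BEFORE_DAYS" ]
}

# write_acme_snippet <path>
# Writes an nginx snippet for the port-80 server block: challenge files are
# served from ACME_WEBROOT, everything else is redirected to HTTPS, so opening
# TCP/80 in the firewall exposes nothing but the ACME path.
write_acme_snippet() {
  cat > "$1" <<EOF
# ACME HTTP-01 challenges (certbot --webroot -w $ACME_WEBROOT)
location ^~ /.well-known/acme-challenge/ {
    root $ACME_WEBROOT;
    default_type "text/plain";
}
# Everything else on port 80 goes to HTTPS.
location / {
    return 301 https://\$host\$request_uri;
}
EOF
}

# Stand-alone demo: check the sample certificate against the current clock.
now=$(date -u +%s)
printf 'Days left: %s\n' "$(days_left "$SAMPLE_DATES" "$now")"
if renewal_due "$SAMPLE_DATES" "$now"; then
  echo "Within ${RENEW_BEFORE_DAYS} days: 'sudo certbot renew' would renew now."
else
  echo "More than ${RENEW_BEFORE_DAYS} days left: 'sudo certbot renew' would skip it (no --force-renewal needed)."
fi
snippet=$(mktemp)
write_acme_snippet "$snippet"
echo "nginx snippet written to $snippet"
```

Let's Encrypt validates HTTP-01 challenges from several vantage points whose addresses are not published, so the firewall rule has to admit inbound TCP/80 from anywhere (with ufw: sudo ufw allow 80/tcp); the nginx snippet is what keeps that exposure limited to the challenge path. With that in place, sudo certbot renew --dry-run should pass and the snap's timer can renew unattended; --force-renewal stays unnecessary, because certbot simply skips certificates that are still outside the 30-day window.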


Thank you.

I will use 'sudo certbot renew' then.

