Renewing SSL Certificates with Certbot Apache and TLS-SNI Challenge


#1

I want to renew my website's SSL certificate. What are the steps to follow to renew my SSL certificate, and how do I confirm my SSL certificate's expiry date and time?
And how do I check when my SSL certificate expires?


#2

Hi @Sunil_Kumar,

How did you originally obtain and install your certificate?

You can find the expiry date of your certificate by viewing its details in a browser while visiting your site. Unfortunately Google Chrome has recently changed their interface to make this much more difficult than it used to be. :frowning:

In Firefox, click on the lock icon, then the right arrow, then More Information, then View Certificate. The expiry date of your certificate will be stated.

In recent versions of Chrome and Chromium, press F12, then click Security, then View Certificate. The expiry date of your certificate will be stated.


#3

(which might itself be hidden behind a » icon)


#4

Thanks, it’s very helpful for me and other admins. And when we renew our SSL certificate, which files are affected, so we first take a backup of all files. After the renewal process is completed, it's required to restart the web server service.


#5

Hi @Sunil_Kumar,

You haven’t explained what software you used to obtain the certificate.

There are dozens of different applications that can get Let’s Encrypt certificates, and that’s not even counting control panel and hosting provider integrations. The means of renewing a certificate will depend on how it was originally obtained.


#6

@schoen Sir, I am using the Apache web server and my OS is CentOS 6. Today I ran the test command, but I am finding errors in the output. What are the steps to follow to resolve this issue? Please guide me. Or we can create a new certificate for our domain and subdomains. See the error below:
Upgrading certbot-auto 0.11.1 to 0.14.0…
Replacing certbot-auto…
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/live.xxxxxxx.org.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for live.xxxxxxxxxxxxx.org
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/live.xxxxxxxxxxxxx.org.conf produced an unexpected error: Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again… Skipping.


Processing /etc/letsencrypt/renewal/trial.xxxxxxxxxxxx.org.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for trial.safetylabs.org
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/trial.xxxxxxxxxxxx.org.conf produced an unexpected error: Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again… Skipping.


Processing /etc/letsencrypt/renewal/xxxxxxxxxxxxxx.org.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for xxxxxxxxxxxxx.org
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/safetylabs.org.conf produced an unexpected error: Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again… Skipping.


Processing /etc/letsencrypt/renewal/support.xxxxxxxxxxx.org.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for support.safetylabs.org
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/support.xxxxxxxxxxxx.org.conf produced an unexpected error: Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again… Skipping.
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/live.xxxxxxxxxxxx.org/fullchain.pem (failure)
/etc/letsencrypt/live/trial.xxxxxxxxxxxx.org/fullchain.pem (failure)
/etc/letsencrypt/live/xxxxxxxxx.org/fullchain.pem (failure)
/etc/letsencrypt/live/support.xxxxxxxxxx.org/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
4 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

#7

You are trying to use the TLS-SNI challenge, so here is a review of how it works: https://tools.ietf.org/html/draft-ietf-acme-acme-06#section-8.3

In order to help, can you let us know what commands you ran?

Andrei


#8

Hi @Sunil_Kumar,

I am still waiting for your answer about how you originally obtained the certificate. Certbot tries to use the same method to renew the certificate that was originally used to obtain it.

It looks like you may have used --standalone when you originally obtained the certificate. This is usually only appropriate on systems that are not running a web server. It looks like your system is running a web server and therefore --standalone has a conflict with that web server.

It would be very helpful to know more details about your system and what command you originally used when obtaining the certificate.


#9

This is, again, because Certbot saves the choice of methods that you used when first obtaining the certificate, and uses that method automatically when you try to renew it. Therefore, the details and circumstances about how the certificate was first obtained are still relevant because they are guiding the program’s attempt to authenticate for renewal purposes.
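
The saved method described above can be read directly from Certbot's renewal files. The following is an added example, not part of the original posts: it assumes the `key = value` layout with a `[renewalparams]` section and an `authenticator` key that Certbot writes under /etc/letsencrypt/renewal/, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): show which authenticator Certbot
# saved for each certificate, to spot renewals that will need port 443.
# Assumed layout: "key = value" lines under a [renewalparams] section.

# Print the value of KEY ($2) from the [renewalparams] section of FILE ($1).
renewal_param() {
    awk -v key="$2" '
        /^\[/ { in_params = ($0 == "[renewalparams]"); next }
        in_params && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# standalone starts its own listener, so it fails with "Could not bind TCP
# port 443" while Apache is running; apache, nginx and webroot validate
# through the running web server instead.
renewal_verdict() {
    case "$(renewal_param "$1" authenticator)" in
        standalone)           echo conflict ;;
        apache|nginx|webroot) echo ok ;;
        *)                    echo unknown ;;
    esac
}

# One line per renewal file: certificate name, authenticator, verdict.
audit_renewals() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        printf '%s\t%s\t%s\n' "$(basename "$conf" .conf)" \
            "$(renewal_param "$conf" authenticator)" "$(renewal_verdict "$conf")"
    done
}

# Constructed sample files; on a real host run:
#   audit_renewals /etc/letsencrypt/renewal
demo_dir=$(mktemp -d)
printf '%s\n' 'cert = /etc/letsencrypt/live/live.example.org/cert.pem' \
    '[renewalparams]' 'authenticator = standalone' 'installer = None' \
    > "$demo_dir/live.example.org.conf"
printf '%s\n' '[renewalparams]' 'authenticator = apache' 'installer = apache' \
    > "$demo_dir/www.example.org.conf"
audit_renewals "$demo_dir"
```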


#10

Today I worked on it; it's done after 3 hours. First stop the web server, then run certbot-auto renew.


#11

Thanks to all of you and Let's Encrypt for the support.

