Renewing SSL in Debian 8.3

My SSL certificate expired today even though I’d set a cron task to automatically renew (by running /opt/letsencrypt/letsencrypt-auto renew).

I’ve checked the logs and it seems that the renewal was successful. Checking the /etc/letsencrypt/archive/{domain}/ folder shows the cert2.pem, chain2.pem, fullchain2.pem and privkey2.pem files and checking the /etc/letsencrypt/live/{domain}/ folder shows that cert.pem, chain.pem, fullchain.pem and privkey.pem are being symlinked over to these files. So this all seems correct.

I’ve just restarted apache manually now too but this hasn’t made a difference and my certificate is still showing as expired when I run the test at https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest

I don’t really know what else to try. I’m quite new to this and don’t really have a lot of experience managing servers. If someone could point me in the right direction I’d be very grateful. Thanks

Are you happy to provide your domain name?

What location is the apache.conf pointing to for the SSL certificates?

Sure OK - it’s buttercupstraining.co.uk. I set this up through bitnami, so I think it’s bitnami.conf file. In which I’ve got

    <VirtualHost _default_:443>
      DocumentRoot "/opt/bitnami/apache2/htdocs"
      Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
      SSLEngine on
      SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
      SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
      SSLCertificateChainFile "/opt/bitnami/apache2/conf/server-ca.crt"

There’s also a httpd-ssl.conf file where I’ve got SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt" and SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key" uncommented.

Hope that helps

It does, thanks

You did obtain a new cert on 25th July - so that has updated OK (i.e. your cron is running correctly).

Your apache config is not pointing to the new certs though. You can either correct the path in your conf file (from /opt/bitnami/apache2/conf/‘cert’ to /etc/letsencrypt/live/buttercupstraining.co.uk/‘cert’) or you could set up a symlink (it depends if bitnami uses that elsewhere … I don’t use bitnami so can’t say).

Once you have updated the apache config though, and reloaded apache, hopefully all will be good.

Thanks for the reply, that sounds promising. Just double checking as it doesn’t seem a like for like swap. So where I’ve got SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt" currently, I’d replace with /etc/letsencrypt/archive/{domain}/cert.pem ?

Yes,

SSLCertificateFile (was server.crt) should be cert.pem
SSLCertificateKeyFile (was server.key) should be privkey.pem
SSLCertificateChainFile (was server-ca.crt) should be chain.pem


Fantastic, that’s worked a treat. Thank you so much for your help 🙂

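An added example, not part of any post in this thread: a Python check for the mismatch diagnosed above, listing every SSLCertificate* directive whose path does not resolve to the files that the renewal updates under /etc/letsencrypt/live/{domain}/. The function names and the constructed sample tree are illustrative, and it assumes the directives use absolute paths, as the excerpts in the thread do.

```python
import os
import re
import tempfile

# Directive -> file name kept under live/<domain>/ (mapping given in the thread).
LIVE_NAME = {"sslcertificatefile": "cert.pem",
             "sslcertificatekeyfile": "privkey.pem",
             "sslcertificatechainfile": "chain.pem"}
# Commented-out lines start with '#' and never match; directive names are case-insensitive.
DIRECTIVE = re.compile(r'^\s*(SSLCertificate(?:Key|Chain)?File)\s+"?([^"\s]+)"?', re.I)

def audit(conf_files, live_dir):
    """List (line_no, directive, path, problem) for each directive that does
    not resolve to the file the renewal updates under live_dir."""
    findings = []
    for conf in conf_files:
        with open(conf, encoding="utf-8", errors="replace") as fh:
            for line_no, line in enumerate(fh, 1):
                m = DIRECTIVE.match(line)
                if not m:
                    continue
                name, path = m.groups()
                wanted = os.path.realpath(os.path.join(live_dir, LIVE_NAME[name.lower()]))
                if not os.path.exists(path):
                    findings.append((line_no, name, path, "file missing"))
                elif os.path.realpath(path) != wanted:  # a symlink into live/ passes
                    findings.append((line_no, name, path, "not the renewed file"))
    return findings

def build_sample(root):
    """Constructed tree: archive/ files, live/ symlinks, conf dir as in the thread."""
    arch, live, conf = (os.path.join(root, d) for d in ("archive", "live", "conf"))
    for d in (arch, live, conf):
        os.mkdir(d)
    for base in ("cert", "privkey", "chain"):
        open(f"{arch}/{base}2.pem", "w").close()
        os.symlink(f"{arch}/{base}2.pem", f"{live}/{base}.pem")
    open(f"{conf}/server.crt", "w").close()                  # stale copy
    os.symlink(f"{live}/privkey.pem", f"{conf}/server.key")  # the symlink option
    with open(f"{conf}/bitnami.conf", "w") as fh:
        fh.write(f'SSLCertificateFile "{conf}/server.crt"\n'
                 f'SSLCertificateKeyFile "{conf}/server.key"\n'
                 f'SSLCertificateChainFile "{conf}/server-ca.crt"\n')
    return [f"{conf}/bitnami.conf"], live

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit(*build_sample(tmp)):
            print(finding)
```

On a real host, pass the conf files named in the thread (bitnami.conf, httpd-ssl.conf) and the live/ directory for the domain; an empty result means every directive reaches the renewed files, directly or through a symlink.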