SSL renew for wordpress site hosted on AWS


#1

Hi,

I got an email this morning regarding the SSL cert expiring in 10 days. Please find the email message below.

I am an amateur developer. I followed a lot of documentation online, but nothing helped me. Can anyone help with this? I do not want my site down, as many of my clients view the site on a daily basis.

Let me know if you need my credentials.

My Site is on WordPress: https://learn.oysteer.co.nz
Hosted on AWS (Linux server)


Your certificate (or certificates) for the names listed below will expire in
10 days (on 18 Mar 18 20:17 +0000). Please make sure to renew
your certificate before then, or visitors to your website will encounter errors.


#2

How did you issue and install the certificate in the first place?


#3

It was a free certificate my previous developer set it up. I can provide you my details if required to look into it.


#4

Let’s Encrypt certificates have a 90 day duration.

If your developer issued it manually, then it’s not going to renew itself. But if your developer used some client software (such as Certbot) to set it up, then it should be renewing automatically, although it is possible that the process is failing for some reason.

I would try to find out what your developer did, so you can figure out what to do next.


#5

Thanks a lot for that.

Yes please. How do I share my details?


#6

What details? Ask your developer how they set this up, and let us know here.

Alternatively, you can try to figure out what they did by doing some minor investigation. What do the following two commands show?

sudo grep -REi "(SSLCertificateFile|SSLCertificateKeyFile)" /etc/{httpd,apache2}
sudo find /etc/letsencrypt

#7

Is it fine if I get back to you in few hours with the command line response?


#8

Of course, you have 10 days to sort it out, plenty of time :smiley: .


#9

By details I mean my server credentials.


#10

Thanks a ton! Sure will get back soon.


#11

Just one more query, I get this “The SSL certificate used to load resources from https://embedwistia-a.akamaihd.net will be distrusted in M70. Once distrusted” error in the console.

It seems Google will distrust my site. Will the renewal fix this as well?


#12

Your site is using some external resource that is hosted by Akamai (looks like wistia video sharing?).

This has nothing to do with your website’s own certificate. You would need to ask Wistia about it.


#13

Hi,

As per your advice, I got the following output for the command line:

  1. sudo grep -REi "(SSLCertificateFile|SSLCertificateKeyFile)" /etc/{httpd,apache2}

Output:
/etc/apache2/sites-available/learn.conf: SSLCertificateFile /etc/letsencrypt/live/blog.oysteer.co.nz/fullchain.pem
/etc/apache2/sites-available/learn.conf: SSLCertificateKeyFile /etc/letsencrypt/live/blog.oysteer.co.nz/privkey.pem
/etc/apache2/sites-available/default-ssl.conf: # SSLCertificateFile directive is needed.
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
/etc/apache2/sites-available/default-ssl.conf: # the referenced file can be the same as SSLCertificateFile
/etc/apache2/sites-available/blog.conf: SSLCertificateFile /etc/letsencrypt/live/blog.oysteer.co.nz/fullchain.pem
/etc/apache2/sites-available/blog.conf: SSLCertificateKeyFile /etc/letsencrypt/live/blog.oysteer.co.nz/privkey.pem
/etc/apache2/sites-enabled/learn.conf: SSLCertificateFile /etc/letsencrypt/live/blog.oysteer.co.nz/fullchain.pem
/etc/apache2/sites-enabled/learn.conf: SSLCertificateKeyFile /etc/letsencrypt/live/blog.oysteer.co.nz/privkey.pem
/etc/apache2/sites-enabled/blog.conf: SSLCertificateFile /etc/letsencrypt/live/blog.oysteer.co.nz/fullchain.pem
/etc/apache2/sites-enabled/blog.conf: SSLCertificateKeyFile /etc/letsencrypt/live/blog.oysteer.co.nz/privkey.pem

  2. sudo find /etc/letsencrypt

Output:
/etc/letsencrypt
/etc/letsencrypt/renewal-hooks
/etc/letsencrypt/renewal-hooks/deploy
/etc/letsencrypt/renewal-hooks/post
/etc/letsencrypt/renewal-hooks/pre
/etc/letsencrypt/renewal
/etc/letsencrypt/renewal/blog.oysteer.co.nz.conf
/etc/letsencrypt/live
/etc/letsencrypt/live/blog.oysteer.co.nz
/etc/letsencrypt/live/blog.oysteer.co.nz/chain.pem
/etc/letsencrypt/live/blog.oysteer.co.nz/privkey.pem
/etc/letsencrypt/live/blog.oysteer.co.nz/fullchain.pem
/etc/letsencrypt/live/blog.oysteer.co.nz/cert.pem
/etc/letsencrypt/live/blog.oysteer.co.nz/README
/etc/letsencrypt/csr
/etc/letsencrypt/csr/0000_csr-certbot.pem
/etc/letsencrypt/keys
/etc/letsencrypt/keys/0000_key-certbot.pem
/etc/letsencrypt/.updated-options-ssl-apache-conf-digest.txt
/etc/letsencrypt/archive
/etc/letsencrypt/archive/blog.oysteer.co.nz
/etc/letsencrypt/archive/blog.oysteer.co.nz/cert1.pem
/etc/letsencrypt/archive/blog.oysteer.co.nz/privkey1.pem
/etc/letsencrypt/archive/blog.oysteer.co.nz/fullchain1.pem
/etc/letsencrypt/archive/blog.oysteer.co.nz/chain1.pem
/etc/letsencrypt/options-ssl-apache.conf
/etc/letsencrypt/accounts
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/b6075da11971a0c616ce77268c4ebead
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/b6075da11971a0c616ce77268c4ebead/meta.json
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/b6075da11971a0c616ce77268c4ebead/regr.json
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/b6075da11971a0c616ce77268c4ebead/private_key.json

Please advise what command I need to run to renew my certificate.

I see that the certificates are saved at the following paths:

/etc/letsencrypt/live/blog.oysteer.co.nz/fullchain.pem
/etc/letsencrypt/live/blog.oysteer.co.nz/privkey.pem
/etc/letsencrypt/live/blog.oysteer.co.nz/cert.pem
/etc/letsencrypt/live/blog.oysteer.co.nz/chain.pem

Thanks


#14

Well, that’s good.

Your developer used Certbot to issue the certificate, so you should be able to fix the renewal fairly simply.

You need to figure out whether he used Certbot or certbot-auto. Try:

sudo find / -type f -name certbot -o -name certbot-auto 2>/dev/null

#15

for sudo find / -type f -name certbot -o -name certbot-auto 2>/dev/null

Output:

/opt/letsencrypt/certbot-auto
/opt/eff.org/certbot/venv/bin/certbot


#16

Great.

Try:

/opt/letsencrypt/certbot-auto certificates

and

/opt/letsencrypt/certbot-auto renew

#17

First command went well.

Second command (/opt/letsencrypt/certbot-auto renew), gave me following error:


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/blog.oysteer.co.nz/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: blog.oysteer.co.nz
    Type: unknownHost
    Detail: No valid IP addresses found for blog.oysteer.co.nz

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • The following errors were reported by the server:

    Domain: learn.oysteer.co.nz
    Type: tls
    Detail: remote error: tls: handshake failure

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    you have an up-to-date TLS configuration that allows the server to
    communicate with the Certbot client.


#18

So what’s the deal with this domain? Did you delete it/do you not want it anymore?


#19

We can actually remove one domain from that: blog.oysteer.co.nz.

This domain does not exist any more.


#20

I think you could try:

/opt/letsencrypt/certbot-auto --apache -d learn.oysteer.co.nz

and if it asks you, issue a new certificate rather than using the existing one.
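A pre-renewal check that predicts the unknownHost failure in #17 and derives the reissue command in #20, added here as an example and not part of the thread or of Certbot itself. It parses the plain-text output of `certbot certificates` (the sample below is constructed to match this thread, not captured from the server), computes days to expiry, resolves each name in the lineage, and suggests a `--apache` command covering only the names that still have DNS records; the path `/opt/letsencrypt/certbot-auto` is taken from the thread.

```python
"""Pre-renewal check for one Certbot lineage: parse `certbot certificates` output,
compute days to expiry and resolve every name before `renew` is run."""
import re
import socket
from datetime import datetime, timezone

# Constructed sample modelled on the thread; not real output captured from the server.
SAMPLE_CERTIFICATES_OUTPUT = """\
  Certificate Name: blog.oysteer.co.nz
    Domains: blog.oysteer.co.nz learn.oysteer.co.nz
    Expiry Date: 2018-03-18 20:17:00+00:00 (VALID: 10 days)
    Certificate Path: /etc/letsencrypt/live/blog.oysteer.co.nz/fullchain.pem
"""

def parse_certificates(text):
    """Return [{name, domains, expiry}] for each lineage in `certbot certificates` output."""
    lineages, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Certificate Name:"):
            current = {"name": line.split(":", 1)[1].strip(), "domains": [], "expiry": None}
            lineages.append(current)
        elif current and line.startswith("Domains:"):
            current["domains"] = line.split(":", 1)[1].split()
        elif current and line.startswith("Expiry Date:"):
            m = re.search(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\+00:00", line)
            if m:
                current["expiry"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return lineages

def resolves(hostname):
    """True if the system resolver returns at least one A/AAAA record for the name."""
    try:
        socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
        return True
    except socket.gaierror:
        return False

def check_lineage(lineage, now, resolver=resolves):
    """Days left plus the names that would trip the CA's unknownHost check (resolver is injectable for offline tests)."""
    dead = [d for d in lineage["domains"] if not resolver(d)]
    live = [d for d in lineage["domains"] if d not in dead]
    return {"name": lineage["name"], "days_left": (lineage["expiry"] - now).days, "dead": dead, "live": live}

def reissue_command(report, certbot="/opt/letsencrypt/certbot-auto"):
    """Build the --apache command from #20 covering only names that still resolve."""
    return certbot + " --apache " + " ".join("-d " + d for d in report["live"])

if __name__ == "__main__":
    for lineage in parse_certificates(SAMPLE_CERTIFICATES_OUTPUT):
        print(check_lineage(lineage, datetime.now(timezone.utc)))
```

Run it on the real output of `certbot-auto certificates` before `renew`; any name listed under `dead` must be dropped from the lineage (or its DNS record restored) or the renewal will fail exactly as in #17.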