I manually got and set up a certificate for my web server at Login - SslForWeb.
I knew the certificate expires and I would have to renew it, but I was expecting some way to renew it on the website. I am currently at 6 days left on the certificate and the only action the website allows me to do now is view the SSL. Nothing related to renewing that I have found.
I have been getting emails on the expiration and I noticed that it was sending me to this site, so I am posting here looking for more information. I have looked around some but I am still confused.
Can I manually renew my expiring SSL, or am I required to set up the tool I have seen mentioned that will auto-renew the certificate?
You shouldn't use that terrible, possibly unsafe website loaded with privacy-invading advertisements.
That said, without knowing your exact website setup, it's next to impossible to advise you on something better, as that depends on the setup. So I'm going to ask you to fill out the following questionnaire:
When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I did get the help section you mentioned, but I didn't think it would apply here since my question was more on the website which was independent of my setup.
I have provided the questionnaire below, but does this mean that website doesn't allow for renewals? Also, is your concern over the website just for advertisements, or are you saying it does somewhat nefarious things with the SSL or my profile information?
My web server is (include version): I mainly use apache 2.4.52 and php 7.4.33
The operating system my web server runs on is (include version): Ubuntu 22
My hosting provider, if applicable, is: Self?
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): n/a?
I ran this command:
I set up the ssl manually. I added files under /etc/ssl/certs/ and /etc/ssl/private/, added the ssl to /etc/apache2/sites-available/default-ssl.conf, ran sudo sudo a2enmod ssl, and then restarted apache.
Technically, a renewal is just a brand new certificate for the same set of hostnames. But I wouldn't use that website anyway.
Such websites usually make the claim that the private key is generated in the browser and never sent to the website, but you should really make sure the latter doesn't actually happen. E.g. by reviewing the source code of the entire website. Also, you can never automate cert issuance through those websites and Let's Encrypt is all about automation: set it up once and forget about it.
If you're running nothing fancy with Apache on a self-hosted Ubuntu, why not try Certbot? See https://certbot.eff.org/ for more info and instructions. Once properly set up, Certbot will take care of everything.
Technically, a renewal is just a brand new certificate for the same set of hostnames
This is where my confusion was. I thought there was an actual renewal process where the certificate doesn't need to be changed, but was starting to think that wasn't the case.
why not try Certbot?
I never heard of it until this forum. When I started down this path, Google returned a website with some step-by-step documentation and referenced the SSL for Web website. I don't remember seeing anything for certbot before now.
You might also review at least the Getting Started topic at Let's Encrypt. The other topics on Challenge Types and Keeping Port 80 Open are often helpful.
No, that's not possible. The "start" and "end" dates of a certificate are embedded within the cert and the cert is cryptographically signed by a private key of the CA, which is only accessible by the CA (for obvious reasons).
So certificates are "one time use only" so to say.
The term "renewal" is just something "made up" to differentiate between an entirely new certificate or just a new certificate almost identical to the old one, but with some (but important) differences (serial number, dates, signature and often the public key also differs, as it's being rotated).
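The point made in the replies above (a renewal is a new certificate for the same hostname, with its own serial number, dates, signature and usually key), shown as an added example that is not part of the original thread. It assumes the openssl CLI is installed; the "Demo CA" is a constructed stand-in for the real issuer and example.com is a placeholder hostname.

```shell
#!/usr/bin/env bash
# Added example. The CA, keys and certificates are constructed throwaway
# values; example.com is a placeholder hostname.
set -eu
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Throwaway CA standing in for the real issuer.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
    -keyout "$workdir/ca.key" -out "$workdir/ca.crt" 2>/dev/null
}

# issue NAME DAYS: fresh key and CSR, then a CA-signed cert valid for DAYS.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.com" \
    -keyout "$workdir/$1.key" -out "$workdir/$1.csr" 2>/dev/null
  openssl x509 -req -in "$workdir/$1.csr" -days "$2" -CA "$workdir/ca.crt" \
    -CAkey "$workdir/ca.key" -CAcreateserial -out "$workdir/$1.crt" 2>/dev/null
}

# field NAME FLAGS...: print selected fields, e.g. field old -serial
field() { f=$workdir/$1.crt; shift; openssl x509 -in "$f" -noout "$@"; }

# expires_within NAME SECONDS: true if the cert expires inside that window.
expires_within() {
  ! openssl x509 -in "$workdir/$1.crt" -noout -checkend "$2" >/dev/null
}

# chains_to_ca NAME: true if the CA's signature over the cert verifies.
chains_to_ca() {
  openssl verify -CAfile "$workdir/ca.crt" "$workdir/$1.crt" >/dev/null 2>&1
}

make_ca
issue old 6     # the expiring certificate (6 days left, as in the thread)
issue new 90    # the "renewal": same hostname, everything else fresh

for c in old new; do
  echo "== $c =="
  field "$c" -subject -serial -dates -fingerprint -sha256
  chains_to_ca "$c" && echo "signature verifies against Demo CA"
done
expires_within old $((7*24*3600)) && echo "old: expires within 7 days"
expires_within new $((7*24*3600)) || echo "new: not expiring within 7 days"
```

The same `openssl x509 -noout -dates` and `-checkend` calls work on a real certificate file, which is a quick way to confirm that a replacement has actually been installed.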