Introduction
SSL certificates do not last forever. Most of them need to be updated on an annual cycle, and sometimes you want to change the type of the SSL certificate in the middle of the cycle. For many developers, this may be the first time that they must get their hands dirty on a server, and they may find the whole prospect of .key and .crt files a little challenging.
Let’s Encrypt has literally changed the way we get, install and use SSL certificates. Thanks to automated procedures, as you will see in a few seconds, everyone can get free SSL certificates from Let’s Encrypt and install them in a matter of minutes, automatically.
Prerequisites
- know about Let’s Encrypt.
- have basic command line skills.
- know about SSL.
- have shell access (direct or SSH) to your web server.
- already have a web server up and running.
- already have configured a firewall to open ports 80 and 443.
- own the domain name(s) you will configure (if not, don't try to obtain a certificate…)
Obtaining a Certificate
Step zero in all of this - obtaining your certificate.
Comodo Positive and Let's Encrypt are the two most popular providers of SSL certificates currently used on the Internet. You can get a Comodo Positive SSL certificate issued for up to two years, while a Let's Encrypt SSL certificate expires every 90 days. That is 8 times more installations if you follow the free route, but this guide will show you how to automate the process so that you never have to worry about it.
This guide will not cover obtaining the certificate in detail, but if you need help, check out this guide.
Manual Installation
1. Check SSL cert valid date
openssl x509 -in domain.crt -noout -enddate
2. Transfer the new certificate files
This step depends on who your SSL service provider is. I get this service from DigitalOcean and need to go to DigitalOcean to get new .crt files. There are two .crt files which you need to download.
Then you need to use the SCP command to copy these files to your server. If you forget the target location, simply go to your NGINX’s configuration file and check the ssl_certificate parameter.
ssl on;
ssl_certificate /etc/ssl/domain.crt;
ssl_certificate_key /etc/ssl/domain.key;
The ssl_certificate is your primary certificate; ssl_certificate_key must be a key file generated when creating a CSR (Certificate Signing Request).
NOTE: You will only update the expired SSL certificate, you do not need to do anything with the key file.
3. Concatenate the SSL and intermediate certs
You need to back up or delete the existing expired domain .crt first and then concatenate the two new certs (your domain certificate first, then the intermediate bundle).
cat 29393****.crt gd_bundle-g2-g1.crt >> domain.crt
4. Update NGINX config file
If you change the location of your SSL certificates, you need to update NGINX to know where they are. Find the NGINX configuration file and enter the full path to the your_domain_com.crt SSL certificate and private key files.
http {
server {
listen 443;
ssl on;
ssl_certificate /usr/local/nginx/conf/your_domain_com.crt;
ssl_certificate_key /usr/local/nginx/conf/private.key;
keepalive_timeout 70;
}
}
Since NGINX version 0.7.14 the preferred way of enabling SSL is by using the ssl parameter of the listen directive:
server {
listen 443 default ssl;
ssl_certificate /usr/local/nginx/conf/your_domain_com.crt;
ssl_certificate_key /usr/local/nginx/conf/private.key;
...
}
5. Test NGINX config
After making changes to the configuration file, it is recommended to check the file for syntax errors before restarting NGINX. The following command will determine if there are any errors:
sudo nginx -t -c /etc/nginx/nginx.conf
6. Restart NGINX
NGINX must reload its configuration before it serves the new certificate. Use the following command to reload the NGINX server:
sudo nginx -s reload
7. Verify installation
Check your SSL certificate using a browser to connect to your server using the https protocol. For example, if your SSL was issued to secure.mysite.com, enter https://secure.mysite.com in your browser.
Your browser's padlock icon will be displayed in a locked position if your certificate is installed correctly and the server is properly configured for SSL.
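The manual steps above (check the certificate against the key, concatenate, test the NGINX config, reload) collected into one script, added here as an example and not part of the original tutorial. It assumes the intermediate bundle is a separate file and that the target path is whatever your ssl_certificate directive points at (/etc/ssl/domain.crt in this tutorial):

```shell
#!/bin/sh
# Constructed example (not from the tutorial): validate a freshly downloaded
# certificate before swapping it into NGINX, then back up, install, test and
# reload, rolling back if the new configuration fails 'nginx -t'. The target
# path is whatever your ssl_certificate directive points at (assumed: /etc/ssl/domain.crt).
set -eu

# 0 if the certificate's public key equals the one derived from the private key.
# A mismatch here is the usual cause of NGINX's "key values mismatch" start-up error.
cert_matches_key() {   # cert_matches_key CERT KEY
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 if CERT chains to a trusted root through the intermediate BUNDLE.
chain_is_valid() {     # chain_is_valid CERT BUNDLE
    openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
}

install_cert() {       # install_cert NEW_CERT BUNDLE KEY TARGET
    new=$1 bundle=$2 key=$3 target=$4
    cert_matches_key "$new" "$key" || { echo "certificate does not match $key" >&2; return 1; }
    chain_is_valid "$new" "$bundle" || { echo "chain does not verify" >&2; return 1; }
    backup=
    if [ -f "$target" ]; then
        backup="$target.$(date +%Y%m%d%H%M%S).bak"
        cp -p "$target" "$backup"
    fi
    # Leaf first, then the intermediates: the order NGINX expects. '>' replaces
    # the file, so nothing from the expired certificate is left behind.
    cat "$new" "$bundle" > "$target"
    if nginx -t; then
        nginx -s reload
        echo "installed $target, NGINX reloaded; $(openssl x509 -in "$target" -noout -enddate)"
    else
        echo "nginx -t failed; restoring previous certificate" >&2
        [ -n "$backup" ] && cp -p "$backup" "$target"
        return 1
    fi
}

if [ "$#" -eq 4 ]; then
    install_cert "$@"
else
    echo "usage: $0 new.crt intermediate_bundle.crt domain.key /etc/ssl/domain.crt" >&2
fi
```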
Automated Installation
Installing an SSL certificate can be complicated but using the Let's Encrypt Certbot client makes the whole process extremely simple.
1. Install CertBot client
Before you automate the Let’s Encrypt certificate renewal, you need to install Certbot. Certbot is the official Let’s Encrypt client and the easiest way to get a certificate. After connecting to your web server, open a terminal and type the commands appropriate for your CentOS installation:
sudo yum install epel-release
sudo yum install certbot
Now install the plugin associated with your web server (this step is only for CentOS 7).
Certbot currently supports several plugins.
Apache:
sudo yum install certbot-apache
NGINX:
sudo yum install certbot-nginx
Alternate installation methods
If you are offline or your operating system does not provide a package, you can use an alternative method to install Certbot.
Certbot-Auto
The certbot-auto shell script installs Certbot, getting some dependencies on your web server’s OS and putting others in a Python virtual environment. You can download and run it as follows:
wget https://dl.eff.org/certbot-auto && chmod a+x certbot-auto
The certbot-auto command automatically updates to the latest client release. Since certbot-auto is a wrapper for certbot, it takes the same command line flags and arguments. For more information, see Certbot command-line options.
For complete command line help, you can type:
./certbot-auto --help all
You can verify that the download succeeded by issuing the ls command to view the file.
Then move certbot-auto to the /etc/letsencrypt/ directory:
sudo mv certbot-auto /etc/letsencrypt/
2. Setup Let's Encrypt certificate
If your website is running a web server with a supported plugin, you can use Certbot to automatically obtain and install a certificate.
Apache:
sudo certbot --apache
NGINX:
sudo certbot --nginx
The interactive procedure will guide you through all the information needed to sign the certificate. If you have multiple virtual hosts/domains configured, Certbot will ask you to select the domains included in the new certificate.
If you do not trust Certbot to automatically install a certificate, you can generate only a certificate (and install it manually later) using the certonly parameter:
sudo certbot --apache certonly
Here’s the output for a successful certificate issued:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/YOURSITE.TLD/fullchain.pem. Your cert will
expire on DATE. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again with the
"certonly" option. To non-interactively renew *all* of your
certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
3. Automating renewal with cron
Whatever procedure you follow, you now have a certificate. Since Let's Encrypt certificates are short-lived (90 days) you should renew them before they expire. You can do this manually (every 90 days) or automate the process using cron and the Certbot client.
Before setting up the automatic renewal process, you can test with the following command:
sudo certbot renew --dry-run
If the certificate is installed correctly and everything is in order, near the end you will receive a message like this, and you can continue:
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all updates completed successfully. The following certificates have been renewed:
/etc/letsencrypt/live/YOURSITE/fullchain.pem (success)
If you installed the Certbot package using apt – Good news! You do not need to configure Certbot cron because it is already configured for you!
If you installed Certbot manually (for CentOS 6) – You will have to set up Certbot cron manually, but do not be afraid! This is an easy set-and-forget procedure!
To open your crontab file, execute the following command:
sudo crontab -e
Now that you have opened your crontab file, the next step is to add a line to the bottom of the file that will run once a week and automatically renew the SSL certificates if they are about to expire. Because certbot-auto was moved to /etc/letsencrypt/ above, the command is run from that directory:
Apache:
45 2 * * 6 cd /etc/letsencrypt/ && ./certbot-auto renew && /etc/init.d/apache2 restart
NGINX:
45 2 * * 6 cd /etc/letsencrypt/ && ./certbot-auto renew && /etc/init.d/nginx reload
4. Basic auto-renew testing
To test the automatic update script for errors, you can quickly perform a 'dry run' - a process in which the automatic update script will run without renewing the certificates. To perform a 'dry run', execute the following two commands:
Apache:
sudo -i
cd /etc/letsencrypt/ && ./certbot-auto renew --dry-run && /etc/init.d/apache2 restart
NGINX:
sudo -i
cd /etc/letsencrypt/ && ./certbot-auto renew --dry-run && /etc/init.d/nginx reload
Congratulations! You have successfully configured your Let's Encrypt SSL certificates to automatically renew before they expire.
If you want to test the renewal process, go to the next step (optional). Since the script updates the certificates one month before the expiration date, you can use a SSL Checker to verify if the certificates have been successfully updated.
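A cron-driven renewal wrapper, added here as an example and not part of the original tutorial. Instead of reloading the web server on every run it uses certbot's --deploy-hook so NGINX reloads only after a real renewal, and it logs how many days each certificate has left so a renewal that keeps failing is noticed long before the 90 days run out. The certbot-auto, live directory, log, lock and script paths are assumptions:

```shell
#!/bin/sh
# Constructed example (not from the tutorial): a cron-driven renewal wrapper.
# It reloads NGINX only when a certificate was actually renewed (--deploy-hook),
# serialises runs with flock (util-linux), logs each run, and reports the state
# of every live certificate so a silently failing renewal is noticed early.
# CERTBOT, LIVE_DIR, LOG and the lock path are assumed locations.
# Assumed crontab entry:  45 2 * * 6 /usr/local/sbin/renew-le.sh renew
set -u
CERTBOT=${CERTBOT:-/etc/letsencrypt/certbot-auto}
LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}
LOG=${LOG:-/var/log/letsencrypt-renew.log}
RELOAD='nginx -t && nginx -s reload'   # run by certbot only after a successful renewal

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"; }

# 0 if CERT is still valid DAYS days from now, 1 if it expires before then.
valid_for_days() {   # valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Classify a certificate: ok (>30 days left), renew-due (<=30 days, certbot's
# default renewal window), critical (<=7 days, renewal has been failing for weeks).
cert_state() {       # cert_state CERT
    if ! valid_for_days "$1" 7; then echo critical
    elif ! valid_for_days "$1" 30; then echo renew-due
    else echo ok
    fi
}

run_renew() {        # run_renew [--dry-run]
    flock -n /var/lock/certbot-renew.lock \
        "$CERTBOT" renew --quiet "$@" --deploy-hook "$RELOAD"
}

main() {
    if run_renew "$@"; then log "certbot renew $* finished"
    else log "certbot renew $* FAILED (exit $?)"; fi
    for d in "$LIVE_DIR"/*/; do
        [ -f "$d/cert.pem" ] || continue
        log "$(basename "$d"): $(cert_state "$d/cert.pem") ($(openssl x509 -in "$d/cert.pem" -noout -enddate))"
    done
}

case "${1:-}" in
    renew)   main ;;
    dry-run) main --dry-run ;;
    *)       echo "usage: $0 renew|dry-run" >&2 ;;
esac
```

Run it once as renew-le.sh dry-run, as in step 4, and read the log before trusting the cron entry.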
5. (Optional) Advanced auto-renew testing
In this optional test section of the tutorial, you will learn how to use the --force-renew option to simulate certificate renewal in a real environment.
To get started, check the current date and time on your web server. To do this, issue the date command.
Write down the date and time - either paste it into Notepad or write it down on a piece of paper. For example, I would write down 15:34:44.
5.1. Check current expiry date
Now that you recorded your system's current date and time, the next step is to check if your certificate is currently set to expire. To do this, execute the following command:
sudo openssl x509 -noout -dates -in /etc/letsencrypt/live/example.com/cert.pem
Note: Make sure to replace example.com with your own domain name.
Preliminary checking of the expiration date of your SSL certificate will allow you to check if the auto-update script works correctly.
Remember the date and time when the certificate was issued - either paste it into Notepad or write it down on a piece of paper.
Based on the above example, I would write down 18:04:49.
5.2. Force Crontab script
Run the command sudo crontab -e to re-open your crontab file.
In this example, the date and time stamp of my web server showed 15:34:44. So, I would like the auto-renew script to execute a few minutes after 15:34:44 at 15:39:00.
To test the auto-renew script, you will need to temporarily change the script time and renew command. The numbers under m and h represent the time (minute and hour) when you want the script to execute (15:59:00 in the crontab lines below).
Apache:
59 15 * * * cd /etc/letsencrypt/ && ./certbot-auto renew --force-renew && /etc/init.d/apache2 restart
NGINX:
59 15 * * * cd /etc/letsencrypt/ && ./certbot-auto renew --force-renew && /etc/init.d/nginx reload
After the time at the beginning of the script (in this example, 15:59), check the system log to ensure that the script has been successfully executed.
To check the system log, navigate to the log directory by running cd /var/log/.
Next, print your system log to your screen by executing the command cat syslog.
If your test is successful, you will notice that the crontab script appears in your Apache or NGINX system logs, indicating whether the script was successfully executed.
5.3. Check if renewal was successful
To check if the renewal was successful, return to your home directory by running the command cd, then run the following command, replacing example.com with your domain name.
sudo openssl x509 -noout -dates -in /etc/letsencrypt/live/example.com/cert.pem
After running the auto-renew Certbot script, you should notice that the expiration dates of your SSL certificate have changed and have moved three months into the future.
It is also recommended to double-check with an online SSL certificate checker to make sure that your updated certificates are recognized.
5.4. Revert crontab script to default
Now that testing is complete, remember to change your crontab script to its default value from step 3 of this tutorial! The original crontab script was set to execute every Saturday at 2:45am.
Conclusion
Now that you have configured auto-renewal for your Let's Encrypt SSL certificates, you no longer need to worry about updating them again!
If you have any questions or comments about this tutorial, please leave them below.
Additional Reading