I have an old Debian 7.11 box that needs an SSL certificate renewed. I want to replace the existing, manually installed certificate issued by Comodo.
You can check the expiry date of the certificate currently being served with something like the following (-servername sends SNI, so a name-based virtual host returns its own certificate rather than the server default):
echo | openssl s_client -servername pikedom.com -connect pikedom.com:443 2>/dev/null | openssl x509 -noout -dates
Given the age of the operating system and it being EOL (end of life), I don’t want to use apt-get, as the Debian 7 repositories are unlikely to still work. Instead I will install it manually with the help of acme.sh, a client written purely in shell that needs nothing beyond openssl and curl (or wget), both of which this box already has. To install it:
curl https://get.acme.sh | sh
(Piping a remote script straight into a root shell is convenient but blind; if you prefer, download it first, read it, and then run it with sh.)
This will:
- Create a directory ~/.acme.sh/ where all certs will be stored.
- Add an alias acme.sh=~/.acme.sh/acme.sh to your shell profile (~/.bashrc).
- And create a cronjob to check and renew certs.
You can check the cronjob was created with:
root@nginx:~# crontab -l
55 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
(The minute and hour are chosen at install time, so yours will differ.)
As I already have a web server, Nginx, running, I will be using acme.sh in webroot mode: acme.sh writes the challenge file under /.well-known/acme-challenge/ in the web root and Let’s Encrypt fetches it over HTTP. First I need to configure Nginx with a location directive for that path.
root@nginx:~# vim /etc/nginx/snippets/letsencrypt-webroot
Make sure the web root is correct for you:
location /.well-known/acme-challenge/ {
alias /var/www/prod/.well-known/acme-challenge/;
}
Edit the main configuration file to make Nginx aware of this directive. Note that Let’s Encrypt fetches the challenge over plain HTTP on port 80 (it will follow a redirect to HTTPS), so whichever server block answers port 80 for these names must either include the snippet as well or redirect to HTTPS with the request path intact.
root@nginx:~# vim /etc/nginx/sites-available/pikedom.com.conf
Add the web root line:
server {
# Rewrite to correct server name
listen 443 ssl default_server;
...
...
# acme.sh dir
include snippets/letsencrypt-webroot;
}
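For completeness, here is a matching port-80 server block, added as an example rather than taken from the original post. It assumes the server names and the snippets/letsencrypt-webroot file from this post; the challenge path is served over HTTP and everything else is redirected to HTTPS, which is the case the validation request actually needs.

```nginx
server {
    listen 80;
    server_name pikedom.com www.pikedom.com;

    # Serve ACME HTTP-01 challenges over plain HTTP. The Let's Encrypt
    # validation request always starts on port 80, so this must be here
    # (or the redirect below must preserve the path, which it does).
    include snippets/letsencrypt-webroot;

    # Everything else goes to HTTPS, keeping host and path intact.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Run nginx -t after adding it; an unmatched brace or a snippet path typo will show up there rather than at validation time.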
Do a quick configuration test for errors:
root@nginx:~# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Restart the Nginx service.
root@nginx:~# service nginx restart
[ ok ] Restarting nginx: nginx.
You will also need to log out of your SSH session and back in (or run . ~/.bashrc) so the alias is picked up. Otherwise you’ll get a “command not found” error when trying to use acme.sh.
root@nginx:~# exit
Once logged back in, we can issue the certificate. Here I issue one covering two domains; the webroot must be the directory that contains .well-known, which acme.sh (running as root) needs to be able to write to and Nginx to read from. Note that acme.sh releases from 3.0 onwards default to ZeroSSL rather than Let’s Encrypt; add --server letsencrypt if you want the latter.
root@nginx:~# acme.sh --issue -d pikedom.com -d www.pikedom.com --webroot /var/www/prod/
If this was successful, you should see output similar to the following:
[Fri Jul 3 18:58:16 UTC 2020] Cert success.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[Fri Jul 3 18:58:16 UTC 2020] Your cert is in /root/.acme.sh/pikedom.com/pikedom.com.cer
[Fri Jul 3 18:58:16 UTC 2020] Your cert key is in /root/.acme.sh/pikedom.com/pikedom.com.key
[Fri Jul 3 18:58:16 UTC 2020] The intermediate CA cert is in /root/.acme.sh/pikedom.com/ca.cer
[Fri Jul 3 18:58:16 UTC 2020] And the full chain certs is there: /root/.acme.sh/pikedom.com/fullchain.cer
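The files under ~/.acme.sh/ are acme.sh's working copies; Nginx should read from stable paths that acme.sh refreshes on every renewal. The script below is an added example, not part of the original post or of acme.sh itself: it uses acme.sh's --install-cert (a real acme.sh command) to copy the fullchain and key to the paths this post's Nginx config later points at, registers a reload command so the cron renewal actually reaches Nginx, and refuses to finish if the key is readable by anyone but its owner. The domain and /var/www/prod/certs paths are taken from the post; because that directory sits under the web root, the script also closes it with mode 0700.

```shell
#!/bin/sh
# Added example, not from the original post: install the issued certificate
# where nginx reads it, wire up the renewal reload, and check key permissions.
set -eu

DOMAIN="pikedom.com"
CERT_DIR="/var/www/prod/certs"                 # paths used by the post's nginx config
KEY_FILE="$CERT_DIR/$DOMAIN.key.pem"
FULLCHAIN_FILE="$CERT_DIR/$DOMAIN.fullchain.pem"
ACME="$HOME/.acme.sh/acme.sh"

# Return 0 only if the file exists and is readable by its owner alone
# (mode 0600 or 0400). A group- or world-readable TLS key is a leaked key.
key_perms_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

install_cert() {
    mkdir -p "$CERT_DIR"
    # The directory is under the web root, so keep it closed to everyone but root.
    chmod 700 "$CERT_DIR"
    # --install-cert copies the files and records these paths plus the reload
    # command in ~/.acme.sh/$DOMAIN/$DOMAIN.conf, so each cron renewal repeats
    # the copy and the reload without any further manual steps.
    "$ACME" --install-cert -d "$DOMAIN" \
        --key-file "$KEY_FILE" \
        --fullchain-file "$FULLCHAIN_FILE" \
        --reloadcmd "nginx -t && service nginx reload"
    chmod 600 "$KEY_FILE"
    if ! key_perms_ok "$KEY_FILE"; then
        echo "refusing to continue: $KEY_FILE is readable by others" >&2
        return 1
    fi
    echo "installed $FULLCHAIN_FILE and $KEY_FILE"
}

# Only act when explicitly asked, e.g.:  sh install-cert.sh install
if [ "${1:-}" = "install" ]; then
    install_cert
fi
```

The reload command runs nginx -t first so a broken config is caught before the running server is touched; acme.sh records the command in the domain's .conf file, which you can inspect to confirm the cron job will use it.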
Edit the main configuration file.
root@nginx:~# vim /etc/nginx/sites-available/pikedom.com.conf
Comment out the old entries and enter the following new ones. The certificate and key must already be at these paths (acme.sh --install-cert copies them there and repeats the copy after each renewal). Because /var/www/prod/certs sits under the web root, make sure Nginx never serves that directory, or keep the key outside the web root (for example under /etc/ssl/private) with mode 0600:
server {
listen 443 ssl;
# Enable this if using HTTPS
add_header Strict-Transport-Security "max-age=63072000";
server_name www.pikedom.com;
...
## Server certificate and key.
ssl_certificate /var/www/prod/certs/pikedom.com.fullchain.pem;
ssl_certificate_key /var/www/prod/certs/pikedom.com.key.pem;
# disabled old entries:
#ssl_certificate /etc/ssl/certs/pikedom.com.comodo.fullchain.crt;
#ssl_certificate_key /etc/ssl/private/pikedom.com.comodo.key;
...
}
Check the configuration file for typos:
root@nginx:~# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
And finally restart nginx:
root@prod:~# service nginx restart
[ ok ] Restarting nginx: nginx.
You can check the new cert with the command below from a Linux workstation; it looks at what Nginx is actually serving, not at the files on disk:
echo | openssl s_client -servername pikedom.com -connect pikedom.com:443 2>/dev/null | openssl x509 -noout -dates
That’s it! The cron job renews the certificate once it is 60 days old (Let’s Encrypt certificates are valid for 90). A renewal only reaches Nginx if the new files are copied to the paths in the Nginx config and Nginx is reloaded, so re-run the check above after the first renewal is due.
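A one-off openssl call tells you the expiry date today; what you want long term is a check that fails when renewal silently stops working. The script below is an added example, not from the original post: it fetches the certificate Nginx serves for a host (with SNI), computes the days left, confirms the served chain verifies against the local trust store, and exits non-zero if fewer than a threshold number of days remain. The host name is the one from this post; the threshold of 30 days is an assumption chosen to sit inside acme.sh's 60-day renewal window, so a failing check means at least one scheduled renewal did not take effect.

```shell
#!/bin/sh
# Added example, not from the original post: a renewal check for the
# certificate actually served on port 443.
set -eu

# Whole days from $2 (epoch seconds, default now) until an openssl-style
# notAfter string such as "Jul  3 18:58:16 2020 GMT". Negative means expired.
days_until() {
    not_after="$1"
    now="${2:-$(date +%s)}"
    exp=$(date -u -d "$not_after" +%s)
    echo $(( (exp - now) / 86400 ))
}

# Print the notAfter value of the leaf certificate served for $1. -servername
# sends SNI so a name-based virtual host returns its own certificate.
served_not_after() {
    host="$1"
    port="${2:-443}"
    echo | openssl s_client -servername "$host" -connect "$host:$port" 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Print openssl's verify result for the served chain, e.g. "0 (ok)".
served_verify_result() {
    host="$1"
    port="${2:-443}"
    echo | openssl s_client -servername "$host" -connect "$host:$port" 2>/dev/null \
        | sed -n 's/^ *Verify return code: //p' | head -n 1
}

# Exit 0 only if at least $2 days (default 30) remain and the chain verifies.
check_cert() {
    host="$1"
    min_days="${2:-30}"
    not_after=$(served_not_after "$host")
    left=$(days_until "$not_after")
    verify=$(served_verify_result "$host")
    echo "$host: expires $not_after ($left days left), verify: ${verify:-unknown}"
    [ "$left" -ge "$min_days" ] && [ "$verify" = "0 (ok)" ]
}

# Usage:  sh check-cert.sh pikedom.com [min_days]
if [ "$#" -ge 1 ]; then
    check_cert "$@"
fi
```

Run it from a machine other than the web server (so DNS, firewalling and the full chain are exercised) and let your monitoring alert on a non-zero exit; a failing verify with a healthy expiry usually means the fullchain file was replaced with the bare leaf certificate.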