"Certbot, help me..."

I love navigating the unknown, and dealing with SSL certificates for me falls into this category. The scenario I will describe involves flipping HTTPS sites from one server (read IP address) to another when unexpected outages require DNS to stay alive. So when our primary and public facing website went offline due to an institutional network failure (actually, all of our infrastructure went dark), we had to scramble up a temporary website at AWS that explained the situation to our customers. The consternation rose a notch higher since modern browsers complain loudly about displaying content over non-encrypted lines, thereby making a simple HTTP site not acceptable. With these being the stakes, I am so very glad for LetsEncrypt and their trusty Python application Certbot.

Assume you have a web server (NGINX, for example) and are already running a web site with a LetsEncrypt certificate installed – all is hunky dory at https://somesite.org. Now you are tasked with adding another web site that is using a completely different domain, say https://anothersite.org. Step 1: add the appropriate NGINX configuration and make it available in /etc/nginx/sites-enabled (for a Debian-based OS) – in this case, I have /etc/nginx/sites-enabled/anothersite.conf in addition to the original /etc/nginx/sites-enabled/somesite.conf. The new server block should listen on port 80 only; Certbot's nginx plugin adds the port 443 listener and the ssl_* directives itself once it has a certificate. Step 2: make sure NGINX is happy with an nginx -t for testing the configuration, followed by systemctl reload nginx.service (a restart works too) to make it active. Now for the certificate business. Adding a domain to the existing certificate is the easy direction:

certbot --nginx -d somesite.org -d anothersite.org

Certbot will respond with a refreshingly simple question:

Plugins selected: Authenticator nginx, Installer nginx

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/somesite.org.conf)

It contains these names: somesite.org

You requested these names for the new certificate: somesite.org anothersite.org.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel:

Selecting E makes Certbot validate anothersite.org (the nginx plugin uses an HTTP-01 challenge, so the domain's DNS must already point at this server and port 80 must be reachable from the internet), obtain a new certificate with both names in its Subject Alternative Name list, and replace the existing certificate under the same /etc/letsencrypt/live/somesite.org path; the anothersite.org server block gets the ssl directives added to it. You are now ready to use your new web site. In our case, this was for a short period of time while our institution got its shit together.

Removing the anothersite.org domain from the certificate is not quite so simple. Let me pause here for a second and say that there may certainly be an easier way of reverting the certificate to its original state, but the following is what I had to do, which effectively means you must delete the existing certificate and rebuild it from scratch with the single domain. This also means that certbot will expect the NGINX configuration without any reference to SSL: once the certificate files under /etc/letsencrypt/live/somesite.org are gone, nginx -t fails on the missing file paths and the nginx plugin refuses to work with a configuration that does not parse. In other words, you will need to remove the references to the now non-existent certificate from the NGINX web site configuration (/etc/nginx/sites-enabled/somesite.conf in this example) before the rebuild - not a big deal, but it could leave you stymied the first time through this exercise. Step 1: issue the certbot delete command, which will, again, present to you a simple question asking what certificate you would like to delete:

certbot delete
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which certificate(s) would you like to delete?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: somesite.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

Step 2: regenerate the certificate (remember that you must have a clean NGINX configuration - a server block listening on port 80 only, with the listen 443 ssl, ssl_certificate, ssl_certificate_key and related include lines removed, so that nginx -t passes again):

certbot --nginx -d somesite.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

That's it. With the new certificate regenerated, you can now navigate to /etc/letsencrypt/live/somesite.org (a directory of symlinks to the current files under /etc/letsencrypt/archive) and ensure all looks good by using openssl to view the certificate - the X509v3 Subject Alternative Name entry should list only somesite.org:

openssl x509 -noout -text -in cert.pem
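The expand and the shrink-back steps above can both be driven from one script, which also checks that the certificate that ends up under live/ really carries the names you expect. The following is an added example, not code from the original post: it uses certbot's --cert-name flag (which pins the lineage so the live/ path never changes) together with --renew-with-new-domains, so the second direction becomes "same lineage, shorter -d list" and certbot replaces the certificate in place instead of you deleting it and rebuilding from a stripped NGINX config. The Debian paths, the bash 4+ and openssl requirements, the http_only_server_block and preflight_dns helpers, and the constructed SAMPLE_X509_TEXT are all assumptions of this example; somesite.org and anothersite.org are the post's placeholder names.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: the expand / shrink steps
# run non-interactively, plus a check on the names the issued certificate
# carries. Assumptions (not from the post): Debian-style paths, certbot with
# the nginx plugin, bash 4+, openssl on the PATH.
set -euo pipefail

PRIMARY="${PRIMARY:-somesite.org}"   # lineage name: /etc/letsencrypt/live/$PRIMARY
EXTRA="${EXTRA:-anothersite.org}"    # the temporary second site

# The "clean" server block certbot's nginx plugin expects: port 80 only, no
# listen 443 / ssl_* lines. certbot adds those itself (each tagged
# "# managed by Certbot") when it deploys a certificate.
http_only_server_block() {   # $1 = domain, $2 = document root
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $1;
    root $2;
    index index.html;
}
EOF
}

# HTTP-01 validation (what --nginx uses) only succeeds once the name's A record
# points at this box and port 80 is reachable from the internet, which is the
# whole point of the DNS-flip scenario. $2 = this server's public IPv4.
preflight_dns() {   # $1 = domain, $2 = expected IPv4
    local resolved
    resolved="$(getent ahostsv4 "$1" | awk 'NR==1 {print $1}')"
    [ "$resolved" = "$2" ] || { echo "$1 resolves to ${resolved:-nothing}, not $2" >&2; return 1; }
}

# Expand the $PRIMARY lineage to cover both names. --cert-name keeps the
# live/ path stable; --renew-with-new-domains answers the expand-and-replace
# question without a prompt.
expand_cert() {
    nginx -t && systemctl reload nginx.service
    certbot --nginx --non-interactive --agree-tos \
        --cert-name "$PRIMARY" --renew-with-new-domains \
        -d "$PRIMARY" -d "$EXTRA"
}

# Shrink it back: same lineage, shorter -d list. certbot replaces the
# certificate with one containing only $PRIMARY and leaves the files in
# place, so no NGINX config ever points at a missing file and
# `certbot delete` is not needed. Drop the anothersite server block afterwards.
shrink_cert() {
    certbot --nginx --non-interactive --agree-tos \
        --cert-name "$PRIMARY" --renew-with-new-domains \
        -d "$PRIMARY"
}

# Print the DNS names from `openssl x509 -noout -text` output (read on stdin),
# one per line: the line after the "Subject Alternative Name" header holds
# "DNS:a, DNS:b".
cert_names() {
    awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Succeed only if the certificate text on stdin contains exactly the given names.
cert_has_exactly() {
    local expected actual
    expected="$(printf '%s\n' "$@" | sort)"
    actual="$(cert_names | sort)"
    [ "$expected" = "$actual" ]
}

# Constructed sample of the relevant part of `openssl x509 -noout -text`
# output (not a real certificate), for exercising the parser offline.
SAMPLE_X509_TEXT='Certificate:
    Data:
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:somesite.org, DNS:anothersite.org
    Signature Algorithm: sha256WithRSAEncryption'

if [ "$#" -gt 0 ]; then
    case "$1" in
        expand) preflight_dns "$EXTRA" "${2:?public IPv4 of this server required}" && expand_cert ;;
        shrink) shrink_cert ;;
        check)  shift
                openssl x509 -noout -text -in "/etc/letsencrypt/live/$PRIMARY/cert.pem" \
                    | cert_has_exactly "$@" && echo "certificate names match" ;;
        *)      echo "usage: $0 expand PUBLIC_IPV4 | shrink | check NAME..." >&2 ;;
    esac
fi
```

Run it as "./failover-cert.sh expand 203.0.113.10" during the outage, "./failover-cert.sh shrink" afterwards, and "./failover-cert.sh check somesite.org" to confirm the certificate is back to a single name (the check fails if anothersite.org is still in the SAN list). NGINX should reference fullchain.pem, not cert.pem; cert.pem is only the leaf and is fine for the openssl inspection.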