How to renew default Let's Encrypt SSL?


#1

Hello everyone, I am using Ghost’s default Let’s Encrypt SSL, which I set up during installation on my website https://techhelper.me
Now it is going to expire soon, so I would like to know how I can renew it again.

Thanks


#2

It should auto renew with the scripts installed with the initial LE setup from “ghost cli”. You said you did the vanilla, default setup, correct?


#3

You may do that easily with the following command on the nginx server: ./certbot-auto --nginx

Ref : https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx


#4

Ghost CLI renews the certificates automatically. If it doesn’t, you can run ghost setup ssl-renew. You can find more info in here:


#5

Hey @HauntedThemes
Thanks for your time and answer.


#6

Unfortunately the docs are a bit out of date - the ssl-renew command was removed a while back (even before the final 1.0 version I think), as we moved the CLI to rely on acme.sh’s (the ssl cert generator) default auto-renew setup.

However, based on some of the issues I’ve seen crop up recently regarding ssl auto-renew (namely, that it hasn’t functioned completely as intended), I might look into adding a command that will force a renew/ensure auto-renew is set up properly.


#7

So wouldn’t it renew automatically?


#8

I would like an answer as well. :slight_smile:


#9

Hey @Ayu & @Jdruwe

It should happen automatically with acme.sh. See @acburdine’s comment:

To make sure, you can check if your cron jobs are set up correctly:

Running sudo crontrab -l should output you something like this:

aileen@dev-aileen-01:/var/www/ghost$ sudo crontab -l
40 0 * * * "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" > /dev/null

#10

This is not a direct answer, but another free alternative for HTTPS in your blog is to use Cloudflare. They offer a free tier, and can enforce HTTPS, even with your Ghost blog on just HTTP.


#11

Hey, yes, it has the same output, but the command you have given is wrong :slight_smile:
It should be
sudo crontab -l


#12

Oops… little typo :grimacing:


#13

I have a cron set to:

29 0 * * * "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" > /dev/null

But when I run ‘sudo certbot certificates’ I get:

Found the following certs:
Certificate Name: www.mysite.be
Domains: www.mysite.be
Expiry Date: 2018-04-26 08:29:20+00:00 (VALID: 22 hour(s))
Certificate Path: /etc/letsencrypt/live/www.mysite.be/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.mysite.be/privkey.pem

Shouldn’t it renew every day?

If I manually run:

sudo sh /etc/letsencrypt/acme.sh --renew -d www.mysite.be

I get: 'www.mysite.be' is not a issued domain, skip. Any ideas?


#14

@Jdruwe First things first - Ghost uses acme.sh to manage certs, not certbot. You’re running 2 different systems here but they are not interchangeable/compatible which is confusing matters.

Let’s try to unpick:

In order to list the certificates set up by Ghost, you would run the command:

/etc/letsencrypt/acme.sh --home "/etc/letsencrypt" --list

You can also do ls /etc/letsencrypt and you should see there a folder for each domain that has a cert.

Certbot is telling you that you have a certificate folder in /etc/letsencrypt/live/xxx instead of /etc/letsencrypt/xxx, which suggests that perhaps Ghost didn’t set up these certs for you, but rather certbot did?

What do you see when you do /etc/letsencrypt/acme.sh --home "/etc/letsencrypt" --list ?


#15

Main_Domain    KeyLength  SAN_Domains  Created                       Renew
mysite.be      ""         no           Tue Mar 27 00:29:07 UTC 2018  Sat May 26 00:29:07 UTC 2018
www.mysite.be  ""         no           Tue Mar 27 00:29:14 UTC 2018  Sat May 26 00:29:14 UTC 2018

Those seem correct


#16

Ok so good news! It seems that you do have certificates in place for your domain, and they are renewing as expected via acme.sh.

Next question is which certificate is nginx serving?

You should be able to look in /etc/nginx/sites-enabled/ and check that for your ssl configuration, the paths for ssl_certificate & ssl_certificate_key don’t include ‘live’.

To be absolutely certain, you can also restart nginx to make sure it is using the configuration you’re looking at (sudo nginx -t to validate the config first, then sudo nginx -s reload).

Then finally, the easiest way to check the right cert is being served is to open chrome -> visit your site -> open developer tools -> security tab. Hit the “View Certificate” button, and check the expiry date.

Hopefully you’re all set and can ignore the certbot certificates.
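
The check described in the post above, as an added shell example that is not part of the original thread: it reads the ssl_certificate paths from an nginx site config, labels each by the directory layouts discussed here (certbot's live/ tree versus the acme.sh home that Ghost CLI uses), and tests the expiry with openssl. The function names and the 14-day MIN_DAYS default are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): find out which certificate files an
# nginx site config points at and which tool's directory layout they sit in.

# Print every ssl_certificate path in the given nginx config file(s).
# ssl_certificate_key lines are skipped: only the certificate has an expiry.
list_cert_paths() {
  awk '$1 == "ssl_certificate" { sub(/;$/, "", $2); print $2 }' "$@"
}

# Classify a path using the layouts named in the thread. Treating everything
# else under /etc/letsencrypt as acme.sh assumes the Ghost CLI default home.
classify_cert_path() {
  case "$1" in
    /etc/letsencrypt/live/*|/etc/letsencrypt/archive/*) echo "certbot" ;;
    /etc/letsencrypt/*)                                 echo "acme.sh" ;;
    *)                                                  echo "other" ;;
  esac
}

# Succeeds if the certificate in file $1 is still valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# One tab-separated line per certificate: owner, status, path.
audit_site() {
  list_cert_paths "$@" | while read -r path; do
    owner=$(classify_cert_path "$path")
    if [ ! -r "$path" ]; then
      status="unreadable"          # missing file or insufficient privileges
    elif cert_valid_for_days "$path" "${MIN_DAYS:-14}"; then
      status="ok"
    else
      status="expiring"            # nginx is serving a cert nobody is renewing
    fi
    printf '%s\t%s\t%s\n' "$owner" "$status" "$path"
  done
}

# Audit real configs when paths are passed on the command line, e.g.
#   sudo ./audit.sh /etc/nginx/sites-enabled/*
if [ "$#" -gt 0 ]; then
  audit_site "$@"
fi
```

A line reading "certbot" together with "expiring" is the situation from earlier in the thread: the acme.sh cron job renews its own copies while nginx still points at the certbot files.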


#17

I have the following listed:

ssl_certificate /etc/letsencrypt/mysite.be/fullchain.cer;
ssl_certificate_key /etc/letsencrypt/mysite.be/mysite.be.key;

And my certificate expiry date is somewhere in late June according to Chrome :slight_smile:

Thx for the help!


#18

Hi!

I ran the ‘cron’ command and it is there. My SSL certificate should have renewed yesterday, as shown in the ‘acme.sh’ list command, but it didn’t. I tried renewing it manually with acme.sh --renew -d www.viktoraron.com but got the error of ‘Invalid Response’ from the acme challenge. What could be the issue? I have tried deleting the SSL now and instead issued a new one, but the same error occurs, both for the ‘ghost setup nginx ssl’ command and for ‘acme.sh --issue -d www.viktoraron.com’. Help would be very much appreciated!

@Aileen @Hannah


#19

Try running this command in your ghost directory.
ghost setup ssl


#20

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.