How to renew Let's Encrypt SSL after 3 months in DigitalOcean

Sure!

What might be a little confusing is:

  1. acme.sh can be installed in different places.
  2. You might or might not log in to your server as the user root.

First, you should figure out where acme.sh is installed on your system/server/computer. Connect to a shell on your server from a terminal program – probably (and hopefully) via ssh. I thought you should be able to run whereis acme.sh but that doesn’t work for me. On my server, acme.sh is installed under /etc/letsencrypt/ but I noticed someone else in an earlier comment mentioned that for them (and presumably their server), it’s installed in /root/.acme.sh. You should be able to confirm that the file acme.sh exists via ls; from my server:

kenny@some-server:~$ sudo ls /etc/letsencrypt/
account.conf  acme.sh  acme.sh.env  ca	deploy	dnsapi	http.header  notify  renewal-hooks  example.com

example.com above is a directory for a dummy example domain name. (I edited the output to strip my site’s name from it.)

I’m going to assume acme.sh is installed under /etc/letsencrypt/.

Next, let’s upgrade acme.sh.

I ran this and it seemed to work fine for me:

$ sudo /etc/letsencrypt/acme.sh --upgrade --home "/etc/letsencrypt"

But acme.sh apparently doesn’t like being run via sudo, so – if you log in to your server as a user OTHER than root, you could run these three commands:

$ sudo su
$ /etc/letsencrypt/acme.sh --upgrade --home "/etc/letsencrypt"
$ exit

The first command will effectively ‘log you in’ as root.

(Note that you could skip the last command until later; see below. But if you do skip running exit, make sure to run it after renewing your certs or sometime soon thereafter.)

Then, upgrade your site’s acme.sh config file. Assuming your site’s domain name is example.com, the config file should be at /etc/letsencrypt/example.com/example.com.conf.

You need to change the host for three URLs in three config variable values in this file; the config variables:

  • Le_API
  • Le_LinkCert
  • Le_LinkIssuer

Example line for the first value:

Le_API='https://acme-v01.api.letsencrypt.org/directory'

Change the URL so the line looks like this (i.e. replace the 1 with a 2):

Le_API='https://acme-v02.api.letsencrypt.org/directory'

Make the same change for the other two values.

Now you could either wait for the existing cron job to run or you could manually renew your site’s certificates now. The rest of this comment will cover the latter, i.e. manually renewing the certs.

If you do NOT log in to your server as the root user (which, generally, you shouldn’t), you should first run:

$ sudo su

(Even if you do NOT log in as root, you can skip this if you ran it in the step above.)

Then renew the certs:

$ /etc/letsencrypt/acme.sh --cron --home "/etc/letsencrypt"

If you ran sudo su before, run exit now to ‘log out’ as root.

That should be it. But of course computers are (often) pretty complicated and any of the above might not work for you for one of many reasons.

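The config edit described in the comment above (switching Le_API, Le_LinkCert and Le_LinkIssuer from the acme-v01 host to the acme-v02 host), as an added shell example that is not part of the original comment or of acme.sh. The function name migrate_acme_conf and the .bak backup file are assumptions of this example; the config path in the usage comment is the one the comment uses for example.com.

```shell
#!/bin/sh
# Added example: switch the three ACME endpoint variables in an acme.sh
# domain config from the acme-v01 host to the acme-v02 host.

OLD_HOST='acme-v01.api.letsencrypt.org'
NEW_HOST='acme-v02.api.letsencrypt.org'
KEYS='Le_API|Le_LinkCert|Le_LinkIssuer'

# migrate_acme_conf FILE  (hypothetical helper name)
# Rewrites only the three variables above; every other line is left as-is.
# Keeps the first pre-change copy at FILE.bak. Returns non-zero on failure.
migrate_acme_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }

    # Back up once, keeping mode and timestamps, so a re-run never
    # overwrites the original with an already-edited file.
    if [ ! -e "$conf.bak" ]; then
        cp -p "$conf" "$conf.bak" || return 1
    fi

    tmp=$(mktemp) || return 1
    # Escape the dots so the old host is matched literally.
    old_re=$(printf '%s' "$OLD_HOST" | sed 's/\./\\./g')
    sed -E "/^($KEYS)=/ s#https://$old_re/#https://$NEW_HOST/#" \
        "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Write back with cat rather than mv so the config keeps its
    # owner and permissions (it holds account and key paths).
    cat "$tmp" > "$conf" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"

    # Fail loudly if any of the three variables still uses the old host.
    if grep -E "^($KEYS)=.*$old_re" "$conf" >/dev/null; then
        echo "old host still present in $conf" >&2
        return 1
    fi
}

# Usage, as root, with the path from the comment above:
#   migrate_acme_conf /etc/letsencrypt/example.com/example.com.conf
```

Compare the file with its .bak copy (for example with diff) before running the renewal, and remove the backup once the renewal has succeeded.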