How to delete or renew Letsencrypt Certificate

Normally we let an issued certificate expire as per its timeline, but sometimes we might have to revoke or delete the SSL certificate. Please follow the steps below to do so.

Checking where files are stored.

Let us go to /etc/letsencrypt, where you will find the following folder structure

/etc/letsencrypt$ ls -la
total 56
drwxr-xr-x  9 root root 4096 Aug 19 17:12 .
drwxr-xr-x 99 root root 4096 Aug 15 06:39 ..
drwx------  4 root root 4096 May  1 12:24 accounts
drwx------  8 root root 4096 Aug 19 12:27 archive
-rw-r--r--  1 root root  121 Mar 21 10:24 cli.ini
drwxr-xr-x  2 root root 4096 Aug 19 12:27 csr
drwx------  2 root root 4096 Aug 19 12:27 keys
drwx------  8 root root 4096 Aug 19 12:27 live
-rw-r--r--  1 root root 1143 May  1 11:50 options-ssl-nginx.conf
drwxr-xr-x  2 root root 4096 Aug 19 12:27 renewal
drwxr-xr-x  5 root root 4096 May  1 11:50 renewal-hooks
-rw-r--r--  1 root root  424 May  1 11:50 ssl-dhparams.pem
-rw-r--r--  1 root root   64 May  1 11:50 .updated-options-ssl-nginx-conf-digest.txt
-rw-r--r--  1 root root   64 May  1 11:50 .updated-ssl-dhparams-pem-digest.txt

I tried to access the accounts and archive folders but it did not let me

/etc/letsencrypt$ cd accounts/
-bash: cd: accounts/: Permission denied

Let us find where the files for the required domain are stored

/etc/letsencrypt$ sudo find /etc/letsencrypt/ -name "*techtrekking*"
/etc/letsencrypt/archive/techtrekking.net
/etc/letsencrypt/live/techtrekking.net
/etc/letsencrypt/renewal/techtrekking.net.conf

Deleting the required certificate

sudo certbot delete is the simplest command to delete certificates.

/etc/letsencrypt$ sudo certbot delete 
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which certificate(s) would you like to delete?
-------------------------------------------------------------------------------
1: mydomain.com
2: mydomain.com
3: mydomain.me
4: techtrekking.net
5: mydomain.com
6: mydomain.me
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 4

-------------------------------------------------------------------------------
Deleted all files relating to certificate techtrekking.net.

-------------------------------------------------------------------------------

How to renew letsencrypt certificate manually

It is simpler than I thought. Simply run the command sudo certbot renew and it will renew whichever certificates are due for renewal. For the others, you will get a message that the domain is not due for renewal yet.

/etc/letsencrypt$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mydomain.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mydomain.me.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mydomain.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mydomain.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mydomain.me.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem expires on 2018-09-28 (skipped)
  /etc/letsencrypt/live/mydomain.me/fullchain.pem expires on 2018-11-09 (skipped)
  /etc/letsencrypt/live/techtrekking.net/fullchain.pem expires on 2018-09-28 (skipped)
  /etc/letsencrypt/live/mydomain.com/fullchain.pem expires on 2018-11-17 (skipped)
  /etc/letsencrypt/live/mydomain.me/fullchain.pem expires on 2018-11-09 (skipped)
No renewals were attempted.
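As an added example (not from the original post), the script below mirrors the "not yet due for renewal" decision shown above using certbot's default 30-day window, so you can see in advance which deployed certificates the next certbot renew will actually touch. The sample dates are constructed from the expiry dates above; the live check assumes GNU date and openssl are available on the box.

```shell
#!/bin/bash
# Added example, not part of the original post or of certbot itself.
# Reports which Let's Encrypt certificates are inside certbot's default
# 30-day renewal window. Assumes GNU date (Ubuntu) and openssl in PATH.

RENEW_BEFORE_DAYS=30   # certbot's default renew_before_expiry

# days_left NOTAFTER NOW_EPOCH
# NOTAFTER is the line printed by "openssl x509 -noout -enddate",
# e.g. "notAfter=Sep 28 12:00:00 2018 GMT". Prints whole days left
# (negative once the certificate has already expired).
days_left() {
    local expiry now_epoch exp_epoch
    expiry=${1#notAfter=}
    now_epoch=$2
    exp_epoch=$(date -u -d "$expiry" +%s)
    echo $(( (exp_epoch - now_epoch) / 86400 ))
}

# renewal_due NOTAFTER NOW_EPOCH -> "due" or "skipped", the same decision
# certbot prints as "Cert not yet due for renewal" / "(skipped)".
renewal_due() {
    local left
    left=$(days_left "$1" "$2")
    if [ "$left" -le "$RENEW_BEFORE_DAYS" ]; then echo due; else echo skipped; fi
}

# check_live_certs: apply the decision to every deployed certificate.
check_live_certs() {
    local now pem name notafter
    now=$(date -u +%s)
    for pem in /etc/letsencrypt/live/*/fullchain.pem; do
        [ -r "$pem" ] || continue
        name=$(basename "$(dirname "$pem")")
        notafter=$(openssl x509 -noout -enddate -in "$pem")
        printf '%-30s %4s days left: %s\n' "$name" \
            "$(days_left "$notafter" "$now")" "$(renewal_due "$notafter" "$now")"
    done
}

# Constructed sample: expiry dates from the "certbot renew" run above, checked
# as of 2018-08-19 (the date on the directory listing). The third date is an
# invented one that falls inside the window, to show the "due" branch.
NOW=$(date -u -d "2018-08-19 17:12:00 UTC" +%s)
for sample in "notAfter=Sep 28 23:59:59 2018 GMT" \
              "notAfter=Nov  9 23:59:59 2018 GMT" \
              "notAfter=Sep  1 23:59:59 2018 GMT"; do
    printf '%s -> %s days left, %s\n' "$sample" \
        "$(days_left "$sample" "$NOW")" "$(renewal_due "$sample" "$NOW")"
done

if [ -d /etc/letsencrypt/live ]; then check_live_certs; fi
```

Run it as root (or with sudo) if you want the live check to read the private /etc/letsencrypt/live directory shown in the listing above.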

How to setup cron job for Let’s Encrypt SSL renewal

Let's Encrypt is a great tool. It provides free SSL certificates, but each certificate comes with a validity of 90 days, so to make sure you do not run out of SSL certificate validity you need to renew the SSL certificate every 90 days.

As per this post from the Let's Encrypt forum, certbot will process the renewal request 30 days prior to the date of expiration, so it makes sense to schedule a cron job which will run every month to ensure all certificates are valid all the time.

Open the crontab file using the following command

sudo crontab -e

When you run this command for the first time, it will ask you to choose an editor

no crontab for root - using an empty one

Select an editor. To change later, run 'select-editor'.
1. /bin/ed
2. /bin/nano <---- easiest
3. /usr/bin/code
4. /usr/bin/vim.tiny

Choose 1-4 [2]:

You can choose any editor that you are comfortable with. I chose the second option. It will open a file with the following content.

#Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command

Add the following line at the end and save it. (This will run the cron job at 00:00 hr on the 1st of every month.)

0 0 1 * * /usr/bin/certbot renew --quiet --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx"

That’s it, you are all set.

You can use the cron job tool https://crontab.guru/ to cross-check the schedule.

Verification.

To check if this is working, you can change the schedule as below (it will run the cron job every minute).

* * * * * /usr/bin/certbot renew --quiet --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx"


How to check cron job logs

sudo grep CRON /var/log/syslog

This will show the logs as below

May 1 11:56:01 ubuntu-512mb-server CRON[8519]: (root) CMD (/usr/bin/certbot renew --quiet --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx")
May 1 11:57:01 ubuntu-512mb-server CRON[8594]: (root) CMD (/usr/bin/certbot renew --quiet --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx")
May 1 11:58:01 ubuntu-512mb-server CRON[8616]: (root) CMD (/usr/bin/certbot renew --quiet --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx")
May 1 11:59:01 ubuntu-512mb-server CRON[8624]: (root) CMD (/usr/bin/certbot renew --quiet --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx")
May 1 12:00:01 ubuntu-512mb-server CRON[8631]: (root) CMD (/usr/bin/certbot renew --quiet --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx")

If you are running into any issues, please do let me know

How to add SSL and HTTPS to WordPress

SSL certificates make your website more trustworthy to readers: a visitor is highly likely to spend more time on your site, or trust your content more, when they see ‘Secure’ in green in the address bar. Not just this, search engine providers give a higher rank to secure sites as compared to non-secure websites. You can follow the steps below to make your WordPress website “Secure” at no extra cost.

Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates.

Step#1 Install Certbot

sudo add-apt-repository ppa:certbot/certbot

Update packages

sudo apt-get update

Install the certbot nginx package

sudo apt-get install python-certbot-nginx

Step#2 Configure NGINX

Most likely this is already configured. Just ensure your host names are set correctly, as below.

server_name example.com www.example.com;

Verify the NGINX syntax and reload it.

sudo nginx -t

sudo systemctl reload nginx

Step#3 Allow HTTPS through firewall.

sudo ufw allow 'Nginx Full'

Once this is done, you can check what is allowed

sudo ufw status

Step#4 Obtain SSL Certificate.

Use the following command to obtain the SSL certificate. It will ask for the email ID where notifications will be sent.

sudo certbot --nginx -d example.com -d www.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

Once you enter the email ID and hit enter, it will ask for a few usual confirmations.

Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

Once this is done, it will ask about the redirect. Please find below a sample from this site.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for techtrekking.net
http-01 challenge for www.techtrekking.net
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/techtrekkingnet
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/techtrekkingnet

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/techtrekkingnet
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/techtrekkingnet

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://techtrekking.net and
https://www.techtrekking.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=techtrekking.net
https://www.ssllabs.com/ssltest/analyze.html?d=www.techtrekking.net
-------------------------------------------------------------------------------

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/techtrekking.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/techtrekking.net/privkey.pem
Your cert will expire on 2018-07-30. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le


Step#5 Configuring WordPress

Once you have made these changes, making sure your WordPress is compatible with them is a must. Although I did not face any issue even without making changes in WordPress, I recommend you do it.

WordPress Address Configuration for SSL

Although it is not mandatory, please restart your NGINX server. Once done, when you access your website, you will see “Secure” in green, just like below.

WordPress SSL

This SSL certificate is valid for 90 days; please refer to this post to see how to set up a cron job for renewal of the Let’s Encrypt SSL certificate.