Expired Certificate
My most recent error was caused because certbot couldn't find the verification file that it placed on the server. I know this was caused by one of my rewrite rules in .htaccess but I really don't want to waste the time each month figuring this stuff out. It has become easier (for me anyway) to run certbot manually and just get it over with. It takes only 5 minutes and I no longer have to deal with random errors that take several hours to debug. So here's how I did it:
I first go to the directory where certbot is installed and run the certbot command with the manual directive as shown:
./certbot-auto certonly --manual
Certbot will now ask for the domain name like so:
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): xxx.example.com
You then get a notification that "the IP of this machine will be publicly logged as having requested this certificate." I answered Yes to this.
You now have to do the big manual step, which is super easy:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:
FF-rvRhkGtfLbJIMPfFkkGtDprhPNoKUqHSk4CE.wgSrF1jAzY6T0ve4sdhUZZELm73swjwh
And make it available on your web server at this URL:
http://xxx.example.com/.well-known/acme-challenge/FF-KcrvRhGtfLbJIMfFkvCkGtDDIejijdiuef8
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The easiest way to do this is to create the text file manually on your local machine and FTP it to the correct location on the server. Make sure the filename doesn't have an extension. So in the case of the above, the file name should be:
FF-KcrvRhGtfLbJIMfFkvCkGtDDIejijdiuef8
and it should only contain the string:
FF-rvRhkGtfLbJIMPfFkkGtDprhPNoKUqHSk4CE.wgSrF1jAzY6T0ve4sdhUZZELm73swjwh
(I have used a fake name and string above, but you will have your own generated by certbot. Don't use the above ;) )
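A scripted version of the manual step above, as an added example that is not part of the original post: it writes the challenge file under a webroot and checks what the server actually returns before you let certbot continue. The function names, the webroot argument and the use of curl are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# webroot argument are assumptions; use the values certbot prints for you.

# write_challenge WEBROOT TOKEN KEYAUTH
# Creates WEBROOT/.well-known/acme-challenge/TOKEN containing only KEYAUTH.
write_challenge() (
    webroot=$1 token=$2 keyauth=$3
    # Accept only letters, digits, "-" and "_". This rules out a file
    # extension (no ".") and any path component ("/" or "..").
    case $token in
        ''|*[!A-Za-z0-9_-]*)
            echo "invalid token name: $token" >&2
            exit 2 ;;   # function body is a subshell, so this only leaves it
    esac
    dir=$webroot/.well-known/acme-challenge
    mkdir -p "$dir" || exit 1
    # printf '%s' writes the string exactly, with no trailing newline.
    printf '%s' "$keyauth" > "$dir/$token" || exit 1
    chmod 644 "$dir/$token"   # must be readable by the web server user
)

# check_served URL KEYAUTH
# Fetches the challenge URL with a plain HTTP GET and compares the body to
# the expected string. -f turns a 404 or 403 into a failure.
check_served() (
    url=$1 keyauth=$2
    body=$(curl -fsS --max-time 10 "$url") || {
        echo "fetch failed: $url" >&2
        exit 1
    }
    [ "$body" = "$keyauth" ] || {
        echo "served content differs from the expected string" >&2
        exit 1
    }
)

# Usage, with the values from certbot's prompt in place of <...>:
#   write_challenge /var/www/html '<token>' '<string from certbot>'
#   check_served 'http://xxx.example.com/.well-known/acme-challenge/<token>' \
#                '<string from certbot>'
```

Run check_served before pressing Enter in certbot; a rewrite rule that swallows /.well-known/ shows up as a failed fetch or a content mismatch.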
You should get a message that contains the following phrase:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/xxx.example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/xxx.nogalis.com/privkey.pem
I had to wait about 10 minutes for some reason for Chrome to show the certificate was updated.
I know the point of certbot is to automate all this, but when you're having issues and you're in a rush to update the cert this should come in handy.