@manifestinteractive
Created October 12, 2017 22:42
Fix Let's Encrypt Failing Certificates


For some reason, sometimes Let's Encrypt just has a hard time renewing SSL certificates and you might need to recreate them. Here is the process I take to get things back up and running fairly quickly with Digital Ocean Nginx Servers.

Check Issues

Change to Let's Encrypt directory:

cd /opt/letsencrypt

Check which certificates are having issues:

./letsencrypt-auto renew

Remove Broken Certificates

Run the following command, then pick from the list of certificates to delete the ones you are having problems with.

./letsencrypt-auto delete

Temporarily change HTTPS to HTTP

Edit the nginx config file to use HTTP:

sudo nano /etc/nginx/sites-available/mydomain.com

Here you will want to comment out any lines that look like this:

listen 443 ssl http2;
listen [::]:443 ssl http2 ipv6only=on;
include snippets/ssl-mydomain.com.conf;
include snippets/ssl-params.conf;

and replace them with just this:

listen 80;
listen [::]:80 ipv6only=on;

Check that the config file edits did not break anything:

sudo nginx -t

You should get something that looks like this:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart nginx:

sudo systemctl restart nginx

Recreate SSL Certificates

Once you have restarted nginx, you can recreate the certificates:

sudo ./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/mydomain.com -d mydomain.com -d www.mydomain.com

You will know this worked when you see something like:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mydomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mydomain.com/privkey.pem
   Your cert will expire on 2018-01-10. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

If you do not see this, make sure you do not have Basic Authentication or some other configuration set up that would prevent outside access to your website, since the webroot challenge has to be reachable from the outside.

Revert HTTP back to HTTPS

Edit the nginx config file to use HTTPS again:

sudo nano /etc/nginx/sites-available/mydomain.com

Just undo everything you did before ;) Uncomment the listen 443 and include lines, and remove the two listen 80 lines.

Check that the config file edits did not break anything:

sudo nginx -t

You should get something that looks like this:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart nginx:

sudo systemctl restart nginx
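
The two hand edits above (switching the site to HTTP and undoing it afterwards) can be scripted so that the revert is an exact restore and the site is not left serving plain HTTP by mistake. This is an added example, not part of the original gist; the function names and the .https-backup suffix are assumptions, and it assumes one server block per site file with nginx loading only sites-enabled/.

```shell
#!/bin/sh
# Added example, not part of the original gist. Assumes one server block per
# site file, using the listen/include lines shown above, and that nginx loads
# sites-enabled/ only, so a backup beside the file in sites-available/ is ignored.
BACKUP_SUFFIX=".https-backup"   # hypothetical backup name

# tls_state FILE: print https, http-only, mixed or none, judged from the
# active (uncommented) listen lines.
tls_state() {
    awk '
        /^[ \t]*listen[ \t].*443.*ssl/          { tls = 1 }
        /^[ \t]*listen[ \t]+(\[::\]:)?80[ \t;]/ { plain = 1 }
        END { s = "none"; if (plain) s = "http-only"; if (tls) s = "https"
              if (tls && plain) s = "mixed"; print s }
    ' "$1"
}

# to_http FILE: keep an exact copy, comment out the TLS lines and put the two
# port-80 listeners in their place.
to_http() {
    [ -e "$1$BACKUP_SUFFIX" ] && { echo "backup exists: $1$BACKUP_SUFFIX" >&2; return 1; }
    cp -p "$1" "$1$BACKUP_SUFFIX" || return 1
    awk '
        /^[ \t]*listen[ \t].*443/ || /^[ \t]*include[ \t]+snippets\/ssl-/ {
            if (!added) { print "    listen 80;"; print "    listen [::]:80 ipv6only=on;"; added = 1 }
            print "# " $0; next
        }
        { print }
    ' "$1$BACKUP_SUFFIX" > "$1"
}

# to_https FILE: restore the saved HTTPS config byte for byte.
to_https() {
    [ -f "$1$BACKUP_SUFFIX" ] || { echo "no backup for $1" >&2; return 1; }
    cat "$1$BACKUP_SUFFIX" > "$1" && rm -f "$1$BACKUP_SUFFIX"
}

# Run as root: <script> http|https|state /etc/nginx/sites-available/mydomain.com
# then "nginx -t" and "systemctl restart nginx" as in the steps above.
case "${1:-}" in
    http)  to_http "$2" ;;
    https) to_https "$2" ;;
    state) tls_state "$2" ;;
esac
```

After the final restart, the state subcommand should print https; anything else means the site file is still in its temporary form.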