[Cloudflare – Letsencrypt] Renew SSL Certificate with Certbot

This article walks through renewing an existing SSL (Let's Encrypt) certificate for a domain whose DNS is managed by Cloudflare, using certbot's manual DNS challenge.

Renewal steps:

0. Preparation

  • Access to the host where the certificate has to be renewed
  • Access to Cloudflare to add a TXT record in the zone

1. Check the validity of the certificate: in a browser, with an online SSL checker, or with openssl on the host

Example: vpn.devops100.net

2. Run the certbot command to renew the SSL certificate for vpn.devops100.net

# certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d *.devops100.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for vpn.devops100.net

3. Create the DNS TXT record at Cloudflare, as requested by certbot:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.vpn.devops100.net.

with the following value:

siuXXXXXXXXXXXXXXXXXXXXXXXAvrGgpAI

Before continuing, verify the TXT record has been deployed.
Depending on the DNS provider, this may take some time, from a few seconds to multiple minutes.
You can check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.vpn.devops100.net.

Look for one or more bolded line(s) below the line ';ANSWER'.
It should show the value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/vpn.devops100.net/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/vpn.devops100.net/privkey.pem
This certificate expires on 2023-02-27.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. 
Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. 
To renew this certificate, repeat this same certbot command before the certificate's expiry date.
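The NEXT STEPS output explains why this certificate will not renew on its own: in --manual mode certbot needs an authentication hook that can publish the TXT record without a human. The script below is an added example (it is not part of the original article, nor of certbot or Cloudflare) of such a hook pair for a Cloudflare-managed zone. It assumes the renewal job exports CF_ZONE_ID and CF_API_TOKEN from a root-only file, that the token is a scoped API token limited to DNS edit on this one zone rather than the account-wide Global API Key, that certbot passes CERTBOT_DOMAIN and CERTBOT_VALIDATION to the auth hook and the hook's stdout back as CERTBOT_AUTH_OUTPUT to the cleanup hook, and that the script lives at the hypothetical path /usr/local/sbin/cf-hook.sh:

```shell
#!/bin/sh
# Added example, not from the original article or from certbot/Cloudflare:
# a --manual-auth-hook / --manual-cleanup-hook pair that publishes and removes
# the _acme-challenge TXT record through the Cloudflare DNS API.
#
# Assumed invocation (hypothetical path):
#   certbot certonly --manual --preferred-challenges dns -d vpn.devops100.net \
#     --manual-auth-hook    "/usr/local/sbin/cf-hook.sh auth" \
#     --manual-cleanup-hook "/usr/local/sbin/cf-hook.sh cleanup"
# CF_ZONE_ID / CF_API_TOKEN: exported by the renewal job; token scoped to
# Zone > DNS > Edit on this zone only, never the Global API Key.

CF_API="https://api.cloudflare.com/client/v4"

# Challenge record name for the domain certbot is validating. For a wildcard
# (-d '*.devops100.net') certbot passes the name with the "*." stripped, so the
# record becomes _acme-challenge.devops100.net, which is what the CA queries.
acme_record_name() {
    printf '_acme-challenge.%s' "$1"
}

# Request body for a Cloudflare TXT record. Short TTL so a re-run is not held
# up by caching; the validation token is base64url, so no JSON escaping needed.
txt_record_json() {
    printf '{"type":"TXT","name":"%s","content":"%s","ttl":120}' "$1" "$2"
}

# Pull the new record's id out of the API response: it is the first "id"
# field; the zone id appears later as "zone_id", which this pattern skips.
record_id_from_response() {
    printf '%s' "$1" | grep -o '"id":"[0-9a-f]*"' | head -n 1 | cut -d'"' -f4
}

# Poll a public resolver until the record is visible. The CA validates from
# the outside, so the record showing in the Cloudflare dashboard is not enough.
wait_for_txt() {
    name=$1; value=$2; tries=${3:-24}
    while [ "$tries" -gt 0 ]; do
        dig +short TXT "$name" @1.1.1.1 | grep -q -- "$value" && return 0
        tries=$((tries - 1)); sleep 5
    done
    echo "TXT record $name did not become visible" >&2
    return 1
}

cf_auth() {
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    resp=$(curl -fsS -X POST "$CF_API/zones/$CF_ZONE_ID/dns_records" \
        -H "Authorization: Bearer $CF_API_TOKEN" \
        -H "Content-Type: application/json" \
        --data "$(txt_record_json "$name" "$CERTBOT_VALIDATION")")
    id=$(record_id_from_response "$resp")
    [ -n "$id" ] || { echo "Cloudflare returned no record id: $resp" >&2; exit 1; }
    printf '%s\n' "$id"   # certbot hands this stdout to the cleanup hook
    wait_for_txt "$name" "$CERTBOT_VALIDATION"
}

cf_cleanup() {
    # Delete the record so stale challenge tokens do not pile up in the zone.
    curl -fsS -X DELETE "$CF_API/zones/$CF_ZONE_ID/dns_records/$CERTBOT_AUTH_OUTPUT" \
        -H "Authorization: Bearer $CF_API_TOKEN" >/dev/null
}

case "${1:-}" in
    auth)    cf_auth ;;
    cleanup) cf_cleanup ;;
esac
```

With the hooks in place, `certbot renew` can run from a systemd timer or cron job without anyone pasting a TXT record into the Cloudflare dashboard, and the cleanup hook keeps old challenge records from accumulating in the zone. Keep the token file readable by root only, since whoever can read it can change DNS for the zone.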

4. Check the TXT record via the Google Admin Toolbox

https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.vpn.devops100.net.

5. Restart the web server after the certificate renewal.

# systemctl restart nginx.service
root@vpn-server:/etc/nginx/sites-available# systemctl status nginx.service
● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-11-29 20:05:59 UTC; 1s ago
       Docs: man:nginx(8)
    Process: 1757495 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
    Process: 1757496 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
   Main PID: 1757497 (nginx)
      Tasks: 2 (limit: 2280)
     Memory: 3.8M
     CGroup: /system.slice/nginx.service
             ├─1757497 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
             └─1757498 nginx: worker process

Nov 29 20:05:59 vpn-server systemd[1]: Starting A high performance web server and a reverse proxy server...
Nov 29 20:05:59 vpn-server systemd[1]: Started A high performance web server and a reverse proxy server.

6. Check that the website serves a valid certificate

7. Use an online SSL checker for a final analysis
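Steps 1, 6 and 7 can all be done from the host with openssl instead of an online checker. The script below is an added example (not from the original article) that uses the fullchain.pem and privkey.pem paths certbot printed above and the page's example hostname; the 30-day threshold and the path /usr/local/sbin/check-cert.sh are assumptions. Besides the expiry date, it confirms that the private key on disk belongs to the renewed certificate, and shows what an outside client actually receives from nginx for that SNI name:

```shell
#!/bin/sh
# Added example, not from the original article: local certificate checks for
# steps 1 (before renewal), 6 and 7 (after restarting nginx). Assumes the
# certbot paths printed above; the hostname follows the page's example.

CERT_FILE=/etc/letsencrypt/live/vpn.devops100.net/fullchain.pem
KEY_FILE=/etc/letsencrypt/live/vpn.devops100.net/privkey.pem
HOST=vpn.devops100.net

# Expiry of a PEM certificate file, printed as "notAfter=<date>".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate
}

# Exit 0 if the certificate stays valid for at least N days, 1 if it expires
# sooner. openssl's -checkend takes seconds, hence the conversion.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Exit 0 only if the key file belongs to the certificate. A mismatch (e.g. a
# renewal that replaced one file but not the other) makes nginx refuse to start.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# What the outside world sees: the certificate nginx serves for the SNI name,
# and openssl's own verdict on whether it chains to a trusted root.
served_cert_check() {
    out=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null)
    printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -enddate
    printf '%s\n' "$out" | grep 'Verify return code'
}

# Run as: sh /usr/local/sbin/check-cert.sh check  (hypothetical path)
if [ "${1:-}" = "check" ]; then
    cert_not_after "$CERT_FILE"
    cert_valid_for_days "$CERT_FILE" 30 || echo "fewer than 30 days left: renew now" >&2
    cert_matches_key "$CERT_FILE" "$KEY_FILE" && echo "private key matches certificate"
    served_cert_check "$HOST"
fi
```

The local file check (step 1) tells you when to renew; the served-certificate check (steps 6 and 7) catches the case where the files on disk were renewed but nginx is still holding the old certificate because it was never restarted.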