This article assumes renewal of an existing TLS certificate issued by Let's Encrypt, with DNS for the domain managed by Cloudflare. Certbot is run with the manual DNS-01 challenge, so the TXT record is created by hand in the Cloudflare dashboard.
Renewal steps:
0. Preparation
- Shell access (root or sudo) to the host where the certificate has to be renewed
- Access to the Cloudflare account for the zone, with permission to add a DNS TXT record
1. Check the validity of the current certificate: in the browser, with an online SSL checker, or with openssl on the host.
Example: vpn.devops100.net
2. Run the certbot command to renew the certificate for vpn.devops100.net. The name given with -d must be the host the certificate is for; the output below shows the request was for vpn.devops100.net, and a wildcard (*.devops100.net) would instead ask for the TXT record at _acme-challenge.devops100.net.
# certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d vpn.devops100.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for vpn.devops100.net
3. Create the DNS TXT record at Cloudflare with the name and value certbot prints (type TXT, the name exactly as shown, the value copied verbatim). Do not press Enter until the record is visible from outside (step 4):
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:
_acme-challenge.vpn.devops100.net.
with the following value:
siuXXXXXXXXXXXXXXXXXXXXXXXAvrGgpAI
Before continuing, verify the TXT record has been deployed.
Depending on the DNS provider, this may take some time, from a few seconds to multiple minutes.
You can check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.vpn.devops100.net.
Look for one or more bolded line(s) below the line ';ANSWER'.
It should show the value(s) you've just added.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/vpn.devops100.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/vpn.devops100.net/privkey.pem
This certificate expires on 2023-02-27.
These files will be updated when the certificate renews.
NEXT STEPS:
- This certificate will not be renewed automatically.
Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided.
To renew this certificate, repeat this same certbot command before the certificate's expiry date.
4. Check the TXT record via the Google Toolbox before pressing Enter in step 3. If certbot is told to continue before the record is visible, the challenge fails and the command has to be run again, which prints a new value; the old TXT record can then be deleted.
https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.vpn.devops100.net.
5. Restart (or reload) the webserver after the renewal so nginx reads the new files. The paths under /etc/letsencrypt/live/ are stable symlinks that certbot updates in place, so the nginx configuration itself does not change. A reload is enough and is the safer choice: it does not drop active connections, and nginx keeps serving with the old configuration if the new one fails to parse. The restart used here also works:
# systemctl restart nginx.service
root@vpn-server:/etc/nginx/sites-available# systemctl status nginx.service
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2022-11-29 20:05:59 UTC; 1s ago
Docs: man:nginx(8)
Process: 1757495 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 1757496 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 1757497 (nginx)
Tasks: 2 (limit: 2280)
Memory: 3.8M
CGroup: /system.slice/nginx.service
├─1757497 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
└─1757498 nginx: worker process
Nov 29 20:05:59 vpn-server systemd[1]: Starting A high performance web server and a reverse proxy server...
Nov 29 20:05:59 vpn-server systemd[1]: Started A high performance web server and a reverse proxy server.
6. Check in the browser that the site presents the renewed certificate (the "valid until" date should be the new expiry). If the old date is still shown, nginx has not been reloaded or the browser is reusing a cached session; retry in a private window.
7. Use an online SSL checker for a final analysis of the chain, expiry date and protocol settings.
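The checks behind steps 1, 3/4 and 6 can be done from the host without an online tool. The script below is an added example, not code from the original article: it assumes a Linux host with GNU date, dig and openssl installed, uses the article's own host name and certbot paths, queries the public resolver 1.1.1.1 for the TXT record (an assumption; any resolver outside the host works), and embeds a constructed sample of dig output carrying the article's redacted token so the parsing can be exercised offline. The file name renew-check.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original article: helper checks for the manual
# certbot DNS-01 renewal described above. Assumes a Linux host with GNU date,
# dig and openssl; DOMAIN and the certbot live path are the article's own values.
set -eu

DOMAIN="${DOMAIN:-vpn.devops100.net}"
LIVE_DIR="/etc/letsencrypt/live/$DOMAIN"

# Constructed sample of what `dig +short TXT` prints once the record is live
# (the token is the article's redacted value, not a real one).
SAMPLE_DIG_ANSWER='"siuXXXXXXXXXXXXXXXXXXXXXXXAvrGgpAI"'

# Whole days from NOW (epoch seconds) until NOTAFTER, an openssl notAfter
# string such as "Feb 27 00:00:00 2023 GMT". Negative once expired.
days_until() {
    exp=$(date -u -d "$1" +%s)
    echo $(( (exp - $2) / 86400 ))
}

# Step 1: days left on the certificate currently installed on the host.
cert_days_left() {
    notafter=$(openssl x509 -in "$LIVE_DIR/fullchain.pem" -noout -enddate | cut -d= -f2)
    days_until "$notafter" "$(date -u +%s)"
}

# Steps 6/7: days left on the certificate nginx actually serves. SNI is sent
# (-servername) so a host with several vhosts returns the right certificate.
served_days_left() {
    notafter=$(openssl s_client -connect "$DOMAIN:443" -servername "$DOMAIN" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate | cut -d= -f2)
    days_until "$notafter" "$(date -u +%s)"
}

# Steps 3/4: true when one of the TXT strings in ANSWER equals TOKEN exactly.
# dig prints every TXT value double-quoted, one per line, so -x matches a whole
# line; stale records from earlier renewals cannot produce a false pass unless
# they carry this exact token.
txt_has_token() {
    token="$1"; answer="$2"
    printf '%s\n' "$answer" | grep -Fqx "\"$token\""
}

# Live lookup against a public resolver rather than the host's own cache: a
# lookup made before the record existed leaves a cached negative answer on the
# host, which is the usual cause of "I added the record but certbot fails".
txt_live() {
    dig +short TXT "_acme-challenge.$DOMAIN" @1.1.1.1
}

# Self-check of the pure helpers against known values: 2022-11-29 20:05:59 UTC
# (epoch 1669752359, the timestamp in the article's systemctl output) is 89
# whole days before the 2023-02-27 expiry that certbot reported.
selfcheck() {
    [ "$(days_until 'Feb 27 00:00:00 2023 GMT' 1669752359)" -eq 89 ] &&
    txt_has_token 'siuXXXXXXXXXXXXXXXXXXXXXXXAvrGgpAI' "$SAMPLE_DIG_ANSWER" &&
    ! txt_has_token 'some-other-token' "$SAMPLE_DIG_ANSWER"
}

# Usage: renew-check.sh expiry | txt TOKEN | served | reload
# (no arguments: only defines the functions, so the file can be sourced)
case "${1:-}" in
    expiry) cert_days_left ;;
    txt)    txt_has_token "$2" "$(txt_live)" && echo "TXT record visible: ok" ;;
    served) served_days_left ;;
    reload) nginx -t && systemctl reload nginx.service ;;
esac
```

`renew-check.sh expiry` answers step 1 with a number of days instead of a date to eyeball; `renew-check.sh txt <value certbot printed>` replaces the Google Toolbox lookup in step 4 and exits non-zero until the record is really visible from outside the host; `renew-check.sh served` confirms after step 5 that the certificate on the wire, not just the one on disk, is the renewed one. Since certbot's own output states that a --manual certificate will not renew itself, the `expiry` check is worth running from a scheduled job so the repeat of this procedure is not forgotten before the expiry date.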