Let's Encrypt certificate expiration notice

Hi,
I got a “Let’s Encrypt certificate expiration notice” and didn’t take the time to try and renew it before it expired. When I tried renewing it using sudo certbot renew, sudo certbot --force-renew and sudo certbot renew --force-renewal I get “No renewals were attempted” or “Certbot doesn’t know how to automatically configure the web server on this system.”
Any suggestions how to update Let’s Encrypt certificates?
Thanks,
Eric


Hi,

If you installed your self-hosted instance using the provided scripts, you should have an automated renewal in your /var/spool/cron/crontabs/root (reference: https://gitlab.e.foundation/e/infra/ecloud-selfhosting/-/blob/master/deployment/salt/base/docker-compose.sls?ref_type=heads).
This should provide you with a /var/log/letsencrypt/letsencrypt-cron.log log file (logrotate’d).
You can check if it’s active with journalctl -t CRON -g ssl.

As you can see we use a custom configuration file, not the default at /etc/letsencrypt/. That’s why your manual commands are failing.

You can run the script manually; I recommend using sudo su - first :wink:

If you added or changed something in nginx configuration (like adding a site configuration with a new DNS subdomain), you may have to stop/start the nginx container:

  • sudo su -
  • cd /mnt/repo-base
  • docker-compose stop nginx
  • bash scripts/ssl-renew.sh
  • docker-compose up -d

As a side note, to have automatic renewal working you must have this in every nginx site configuration file:

server {
    listen 8000;
    server_name YOU_DNS_DOMAIN_OR_SUBDOMAIN;
    location /.well-known/acme-challenge/ {
        alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

Example reference: https://gitlab.e.foundation/e/infra/ecloud-selfhosting/-/blob/master/templates/nginx/sites-enabled/welcome.conf?ref_type=heads.
And of course, 80/TCP HTTP port enabled for nginx in /mnt/repo-base/docker-compose.yaml:

  nginx:
    image: nginx:stable-alpine
    container_name: nginx
    restart: unless-stopped
    networks:
      - default
    ports:
      - "80:8000"
      - "443:4430"
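A pre-renewal self-check you can run on the host before calling scripts/ssl-renew.sh, added here as an example; it is not part of this thread or of the ecloud-selfhosting scripts. It assumes a GNU/Linux host with curl and openssl, and that the host directory which the nginx container mounts at /etc/letsencrypt/acme-challenge/ is passed as the second argument (an assumption, since the thread does not name it). It checks that a token placed in .well-known/acme-challenge/ is actually served back over port 80 (the path certbot's webroot renewal depends on) and how many days the live certificate has left.

```shell
#!/usr/bin/env bash
# Self-check for the HTTP-01 renewal path described above (added example).
# Assumption: $2 is the host path mounted into nginx as /etc/letsencrypt/acme-challenge/.
set -u

# Return 0 when a constructed probe token is served back unchanged over plain
# HTTP on port 80; a "Connection refused" here means the 80:8000 port mapping
# or the nginx site block for this domain is not in place.
probe_challenge() {
    local domain="$1" webroot="$2" token dir body rc
    token="selfcheck-$(date +%s)-$$"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 2
    body="$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token")"
    rc=$?
    rm -f "$dir/$token"                      # never leave probe files behind
    [ "$rc" -eq 0 ] && [ "$body" = "$token" ]
}

# Days from $2 (epoch seconds, default: now) until the date in $1, given in the
# form openssl prints it, e.g. "notAfter=Mar  1 12:00:00 2025 GMT".
days_until() {
    local not_after="${1#notAfter=}" now="${2:-$(date +%s)}" exp
    exp="$(date -u -d "$not_after" +%s)" || return 2   # GNU date syntax
    echo $(( (exp - now) / 86400 ))
}

# Read the expiry of the certificate nginx is currently serving on 443.
cert_days_left() {
    local domain="$1" na
    na="$(printf '' | openssl s_client -servername "$domain" -connect "$domain:443" 2>/dev/null \
          | openssl x509 -noout -enddate)" || return 2
    days_until "$na"
}

# Usage: ./selfcheck.sh YOUR_DNS_DOMAIN /path/to/host/acme-challenge
if [ $# -ge 2 ]; then
    if probe_challenge "$1" "$2"; then
        echo "challenge path OK"
    else
        echo "challenge path FAILED: fix port 80 / nginx site block before renewing"
    fi
    d="$(cert_days_left "$1")" && echo "certificate expires in $d days"
fi
```

Run it with the same domain you put in server_name; a failing probe is the thing to fix before retrying the renewal, so you do not burn Let's Encrypt's rate limits on attempts that cannot succeed.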

I am getting a “Connection refused” when fetching the …/.well-known/acme-challenge/… temporary challenge files. This is probably why it didn’t automatically update the certificates in the first place. I tried it twice, so I am not sure if it will work again for 7 days (the Let’s Encrypt limit if it actually made a certificate, but I don’t think it did). I will reinstall next week, and then check to see if everything is correct for auto renewal.
Thanks
