In theory, there is no difference between practice and theory. In practice, there is.

Update
What I wrote here is no longer necessary. There is a new fix to apply. Read it here.

In theory, you just need to add /usr/local/sbin/certbot-auto renew as a weekly cron job on your server to renew your website certificate before it expires. In practice, however, this is not enough.

On June 11th, I received a warning email from "Let's Encrypt Expiry Bot" letting me know that my website certificate was about to expire. At first, I thought it was a privileges issue or something like that. To figure out exactly what went wrong, I logged onto my server and ran the command again. This is what I found:

...
Failed authorization procedure. immontilla.eu (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://immontilla.eu/.well-known/acme-challenge/....
...

Clearly, the issue was the HTTP. In my nginx configuration, all HTTP traffic is automatically redirected to HTTPS, which is a recommended security practice. That's why access to http://immontilla.eu/.well-known/acme-challenge/.... was not allowed, and the process then failed.

To solve it, I just needed to:

  1. Deactivate the redirection temporarily.
  2. Re-run the command.
  3. Activate the redirection again.

If you followed my post "Securing my Digital Ocean website with Let's Encrypt", make these changes in your server's nginx.conf file:

1. Temporarily deactivate the 301 redirection and add a rule to allow all at the /.well-known path.

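server {
    listen 80;
    server_name <your.domain.com>;
    # Prefix match: only URIs that start with /.well-known/ are served over plain HTTP
    location ^~ /.well-known/ {
        allow all;
    }
    # Redirect disabled only while the renewal runs
    #return 301 https://$host$request_uri;
}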

2. Restart nginx.

# Restart only if the configuration test passes
sudo nginx -t && sudo service nginx restart

3. Re-run the command.

/usr/local/sbin/certbot-auto renew

4. Activate the redirection again and comment out the rule for the /.well-known path.

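server {
    listen 80;
    server_name <your.domain.com>;
    # Challenge rule commented out again now that the renewal is done
    #location ^~ /.well-known/ {
    #    allow all;
    #}
    # All HTTP traffic is redirected to HTTPS again
    return 301 https://$host$request_uri;
}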

5. Restart nginx.

# Restart only if the configuration test passes
sudo nginx -t && sudo service nginx restart

And that was all! Now, my Let's Encrypt certificate is valid for 90 more days.
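An alternative to toggling the redirect by hand, added here as an example and not taken from the original post: keep the 301 for every request except the ACME challenge directory, so the HTTP-to-HTTPS redirect is never left disabled after a renewal. It assumes certbot renews with the webroot authenticator, and /var/www/letsencrypt is a hypothetical webroot; use the webroot path from your own renewal configuration.

```nginx
# Added example (not from the original post). Assumptions: certbot uses the
# webroot authenticator and writes its challenge files under the hypothetical
# directory /var/www/letsencrypt/.well-known/acme-challenge/.
server {
    listen 80;
    server_name <your.domain.com>;

    # Only the ACME http-01 challenge directory is answered over plain HTTP.
    # "^~" makes this a prefix match that wins over any regex location.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # hypothetical webroot, adjust to yours
        default_type text/plain;     # challenge tokens are plain text files
        try_files $uri =404;         # no directory listing, no fallback page
    }

    # Everything else keeps the permanent redirect to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Validate it with sudo nginx -t before restarting; with this block in place the weekly cron job needs no manual changes to nginx.conf.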