Renewing Let's Encrypt Certificate
In theory, there is no difference between practice and theory. In practice, there is.
Update
What I wrote here is no longer necessary. There is a new fix to apply. Read it here.
In theory, you just need to add /usr/local/sbin/certbot-auto renew as a weekly cron job on your server to renew your website certificate before it expires. However, in practice, this is not enough.
On June 11th, I received a warning email from "Let's Encrypt Expiry Bot" letting me know that my website certificate was about to expire. At first, I thought it was a privileges issue or something like that. To figure out exactly what went wrong, I logged onto my server and ran the command again. This is what I found:
...
Failed authorization procedure. immontilla.eu (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://immontilla.eu/.well-known/acme-challenge/....
...
Clearly, the issue was the http. In my nginx configuration, all HTTP traffic is automatically redirected to HTTPS, which is a recommended security practice. That's why access to http://immontilla.eu/.well-known/acme-challenge/.... was not allowed, and so the process failed.
To solve it, I just needed to:
- Deactivate the redirection temporarily.
- Re-run the command.
- Activate the redirection again.
If you followed my post Securing my Digital Ocean website with Let's Encrypt, make these changes in your server's nginx.conf file:
1. Temporarily deactivate the 301 redirection and add a rule that allows all access to the /.well-known path.
    server {
        listen 80;
        server_name <your.domain.com>;
        location ~ /.well-known {
            allow all;
        }
        #return 301 https://$host$request_uri;
    }
2. Restart nginx.
    sudo nginx -t
    sudo service nginx restart
3. Re-run the command.
    /usr/local/sbin/certbot-auto renew
4. Activate the redirection again and comment out the rule for the /.well-known path.
    server {
        listen 80;
        server_name <your.domain.com>;
        #location ~ /.well-known {
        #    allow all;
        #}
        return 301 https://$host$request_uri;
    }
5. Restart nginx.
    sudo nginx -t
    sudo service nginx restart
And that was all! Now, my Let's Encrypt certificate is valid for another 90 days.
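The five steps above can be run as a single script that puts the redirect back even when the renewal fails part-way, so port 80 is never left serving plain HTTP. This is an added example, not part of the original post: the function names and the renew.sh file name are hypothetical, and it assumes it runs as root against the file that holds the port-80 server block shown in step 4.

```sh
#!/bin/sh
# Added example, not the author's code. Run as root.
# Assumption: the file passed in holds the port-80 server block shown above,
# with the /.well-known location commented out and the redirect active.

# Step 1: print the config with the /.well-known location uncommented
# and the "return 301" redirect commented out.
open_challenge_path() {
    sed -e '/^[[:space:]]*#location ~ \/\.well-known/,/^[[:space:]]*#}/ s/^\([[:space:]]*\)#[[:space:]]*/\1/' \
        -e 's/^\([[:space:]]*\)return 301 /\1#return 301 /' "$1"
}

# Succeeds only if the file has an active (uncommented) HTTPS redirect.
redirect_active() {
    grep -Eq '^[[:space:]]*return 301 https://' "$1"
}

# Steps 1-5 as one unit. The original file is restored and nginx restarted
# even when the renewal fails, so port 80 never stays without its redirect.
renew_with_challenge_open() {
    conf="$1"
    status=0
    backup=$(mktemp) || return 1
    cp "$conf" "$backup" || return 1
    open_challenge_path "$backup" > "$conf" &&
        nginx -t && service nginx restart &&
        /usr/local/sbin/certbot-auto renew || status=$?
    cp "$backup" "$conf" && rm -f "$backup" || status=1
    nginx -t && service nginx restart || status=$?
    redirect_active "$conf" || status=1
    return "$status"
}

# Only touches the server when called as: sh renew.sh --run /path/to/nginx.conf
# (renew.sh is a hypothetical file name for this script).
if [ "${1:-}" = "--run" ]; then
    renew_with_challenge_open "${2:?path to nginx config file}"
fi
```

A non-zero exit status means either the renewal failed or the redirect could not be confirmed as active afterwards, which makes the script suitable for a cron job that mails on failure.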