letsencrypt renewal

I set up letsencrypt SSL for http://www.somebits.com a while ago. When I installed it in early January, there was no way to renew the certs and they expired in 3 months. Happily they’ve added a simple renewal command which mostly worked. The first time I ran it I got an error “DNS problem: query timed out looking up CAA” but I just ran it a second time and it worked.

Happily the certificate renewal didn’t touch my Apache config at all, just updated the certificate.

I took the opportunity to fix some redirects in the SSL version of my site config so they redirected to https://, not http://. I’m further regretting the way I have two versions of my Apache config, some 90 lines of complicated redirects and crap now duplicated. And now edited a tiny bit, to preserve SSL. I should refactor all that but IIRC it’s complicated.

I’m a little scared to have enabled SSL without fully committing to it. I suspect Google will start preferentially serving the SSL links, so what happens if I forget to update the letsencrypt certs? So far Google isn’t serving the SSL links though; I wonder if my siteindex URLs (no https) override their preference for SSL.

One thought on “letsencrypt renewal”

  1. For working with letsencrypt certificates, I would suggest taking a look at acmetool (https://github.com/hlandau/acme). It’s a single binary, supports a number of different configurations and specifically for your requirement, installs a cronjob that will automatically renew certificates (and reload the web server) when the certificate is 2/3rds of the way through the validity period.
