If you followed along with my series of blog posts on the Best and Cheapest Oracle APEX hosting: Free Oracle Cloud, you have most likely received an email from Let's Encrypt saying that your certificate is due for renewal.
To check your certificate, go to your site in a browser and click on the lock:
Yep, corresponds to the email, in 10 days my certificate will expire.
Let's get this fixed! So connect with ssh to your Compute instance (see the previous post in the series if you forgot those commands).
When I connect to my machines I typically first run yum update to get the latest packages installed so we are current with security patches, or just, in general, keep up with the latest software.
sudo su (to become root)
yum update
Time to renew our certificate. It's very easy to do; just run:
certbot certonly
Ha! Apparently not so simple after all?! We got an error. This might happen when packages are incompatible. Normally yum should take care of that, but as we installed Certbot with Pip, let's upgrade all those components too.
pip install -U pip
As the above error indicates an issue with cryptography, I will update that too.
pip install cryptography --upgrade
Now, let's try to renew our certificate again:
certbot certonly
and type your domain name(s):
Cool, that worked... your certificate is now updated.
To get the new certificate active we restart the webserver (after testing if all is ok):
nginx -t
nginx -s reload
Finally, we check the certificate in a browser to see if the new one is there:
All done, time to relax again for a couple of months.
Update: Morten asked why not automate the renewal:
It's a great comment! When you look at the Certbot instructions, it actually gives you the steps to auto-renew, so you might have already done that. I actually have this running on some of our servers, but I didn't include this step in my initial blog post when we configured the webserver.
So, in case you didn't set up the automatic renewal, or the automatic renewal failed, you have the steps above to fix it.
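A scripted version of the steps above, as an added example that is not part of the original post: it checks the certificate file's expiry with openssl, runs certbot renew when it is due, confirms the file on disk is actually newer, and reloads nginx only if nginx -t passes. The certificate path, the example.com domain and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: certbot's usual live directory, a placeholder domain, a 30-day threshold.
CERT="${CERT:-/etc/letsencrypt/live/example.com/fullchain.pem}"
THRESHOLD_DAYS="${THRESHOLD_DAYS:-30}"

# Exit status 0 when the certificate file $1 expires within $2 days.
expires_within() {
    # -checkend N succeeds only if the cert is still valid N seconds from now
    if openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Renew when due, then reload nginx only if its configuration test passes.
# Returns 0 = nothing to do or renewed, 1 = renewal/reload failed, 2 = cert unreadable.
renew_if_due() {
    if [ ! -r "$1" ]; then
        echo "cannot read certificate: $1" >&2
        return 2
    fi
    if ! expires_within "$1" "$2"; then
        echo "certificate valid for more than $2 days, nothing to do"
        return 0
    fi
    certbot renew --quiet || { echo "certbot renew failed" >&2; return 1; }
    # A renewal that did nothing (e.g. broken Python packages) leaves the old file in place
    if expires_within "$1" "$2"; then
        echo "certificate still expires within $2 days after renewal" >&2
        return 1
    fi
    nginx -t && nginx -s reload || return 1
}

# Run only when asked, e.g. from root's crontab: <this script> run
if [ "${1:-}" = "run" ]; then
    renew_if_due "$CERT" "$THRESHOLD_DAYS"
fi
```

A non-zero exit status makes cron mail the error output, so a failed automatic renewal is noticed before the certificate expires.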
Hi Dimitri
I encountered the same error when trying to run the "certbot certonly --nginx" command.
Once I ran "scl enable python27 bash" (from your prior webserver installation post) and tried again everything worked.
Started looking at permanently enabling an scl, which makes me think it would be better to remove and reinstall certbot using Tim Hall's letsencrypt instructions, which mention resolving problems when running the certbot command.
What do you think?
Sure Mark, whatever works for you.
I find that a lot depends on releases of Linux and which packages you have if certbot works for you.
The commands I put in my post are what worked for me.
Dimitri
Hi Dimitri,
Your fix did not work. Still got python errors. This one worked for me:
pip uninstall requests
yum reinstall python-requests
pip uninstall six
yum reinstall python-six
pip uninstall urllib3
yum reinstall python-urllib3
Thanks for the blog post!
My VM somehow does an automatic update, so every time I use certbot I get Python errors. I ended up installing Python 3 and pip libraries.
See this link for more info on that. Hope it's useful for someone.
https://yum.oracle.com/oracle-linux-python.html
If you have an issue with renewing on your VM: here's another guide: https://blogs.oracle.com/developers/free-ssl-certificates-in-the-oracle-cloud-using-certbot-and-lets-encrypt
Thank you Dimitri! That works!
I had to pass the following command:
pip install certbot-nginx --upgrade
Otherwise, I get the following error:
AttributeError: 'module' object has no attribute 'TLSSNI01'
Update Oct 2020: For renewing, don't use the yum install.
Instead, install certbot-auto as described in https://oracle-base.com/articles/linux/letsencrypt-free-certificates-on-oracle-linux#installation
Update Oct 2020: don't use Yum install but install certbot-auto as described in the following post:
https://oracle-base.com/articles/linux/letsencrypt-free-certificates-on-oracle-linux#installation