Tuesday, December 10, 2019

Free Oracle Cloud: 16. Renewing Let's Encrypt certificate

If you followed along with my series of blog posts on the Best and Cheapest Oracle APEX hosting: Free Oracle Cloud, you will most likely have received an email from Let's Encrypt saying that your certificate is due for renewal.

To check your certificate, go to your site in a browser and click on the lock:

Yep, corresponds to the email, in 10 days my certificate will expire.

Let's get this fixed! So connect with ssh to your Compute instance (see the previous post in the series if you forgot those commands).

When I connect to my machines I typically first run yum update to get the latest packages installed, so we are current with security patches and, more generally, keep up with the latest software.

sudo su (to become root)
yum update

Time to renew our certificate. It's very easy to do; just run:

certbot certonly

Ha! Apparently not so simple after all?! We got an error. This might happen when packages are incompatible. Normally yum should take care of that, but as we installed Certbot with Pip, let's upgrade all those components too.

pip install -U pip

As the above error indicates an issue with cryptography, I will update that too.

pip install cryptography --upgrade

Now, let's try to renew our certificate again:

certbot certonly

and type your domain name(s):

Cool, that worked... your certificate is now updated.

To get the new certificate active we restart the webserver (after testing if all is ok):

nginx -t
nginx -s reload

Finally, we check the certificate in a browser to see if the new one is there:

All done, time to relax again for a couple of months.

Update: Morten asked why not automate the renewal:

It's a great comment! When you look at the Certbot instructions, it actually gives you the steps to auto-renew, so you might have already done that. I actually have this running on some of our servers, but I didn't include this step in my initial blog post when we configured the webserver.
So, in case you didn't set up the automatic renewal, or the automatic renewal failed, you have the steps above to fix it.
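
The post checks the expiry date by clicking the lock in the browser; the same check can be scripted so that a failed automatic renewal is noticed in time. The script below is an added example, not part of the original post: it assumes GNU date and the openssl command-line tool, and the function names, host name and 14-day threshold are illustrative.

```bash
#!/bin/sh
# Added example, not from the original post. Assumes GNU date and the openssl
# CLI; the host name and the 14-day threshold are placeholders.

# Days remaining, from a line printed by `openssl x509 -noout -enddate`.
# $1 = "notAfter=..." line, $2 = "now" in epoch seconds (default: current time)
days_left() (
  case $1 in notAfter=?*) ;; *) exit 2 ;; esac   # reject empty or foreign input
  now=${2:-$(date +%s)}
  end=$(date -u -d "${1#notAfter=}" +%s 2>/dev/null) || exit 2
  diff=$((end - now))
  # Shell division truncates toward zero; shift so expired certs go negative.
  if [ "$diff" -lt 0 ]; then diff=$((diff - 86399)); fi
  echo $((diff / 86400))
)

# Expiry date of the certificate the server actually presents. Checking the
# served certificate rather than the file on disk also catches a renewal that
# was never followed by "nginx -s reload".
served_enddate() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -enddate 2>/dev/null
}

# Prints "OK n", "RENEW n", "EXPIRED n" or "UNKNOWN"; exit status 0, 1, 2 or 3.
# $1 = notAfter line, $2 = warning threshold in days, $3 = optional "now"
cert_status() (
  days=$(days_left "$1" "$3") || { echo "UNKNOWN"; exit 3; }
  if [ "$days" -lt 0 ]; then echo "EXPIRED $days"; exit 2; fi
  if [ "$days" -lt "$2" ]; then echo "RENEW $days"; exit 1; fi
  echo "OK $days"
)

# Usage: sh check-cert.sh example.com 14
if [ $# -ge 1 ]; then
  cert_status "$(served_enddate "$1")" "${2:-14}"
fi
```

Run from cron, the non-zero exit status can drive a notification whenever the served certificate drops below the threshold.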


Mark Lancaster said...

Hi Dimitri

I encountered the same error when trying to run the "certbot certonly --nginx" command.
Once I ran "scl enable python27 bash" (from your prior webserver installation post) and tried again everything worked.

Started looking at permanently enabling an scl, which makes me think it would be better to remove and reinstall certbot using Tim Hall's letsencrypt instructions, which mention resolving problems when running the certbot command.

What do you think?

Dimitri Gielis said...

Sure Mark, whatever works for you.

I find that a lot depends on releases of Linux and which packages you have if certbot works for you.
The commands I put in my post are what worked for me.


Daniel Huha said...

Nico Klaver said...

Hi Dimitri,
Your fix did not work. Still got python errors. This one worked for me:
pip uninstall requests
yum reinstall python-requests

pip uninstall six
yum reinstall python-six

pip uninstall urllib3
yum reinstall python-urllib3

Alan Arentsen said...

Thanks for the blog post!

My VM somehow does an automatic update, so every time I use certbot I get Python errors. I ended up installing Python 3 and pip libraries.

See this link for more info on that. Hope it's useful for someone.


Dimitri Gielis said...

If you have an issue with renewing on your VM: here's another guide: https://blogs.oracle.com/developers/free-ssl-certificates-in-the-oracle-cloud-using-certbot-and-lets-encrypt

Patrick Monaco said...

Thank you Dimitri! That works!
I had to pass the following command:
pip install certbot-nginx --upgrade
(otherwise, I get the following error:
AttributeError: 'module' object has no attribute 'TLSSNI01')

Patrick Monaco said...

Update Oct 2020: For renewing, don't use the yum install.
Instead, install certbot-auto as described in https://oracle-base.com/articles/linux/letsencrypt-free-certificates-on-oracle-linux#installation

Patrick Monaco said...

update oct 2020: don't use Yum install but install certbot-auto as described in the following post: