Let's Encrypt forced renewal - 2020.02.29 CAA Rechecking Bug

Discussion in 'ISPConfig 3 Priority Support' started by JOP, Mar 4, 2020.

  1. JOP

    JOP New Member HowtoForge Supporter

    how to renew affected certificates in ispconfig?
    Have to work till tomorrow.
     
  2. SupuS

    SupuS Member HowtoForge Supporter

    Hi,
    if you are use certbot so you can upgrade certbot to latest version by using:
    Code:
    /opt/certbot/certbot-auto
    and than force renew all certificate with command:
    Code:
    /opt/certbot/certbot-auto renew --force-renewal
    After renewal you have to restart web server to load new certificates.
    I don't know if is it proper way but it works for me.
     
    Last edited: Mar 4, 2020
    elmacus and JOP like this.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    That's the right way.
     
  4. Christophe69

    Christophe69 Member HowtoForge Supporter

    Hi!
    I had the same problem for only one of my certificates which was concerned by the Let's Encrypt problem today.

    I tried to renew the certificate by unchecking and rechecking SSL/LE in ISPConfig but the certificate refused the renewal because of "Cert not yet due for renewal - Keeping the existing certificate".

    So here is what i've done to force renewal of the certificate:
    1- Uncheck LE for the domain in ISPConfig.
    2- Remove the directory of the domain in "/etc/letsencrypt/live".
    3- Recheck LE for the domain.

    And it works! :)
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    The email from LE contained instructions which work fine on ISPConfig servers, so running:

    certbot-auto renew --force-renewal

    as described in the LE mail is sufficient, in case that certot is not in the oath on your systen, you'll have to use the full path to the certbot command.
     
    Christophe69 likes this.
  6. Christophe69

    Christophe69 Member HowtoForge Supporter

    Yes. I was a bit confuse because I dit not receive the mail personaly (I am not the owner of the certificates) and I was not sure if the command "certbot-auto renew --force-renewal" was necessary to renew only one certificate. But if you say using this command is the right way, this is the right way :).
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The command actually renews all certs, so it's a bit much indeed. I just wanted to mention that it would be totally fine as well to just do what LE recommends.
     
    Christophe69 likes this.
  8. JOP

    JOP New Member HowtoForge Supporter

    thank you for your support. Instructions worked well, upgraded certbot from v1.0 to v1.3 worked perfect.
    /opt/certbot/certbot-auto

    Curiously ISPConfig on CentOS 7 seemed to do some job for me. Contrary to the announcement of Let's encrypt all objected domains work fine till now, without manual renewal. Anyway, if things change I'll be ready.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    LE decided to not shut down certs now that are actively in use as webserver ssl certs.
     
    elmacus and JOP like this.
  10. JOP

    JOP New Member HowtoForge Supporter

    good to know, thank's.
     

Share This Page