Changing a Let’s Encrypt Certificate’s Domains

Did you ever configure a piece of software or a service, spend a great deal of time doing so without documenting it, only to have to modify it in the future? Let's Encrypt is one of those pieces of software I had configured in the past and recently had to modify, then spent an inordinate amount of time trying to figure out my initial configuration. This post is an attempt to piece together and document what is needed to update the domains in my Let's Encrypt certificate.

Modifying Let’s Encrypt Certificate to include additional domains:

Recently, the Let’s Encrypt Certificate for my web site required modification to include an additional domain. When the certificate was created, the “standalone” mode was used as opposed to the “webroot” method. I chose the “standalone” mode as a personal preference during the initial certificate creation.

To use the "standalone" mode for creating, renewing, or modifying a certificate, the web server software needs to be stopped so the standalone plugin can bind to port 80 in order to perform domain validation. In fact, not stopping my web server software, Apache in my case, was the reason I was receiving a domain validation error when attempting to update my certificate. To modify the domains in the Let's Encrypt certificate, the following commands were used:

# service apache24 stop
# certbot certonly --cert-name example.org -d example.org,www.example.org
# service apache24 start

Note: After entering the certbot command above, the program will ask whether you wish to spin up a temporary web server (standalone) or place files in the webroot directory (webroot). Use the same method you used when you first created the original certificate. In my case, it was standalone. Also note that the domain list given to -d is comma separated with no spaces; a space after the comma makes certbot treat the second name as a separate, unrecognized argument.

Of course, I’m using FreeBSD as my operating system and example.org is not my domain. Please substitute your own commands to stop your web server software and domain names.

Updating Let’s Encrypt Certificates using cron in FreeBSD:

The realization that the Apache web server had to be stopped came after I decided to verify how I update my certificate using cron:

10     0,20       *      *      *      certbot renew --pre-hook "service apache24 stop" --post-hook "service apache24 start" >> /var/log/letsencrypt.log

The above was added to this post as my documentation for the cron job! Your cron job may differ depending on your operating system used.
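The two procedures above (the one-off domain change and the cron renewal with pre/post hooks) share the same moving parts: free port 80, run certbot, bring Apache back up, and make sure the new certificate actually lists every name. The script below is an added example, not the author's own, that ties them together; it assumes FreeBSD's service name apache24, certbot's --standalone flag, and the FreeBSD certbot live directory /usr/local/etc/letsencrypt, and the domain names are placeholders.

```shell
#!/bin/sh
# Added example: update a certbot certificate's domain list in standalone
# mode, restart Apache even if certbot fails, then verify the issued
# certificate carries every requested name. Assumed: FreeBSD `service
# apache24`, certbot --standalone/--cert-name/-d, and the live directory
# /usr/local/etc/letsencrypt (FreeBSD pkg default). Domains are placeholders.

# Turn "example.org, www.example.org" (commas, spaces, or both) into repeated
# -d flags, so a stray space after a comma cannot split the list into a
# separate positional argument that certbot rejects.
build_domain_args() {
    printf '%s' "$1" | tr ', ' '\n\n' | awk 'NF { printf "-d %s ", $1 }' | sed 's/ $//'
}

# Print the names in $2 (comma or space separated) that are absent from the
# subjectAltName text in $1 ("DNS:a.example, DNS:b.example").
# Empty output means every requested name is present.
missing_sans() {
    norm=",$(printf '%s' "$1" | tr -d ' '),"
    for name in $(printf '%s' "$2" | tr ',' ' '); do
        case "$norm" in
            *",DNS:$name,"*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Read the SAN extension from a PEM certificate and report missing names
# (non-zero exit if any are missing, or the file cannot be parsed).
check_cert_sans() {
    san=$(openssl x509 -in "$1" -noout -text 2>/dev/null |
          awk '/Subject Alternative Name/ { getline; print; exit }')
    [ -n "$san" ] || { echo "no SAN extension read from $1" >&2; return 2; }
    missing=$(missing_sans "$san" "$2")
    [ -z "$missing" ] || { echo "certificate lacks: $missing" >&2; return 1; }
}

# Same stop/run/start sequence as the cron job's pre- and post-hooks, but the
# trap guarantees Apache comes back even when certbot exits with an error.
update_domains() {
    cert_name="$1"; domains="$2"
    service apache24 stop
    trap 'service apache24 start' EXIT
    # Word splitting of the generated -d flags is intentional here.
    certbot certonly --standalone --cert-name "$cert_name" $(build_domain_args "$domains") || return 1
    check_cert_sans "/usr/local/etc/letsencrypt/live/$cert_name/fullchain.pem" "$domains"
}

# Usage: ./update-cert.sh --run example.org "example.org, www.example.org"
if [ "${1:-}" = "--run" ]; then update_domains "$2" "$3"; fi
```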

Summary:

The best advice I can give to anyone involved in DevOps is to document your procedures, software configurations, and hardware diagrams; otherwise you will spend an inordinate amount of time trying to understand what you did months or years before. In my case, it was simply stopping the Apache web service before updating the domains in my Let's Encrypt certificate using the certbot utility!

Additional Resources:

https://letsencrypt.org

https://certbot.eff.org
