Questions tagged [ssl-certificate-renewal]

The process of issuing a new certificate with existing public and private keys. Common reasons for this are: extending its validity, changing thumbprint hash algorithm or even changing content (common name (CN) or subject alternative name (SAN)).

28 questions
8
votes
3 answers

Does order of lines matter in Nginx?

I have a server file like this server { listen 80; server_name subdomain.example.com; return 301 https://$server_name$request_uri; location /.well-known/acme-challenge { root /var/www/letsencrypt; } } Now when I try sudo letsencrypt…
Saras Arya
5
votes
2 answers

How to bundle intermediate certs into one file

I manage an apache web server for a government site. The SSL cert will expire in a few weeks so they sent me a zip file with 3 intermediate certs and the ssl certificate (I have the private key from the csr generator and the crt file provided by…
BioRod
2
votes
0 answers

How to easily renew PFX certificate?

I am using IIS 10 with a variety of SSL certificates installed and bound with SNI. I now need to renew a wildcard PFX certificate. I would normally import the new file and manually rebind each site to use the new certificate before deleting the old…
userSteve
2
votes
1 answer

ssl-cert-check is not getting the correct expiry dates for Let's Encrypt certificates

I'm using ssl-cert-check to track a list of my domains' certificates. In my crontab I set it to run quietly and email me expiring domains, but the command that I'm using to debug is: ssl-cert-check -f ssldomains.txt -x 21 -i It is correctly reading…
Andy
1
vote
2 answers

Duration to provision a new TLS certificate on GCP HTTPS-Load-Balancer?

What's the expected duration to provision/finish serving an updated TLS certificate (called "SSL certificate resource" in GCE) for the target HTTPS proxy (part of the GCP HTTPS-Load-Balancer)? Is it documented somewhere? My test below reveals: GCP…
1
vote
1 answer

How must replacement files for a reissued SSL certificate be specified in the VirtualHost configuration file?

Environment : Linux 4.4.0-77-generic , Ubuntu 16.04.2 LTS with Apache 2 ( Apache/2.4.18 (Ubuntu)) Here is the situation : I had an SSL certificate for domains without www in them. Basically I thought www.domain-name.com and domain-name.com were…
1
vote
1 answer

When using Let's Encrypt certbot, how do I restart/reload a network service only once and only if the certificate was actually renewed?

The certbot command provides two hooks that run after automated renewals, from the docs: --post-hook POST_HOOK Command to be run in a shell after attempting to obtain/renew certificates. Can be used to…
Walf
1
vote
1 answer

Is .well-known/acme-challenge ever needed after the initial domain fingerprinting?

I understand the initial challenge-response pattern when using Let's Encrypt, but I noticed that when testing renewals, no GET requests were hitting .well-known/acme-challenge. Once the domain/account keys are set up, does renewal ever have to touch…
1
vote
1 answer

Online Kubernetes (kubeadm) control plane certificate renewal

kubeadm creates certificates for the Kubernetes control plane that are valid for one year. They will be renewed on every Kubernetes upgrade. Since it is definitely a good idea to update a Kubernetes cluster at least once per year, this should lead…
Stephan
0
votes
1 answer

How to update expired ssl certificate on server with key-pinning (hpkp)

On a server with the nginx web server, the ssl section was set up with key-pinning: add_header Public-Key-Pins 'pin-sha256="some-key"; pin-sha256="second-key"; max-age=5184000;' always; Now the certificate is expired and was reissued; I generate a new base64…
0
votes
1 answer

Can certbot renew --dry-run result in a false positive?

If I run certbot renew --dry-run and make no further changes to my Nginx configuration, am I guaranteed that certbot renew will succeed 90 days later? In other words, can the result be a false positive? If so, should I rather run certbot renew…
lofidevops
0
votes
2 answers

Let's Encrypt nginx server tls-sni-01 challenge

I have a domain, let's say domain.com. This domain was registered with Go Daddy and, using the Go Daddy dashboard, I point the domain to a certain IP, let's say 1.2.3.4. This IP, 1.2.3.4, belongs to an AWS EC2 instance. The machine runs Ubuntu and…
0
votes
0 answers

Error renewing SSL certificate with certbot

root@nl6g:~# sudo certbot --nginx -d cienciadelgaza.com -d www.cienciadelgaza.com Saving debug log to /var/log/letsencrypt/letsencrypt.log Cert is due for renewal, auto-renewing... Renewing an existing certificate Performing the following…
0
votes
2 answers

Can I use Certbot to add a Let's Encrypt certificate as a stop gap between yearly renewals?

I had an SSL certificate expire over the weekend, the client had missed the renewal email, and obviously they were not happy their site was displaying SSL warnings. As I've been using Let's Encrypt on a number of sites now, I wondered if I could use…
0
votes
1 answer

Browser still seeing/using old NGINX SSL cert

I just got a new SSL cert for a domain which was previously covered by a wildcard SSL cert. It's been over a week since it's been installed and about 99% of my users aren't having an issue. There are now just the one or two (that I know about) which get a…