Wednesday, November 06, 2019

6.5 amd64: Modify existing certbot certificates.

Hi,

It's been quite some time eh. As you can see, I still upgrade my OpenBSD system regularly but currently I do not have the time to write another blog post. So, here I am.

My 6.5 server have Let's Encrypt certificate which I have multiple subdomains in it. This OpenBSD system have Nginx which act as a HTTPS reverse proxy to Docker host backend.

[Router] <--https--> [OpenBSD] <--http--> [Docker]

 For this example I'm replacing the subdomains with generic names. First, I check my existing SSL certificate.

$ doas certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: domain.my
    Domains: domain.my www.domain.my 123.domain.my 456.domain.my
    Expiry Date: 2019-12-11 09:35:47+00:00 (VALID: 34 days)
    Certificate Path: /etc/letsencrypt/live/domain.my/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/domain.my/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


Great. I still have a valid certificate. What I'm planning to do is to remove these subdomains:

1) 123.domain.my
2) 456.domain.my

Then add 2 new subdomains:

1) abc.domain.my
2) def.domain.my

As I'm using Nginx to serve the certificate, I stopped my Nginx, preparing for the certificate modification.

$ doas rcctl stop nginx

Then I proceed to request for certificate modification using certbot. Take note the value of the previous "Certificate Name" as it's needed to properly modify existing cert.

$ doas certbot certonly --cert-name domain.my -d domain.my,www.domain.my,abd.domain.my,def.domain.my

After I run the command, the prompt to select the option I can use to authenticate my server. For this one, I opted to spin up temporary standalone webserver (option 1)

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None


Next certbot is showing me the changes that will be made. I then choose "U" to update the cert.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate domain.my to include new domain(s):
+ abc.domain.my
+ def.domain.my

You are also removing previously included domain(s):
- 123.domain.my
- 456.domain.my

Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel: u

Renewing an existing certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domain.my/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domain.my/privkey.pem
   Your cert will expire on 2020-02-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


And it's done! So easy. Take note that I did not use " --expand " on the command.

If you did not include " --cert-name CERT_NAME" in your command, certbot will create another certificate and you might get additional certificate name with "-0001". Such as "domain.my-0001" and you will end up with 2 separate certificate instead.

That's all. Until next post!

Ref: https://certbot.eff.org/docs/using.html#renewing-certificates

No comments:

6.5 amd64: Modify existing certbot certificates.

Hi, It's been quite some time eh. As you can see, I still upgrade my OpenBSD system regularly but currently I do not have the time to ...