ICT: Diary

Based on notaweblog.php by joshua stein

Wednesday, 30 August 2017

SSL Certificate Expiry

So having gone HTTPS everywhere - I let my certificate expire…

Using acme-client to renew the certificate:

    doas acme-client -Fv schoolio.co.uk

which was successful on the third attempt; my SSL certificate is now valid until 28 November 2017. Each failed attempt gave the following error:


acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid", "error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid response from http://www.schoolio.co.uk/.well-known/acme-challenge/xxx: \"\r\n\r\n404 Not Found\r\n\"", "status": 403 }, "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xxx", "token": "xxx", "keyAuthorization": "xxx", "validationRecord": [ { "url": "https://www.schoolio.co.uk/.well-known/acme-challenge/xxx", "hostname": "www.schoolio.co.uk", "port": "443", "addressesResolved": [ "46.235.226.153" ], "addressUsed": "46.235.226.153", "addressesTried": [] }, { "url": "http://www.schoolio.co.uk/.well-known/acme-challenge/xxx", "hostname": "www.schoolio.co.uk", "port": "80", "addressesResolved": [ "46.235.226.153" ], "addressUsed": "46.235.226.153", "addressesTried": [] } ] }] (1475 bytes)

It is worth remembering that Let's Encrypt is rate limited, so you want to avoid too many errors or you get locked out for a period of time.

Getting it working involved disabling the ssl redirect in my nginx.conf, and then restarting nginx. Once the certificate was updated I reverted the changes to nginx.

I need to work out how to automate the certificate renewal - preferably using SSL, so that I don't need to play with nginx.conf. The plan is to test using a Raspberry Pi 3, although that is running OpenBSD's httpd rather than nginx.
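
One way to avoid editing nginx.conf at each renewal is to exempt only the challenge path from the HTTPS redirect. This is an added example, not the configuration from this site; the server block layout and the challenge directory path are assumptions.

```nginx
# Constructed example, not the site's real nginx.conf.
server {
    listen 80;
    server_name schoolio.co.uk www.schoolio.co.uk;

    # http-01 validation fetches /.well-known/acme-challenge/<token> over
    # plain HTTP. "^~" makes this prefix location win over regex locations.
    location ^~ /.well-known/acme-challenge/ {
        # Assumption: acme-client writes tokens to its default challenge
        # directory, /var/www/acme. If nginx runs chrooted to /var/www,
        # the path seen by nginx is /acme/ instead.
        alias /var/www/acme/;
        default_type text/plain;
    }

    # Everything else is still redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Check the file with `nginx -t` before reloading; once the challenge path is served on port 80 the renewal command can run from cron with the redirect left in place.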

letsencrypt acme ssl


$Id: dates.htm,v 1.1014 2017/11/09 22:32:36 fred Exp $

$Id: diary,v 1.27 2017/09/01 17:12:44 fred Exp $