How to renew Lets-encrypt Certificate in Nginx
Lets-encrypt SSL is a great way to secure websites as they are free of cost.
But, it comes with the overhead of frequent renewals, that is, every 3 months.
And even a small mistake in the timely renewal of Lets-encrypt certificate can cause serious downtime for the website.
At Bobcares, we help Web Hosting providers to automate this Lets-encrypt SSL renewal as part of our Outsourced Tech Support services.
Today, we’ll discuss the steps to renew Lets-encrypt SSL on Nginx server.
How to renew Lets-encrypt certificate on Nginx ?
Lets-encrypt provides a client called “Certbot” that can automatically add and configure certificates for domains. Certbot has an Nginx plugin that specifically works for Nginx web server.
The exact command for certbot installation largely depends on the operating system used by the server.
For example, in an Ubuntu server, to install certbot, the command would be :
sudo apt-get install python-certbot-nginx
The certbot package automatically adds a certificate renewal script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that’s within thirty days of expiration.
Common failure points in certificate renewal
Though the setup of Certbot is pretty straight-forward, we’ve seen that the automated renewal of the certificates using certbot can fail due to many reasons.
Let’s discuss these scenarios in detail.
1. Bad DNS
For the proper renewal of ssl certificate, the domain should resolve properly to the hosting server. If the dns records point to a different IP address, the renewal request fails with the error :
Automatic Let's Encrypt renewal for market.xyzwebhost.com was attempted and failed. This certificate expires on 2017-12-11 22:35:00 -0600 CST. Unable to renew certificate: Updating challenge for market.xyzwebhost.com: acme: error code 400 "urn:ietf:params:acme:error:dns": DNS problem: SERVFAIL looking up CAA for xyzwebhost.com (order URL:https://acme-v02.api.letsencrypt.org/acme/order/40xxx/148xxx198)
Here, our Hosting Support Engineers corrected the dns records for the domain and pointed it to the server. When the new dns records propagated all over the internet, the renewal of SSL worked fine.
2. Duplicate entries in Nginx conf
Upon the installation of Certbot, it automatically adds entries related to Web server port, certificate path etc. to the Nginx configuration file. And if there are duplicate entries, the restart of Nginx will fail. This causes website downtime.
In one of the VPS servers that we manage, we saw that the Certbot added a duplicate “Listen” option. This caused Nginx to fail upon a certificate renewal attempt.
Our Hosting Support Specialists analyzed the Nginx logs and corrected the duplicate entries in the configuration file. Then the certificate renewal worked fine.
3. Broken Symlinks
Nginx configuration for each domain has certain symlinks or soft link files that contains a reference to another file or directory.
For the proper working of Lets-encrypt certificates, it is necessary to ensure correct permissions of the symlinks, files and folders related to Nginx configuration.
When there is a mismatch, Certbot will not be able to read the files and that will result in error.
For example, we got a recent Help-desk request related to Lets-encrypt certificate set up. The error said:
Saving debug log to /var/log/letsencrypt/letsencrypt.log Could not open file: /etc/nginx/sites-enabled/domain.com
Here, Certbot was not able to read the configuration file for domain.com.
Our Engineers checked the permissions of files and folders under
/etc/nginx/. But it all looked good.
On further analysis of the error logs, we identified that the broken symlinks in “sites-enabled” folder was causing the problem. We recreated the symlinks and then Lets-encrypt certificate setup worked perfectly.
Certbot is a great utility to renew Lets-encrypt certificate on Nginx server. Today, we saw the top reasons on why the certificate renewal fails and how our Hosting Support Engineers fix them.