It was time for my SSL certificate renewal, which I blogged about creating here.  At the end of that blog, the dry-run had worked fine, so I wasn’t expecting any issues with the renewal.  Expectations are not always reality though…

Since creating the SSL certificates, I’d added a few more services to my reverse proxy, as I’d moved from using Plex to Emby and wanted to tidy a few other things up that were connecting to my server outside the reverse proxy.  It kind of made sense to have everything coming into one place which should then make it easier to harden the access at that single point.

Adding the new certificates had been simple enough, especially having the blog to refer back to!  I’d then spent some time using the Qualys SSL Labs site to test things and make sure everything was running as securely as possible.  When I started, I was only achieving a score of B, but after some tweaks to the NGINX configuration files and a few changes to the DNS zones in my hosting provider’s web UI I’d managed to get things up to an A+ 🙂

Before this, I had 2 nginx.conf files for each service – one for port 80 (HTTP) and another for port 443 (HTTPS).  During the process, I’d consolidated into a single nginx.conf file per service, which redirected any traffic on port 80 to the secure port 443, by adding the server block below:

server {
    listen 80;
    # Send every plain-HTTP request to HTTPS, keeping the original host and path
    return 301 https://$host$request_uri;
}

Pretty easy, and it worked well, removing some of the unnecessary complexity with my reverse proxy.  What I’d forgotten to do was add the location for the .well-known folder to the 443 configuration files, so the dry run failed for all of the certificates.  After some trial and error, as I didn’t spot this straight away, it was eventually just a case of adding this back in at the end of the server block.
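For anyone hitting the same dry-run failure, this is what a consolidated per-service file looks like with the ACME challenge location put back.  It is an added example, not the config from the original post: the hostname service.domain.co.uk, the webroot /usr/local/www/letsencrypt (the directory you would pass to certbot’s --webroot -w) and the Emby backend on 127.0.0.1:8096 are all assumptions, and the certificate paths just follow the /usr/local/etc/letsencrypt layout used elsewhere in this post.

```nginx
# Added example, not the original post's config.
# Assumptions: hostname service.domain.co.uk, webroot /usr/local/www/letsencrypt
# (what "certbot certonly --webroot -w ..." writes challenge files into), and an
# Emby backend listening on 127.0.0.1:8096.

server {
    listen 80;
    server_name service.domain.co.uk;

    # Serve HTTP-01 challenges straight from the webroot on port 80 so renewal
    # works even if the redirect below is ever changed. "^~" stops any regex
    # location (e.g. for static files) from stealing this path.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/local/www/letsencrypt;
        default_type text/plain;
    }

    # Everything else goes to HTTPS, keeping host and path.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name service.domain.co.uk;

    ssl_certificate     /usr/local/etc/letsencrypt/live/service.domain.co.uk/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/service.domain.co.uk/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # HSTS is one of the usual requirements for an SSL Labs A+.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # The block the post describes as missing: Let's Encrypt follows the 301
    # from port 80 to HTTPS, so the challenge path has to exist here too,
    # otherwise the request falls through to the proxied application.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/local/www/letsencrypt;
        default_type text/plain;
    }

    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

A quick check before running certbot: request http://service.domain.co.uk/.well-known/acme-challenge/anything with curl and confirm you get a plain nginx 404 (the file is missing from the webroot) rather than a response from Emby or your application’s login page; then `certbot renew --dry-run` should pass for that name.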

The dry run then worked fine, apart from the certificate for the service I’d taken offline (my old WordPress server).  Before running the real renewal I needed to revoke this certificate and then delete it, using the following commands:

certbot revoke --cert-path /usr/local/etc/letsencrypt/live/service.domain.co.uk/cert.pem
certbot delete --cert-name service.domain.co.uk

After that, I ran certbot renew and 4 of the 6 certificates renewed.  The other 2 weren’t due for renewal.  So, assuming I don’t fiddle about with anything in the next month, they should renew with a single command.  Assuming they do, I’ll add the certbot renew command into a cron task and hopefully it will just work its magic as and when required.  Hopefully….