{"id":20688,"date":"2017-11-10T19:09:10","date_gmt":"2017-11-10T19:09:10","guid":{"rendered":"https:\/\/home.apeconsulting.co.uk\/adrian\/?p=20688"},"modified":"2017-11-10T19:11:18","modified_gmt":"2017-11-10T19:11:18","slug":"ssl-renewal","status":"publish","type":"post","link":"https:\/\/home.apeconsulting.co.uk\/adrian\/ssl-renewal\/","title":{"rendered":"SSL Certificate Renewal"},"content":{"rendered":"

It was time for my SSL certificate renewal, which I blogged about creating here<\/a>. \u00a0At the end of that blog, the dry-run had worked fine, so I wasn’t expecting any issues with the renewal. \u00a0Expectations are not always reality though…<\/p>\n

Since creating the SSL certificates, I’d added a few more services to my reverse proxy, as I’d moved from using Plex to Emby<\/a> and wanted to tidy a few other things up that were connecting to my server outside the reverse proxy. \u00a0It kind of made sense to have everything coming into one place which should then\u00a0make it easier to harden the access at that single point.<\/p>\n

Adding the new certificates had been simple enough,\u00a0especially having the blog to refer back too! \u00a0I’d then spent some time using the Qualys, Inc. SSL Labs<\/a>\u00a0site to test things and make sure everything was running as securely as possible. \u00a0When I started, I was only achieving a score of B, but after some tweaks to the NGINX configuration files and a few changes to the DNS Zones in my hosting provider’s Web UI I’d managed to get things up to an A+\u00a0\ud83d\ude42<\/p>\n

Before this, I had 2 nginx.conf files for each service – one for port 80 (HTTP) and another for port 443 (HTTPS). \u00a0During the process, I’d consolidated into a single nginx.conf file per service, which redirected any traffic on port 80 to the secure port 443, by adding the server block below:<\/p>\n

server { \r\n<\/span>   listen 80; \r\n   return 301 https:\/\/$host$request_uri; \r\n} <\/span><\/pre>\n
Pretty easy, and it worked well, removing some of the unnecessary complexity with my reverse proxy. \u00a0What I’d forgotten to do was as the location for the .well_known folder into the 443 configuration files, so the dry run failed for all of the certificates. \u00a0After some trial and error, as I didn’t spot this straight away, it was eventually just a case of adding this back in at the end of the server block<\/p>\n
The dry run the worked fine, apart from the certificate for the service I’d taken offline (my old WordPress\u00a0server). \u00a0Before running I needed to revoke this and then delete using the following commands:<\/p>\n
certbot<\/span> revoke<\/span> --<\/span>cert<\/span>-<\/span>path<\/span> \/usr\/local\/<\/span>etc<\/span>\/<\/span>letsencrypt<\/span>\/<\/span>live<\/span>\/service.domain.co.uk<\/span>\/<\/span>cert<\/span>.<\/span>pem\r\n<\/span>certbot<\/span> delete<\/span> --<\/span>cert<\/span>-<\/span>name<\/span> service.domain.<\/span>co.uk<\/span><\/pre>\n
After that, I ran certbot renew and 4 of the 6 certificates renewed. \u00a0The other 2 weren’t due for renewal. \u00a0So assuming I don’t fiddle about with anything in the next month they should renew with a single command. \u00a0Assuming\u00a0they do, I’ll add the certbot renew command into a cron task and hopefully, it will just work it’s magic as and when required. \u00a0Hopefully….<\/p>\n","protected":false},"excerpt":{"rendered":"
It was time for my SSL certificate renewal, which I blogged about creating here. \u00a0At the end of that blog, the dry-run had worked fine, so I wasn’t expecting any issues with the renewal. \u00a0Expectations are not always reality though…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[2,9],"tags":[21],"class_list":["post-20688","post","type-post","status-publish","format-standard","hentry","category-it","category-server","tag-spellchecked"],"yoast_head":"\nSSL Certificate Renewal - Adrian's Blog<\/title>\n<meta name=\"description\" content=\"It was time to renew my SSL certificates. \u00a0In my previous blog, the dry-run had worked fine, so I wasn't expecting any issues. \u00a0Expectations are not always reality though...\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/home.apeconsulting.co.uk\/adrian\/ssl-renewal\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SSL Certificate Renewal - Adrian's Blog\" \/>\n<meta property=\"og:description\" content=\"It was time to renew my SSL certificates. \u00a0In my previous blog, the dry-run had worked fine, so I wasn't expecting any issues. \u00a0Expectations are not always reality though...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/home.apeconsulting.co.uk\/adrian\/ssl-renewal\/\" \/>\n<meta property=\"og:site_name\" content=\"Adrian's Blog\" \/>\n<meta property=\"article:published_time\" content=\"2017-11-10T19:09:10+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2017-11-10T19:11:18+00:00\" \/>\n<meta name=\"author\" content=\"Adrian\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Adrian\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/home.apeconsulting.co.uk\\\/adrian\\\/ssl-renewal\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/home.apeconsulting.co.uk\\\/adrian\\\/ssl-renewal\\\/\"},\"author\":{\"name\":\"Adrian\",\"@id\":\"https:\\\/\\\/home.apeconsulting.co.uk\\\/adrian\\\/#\\\/schema\\\/person\\\/f63f15ff50bb8f956afdd86a816c5d2a\"},\"headline\":\"SSL Certificate Renewal\",\"datePublished\":\"2017-11-10T19:09:10+00:00\",\"dateModified\":\"2017-11-10T19:11:18+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/home.apeconsulting.co.uk\\\/adrian\\\/ssl-renewal\\\/\"},\"wordCount\":429,\"commentCount\":1,\"publisher\":{\"@id\":\"https:\\\/\\\/home.apeconsulting.co.uk\\\/adrian\\\/#\\\/schema\\\/person\\\/f63f15ff50bb8f956afdd86a816c5d2a\"},\"keywords\":[\"Checked\"],\"articleSection\":[\"IT\",\"Server\"],\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/home.apeconsulting.co.uk\\\/adrian\\\/ssl-renewal\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/home.apeconsulting.co.uk\\\/adrian\\\/ssl-renewal\\\/\",\"url\":\"https:\\\/\\\/home.apeconsulting.co.uk\\\/adrian\\\/ssl-renewal\\\/\",\"name\":\"SSL Certificate Renewal - Adrian's Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/home.apeconsulting.co.uk\\\/adrian\\\/#website\"},\"datePublished\":\"2017-11-10T19:09:10+00:00\",\"dateModified\":\"2017-11-10T19:11:18+00:00\",\"description\":\"It was time to renew my SSL certificates. \u00a0In my previous blog, the dry-run had worked fine, so I wasn't expecting any issues. \u00a0Expectations are not always reality though...\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/home.apeconsulting.co.uk\\\/adrian\\\/ssl-renewal\\\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/home.apeconsulting.co.uk\\\/adrian\\\/ssl-renewal\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/home.apeconsulting.co.uk\\\/adrian\\\/ssl-renewal\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/home.apeconsulting.co.uk\\\/adrian\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SSL Certificate Renewal\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/home.apeconsulting.co.uk\\\/adrian\\\/#website\",\"url\":\"https:\\\/\\\/home.apeconsulting.co.uk\\\/adrian\\\/\",\"name\":\"Adrian's Blog\",\"description\":\"Ramblings of an IT Geek\",\"publisher\":{\"@id\":\"https:\\\/\\\/home.apeconsulting.co.uk\\\/adrian\\\/#\\\/schema\\\/person\\\/f63f15ff50bb8f956afdd86a816c5d2a\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/home.apeconsulting.co.uk\\\/adrian\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/home.apeconsulting.co.uk\\\/adrian\\\/#\\\/schema\\\/person\\\/f63f15ff50bb8f956afdd86a816c5d2a\",\"name\":\"Adrian\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/c2e5d9012573aedee25fd68deb071781d974af50ae74bf73aeb0e70433f7390c?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/c2e5d9012573aedee25fd68deb071781d974af50ae74bf73aeb0e70433f7390c?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/c2e5d9012573aedee25fd68deb071781d974af50ae74bf73aeb0e70433f7390c?s=96&d=mm&r=g\",\"caption\":\"Adrian\"},\"logo\":{\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/c2e5d9012573aedee25fd68deb071781d974af50ae74bf73aeb0e70433f7390c?s=96&d=mm&r=g\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"SSL Certificate Renewal - Adrian's Blog","description":"It was time to renew my SSL certificates. \u00a0In my previous blog, the dry-run had worked fine, so I wasn't expecting any issues. \u00a0Expectations are not always reality though...","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/home.apeconsulting.co.uk\/adrian\/ssl-renewal\/","og_locale":"en_GB","og_type":"article","og_title":"SSL Certificate Renewal - Adrian's Blog","og_description":"It was time to renew my SSL certificates. \u00a0In my previous blog, the dry-run had worked fine, so I wasn't expecting any issues. \u00a0Expectations are not always reality though...","og_url":"https:\/\/home.apeconsulting.co.uk\/adrian\/ssl-renewal\/","og_site_name":"Adrian's Blog","article_published_time":"2017-11-10T19:09:10+00:00","article_modified_time":"2017-11-10T19:11:18+00:00","author":"Adrian","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Adrian","Estimated reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/home.apeconsulting.co.uk\/adrian\/ssl-renewal\/#article","isPartOf":{"@id":"https:\/\/home.apeconsulting.co.uk\/adrian\/ssl-renewal\/"},"author":{"name":"Adrian","@id":"https:\/\/home.apeconsulting.co.uk\/adrian\/#\/schema\/person\/f63f15ff50bb8f956afdd86a816c5d2a"},"headline":"SSL Certificate Renewal","datePublished":"2017-11-10T19:09:10+00:00","dateModified":"2017-11-10T19:11:18+00:00","mainEntityOfPage":{"@id":"https:\/\/home.apeconsulting.co.uk\/adrian\/ssl-renewal\/"},"wordCount":429,"commentCount":1,"publisher":{"@id":"https:\/\/home.apeconsulting.co.uk\/adrian\/#\/schema\/person\/f63f15ff50bb8f956afdd86a816c5d2a"},"keywords":["Checked"],"articleSection":["IT","Server"],"inLanguage":"en-GB","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/home.apeconsulting.co.uk\/adrian\/ssl-renewal\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/home.apeconsulting.co.uk\/adrian\/ssl-renewal\/","url":"https:\/\/home.apeconsulting.co.uk\/adrian\/ssl-renewal\/","name":"SSL Certificate Renewal - Adrian's Blog","isPartOf":{"@id":"https:\/\/home.apeconsulting.co.uk\/adrian\/#website"},"datePublished":"2017-11-10T19:09:10+00:00","dateModified":"2017-11-10T19:11:18+00:00","description":"It was time to renew my SSL certificates. \u00a0In my previous blog, the dry-run had worked fine, so I wasn't expecting any issues. \u00a0Expectations are not always reality though...","breadcrumb":{"@id":"https:\/\/home.apeconsulting.co.uk\/adrian\/ssl-renewal\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/home.apeconsulting.co.uk\/adrian\/ssl-renewal\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/home.apeconsulting.co.uk\/adrian\/ssl-renewal\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/home.apeconsulting.co.uk\/adrian\/"},{"@type":"ListItem","position":2,"name":"SSL Certificate Renewal"}]},{"@type":"WebSite","@id":"https:\/\/home.apeconsulting.co.uk\/adrian\/#website","url":"https:\/\/home.apeconsulting.co.uk\/adrian\/","name":"Adrian's Blog","description":"Ramblings of an IT Geek","publisher":{"@id":"https:\/\/home.apeconsulting.co.uk\/adrian\/#\/schema\/person\/f63f15ff50bb8f956afdd86a816c5d2a"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/home.apeconsulting.co.uk\/adrian\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":["Person","Organization"],"@id":"https:\/\/home.apeconsulting.co.uk\/adrian\/#\/schema\/person\/f63f15ff50bb8f956afdd86a816c5d2a","name":"Adrian","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/secure.gravatar.com\/avatar\/c2e5d9012573aedee25fd68deb071781d974af50ae74bf73aeb0e70433f7390c?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/c2e5d9012573aedee25fd68deb071781d974af50ae74bf73aeb0e70433f7390c?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c2e5d9012573aedee25fd68deb071781d974af50ae74bf73aeb0e70433f7390c?s=96&d=mm&r=g","caption":"Adrian"},"logo":{"@id":"https:\/\/secure.gravatar.com\/avatar\/c2e5d9012573aedee25fd68deb071781d974af50ae74bf73aeb0e70433f7390c?s=96&d=mm&r=g"}}]}},"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p90DI4-5nG","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/home.apeconsulting.co.uk\/adrian\/wp-json\/wp\/v2\/posts\/20688","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/home.apeconsulting.co.uk\/adrian\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/home.apeconsulting.co.uk\/adrian\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/home.apeconsulting.co.uk\/adrian\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/home.apeconsulting.co.uk\/adrian\/wp-json\/wp\/v2\/comments?post=20688"}],"version-history":[{"count":5,"href":"https:\/\/home.apeconsulting.co.uk\/adrian\/wp-json\/wp\/v2\/posts\/20688\/revisions"}],"predecessor-version":[{"id":20693,"href":"https:\/\/home.apeconsulting.co.uk\/adrian\/wp-json\/wp\/v2\/posts\/20688\/revisions\/20693"}],"wp:attachment":[{"href":"https:\/\/home.apeconsulting.co.uk\/adrian\/wp-json\/wp\/v2\/media?parent=20688"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/home.apeconsulting.co.uk\/adrian\/wp-json\/wp\/v2\/categories?post=20688"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/home.apeconsulting.co.uk\/adrian\/wp-json\/wp\/v2\/tags?post=20688"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}