The Let's Encrypt SSL certificate installed for my website in an Amazon Lightsail Bitnami instance is about to expire.
Short description
Let's Encrypt SSL certificates expire 90 days after creation. If you installed a standard Let's Encrypt certificate by following the steps provided in How do I install a Let's Encrypt SSL certificate in a Bitnami stack that's hosted on Lightsail?, then the SSL certificate automatically renews. However, the automatic renewal might fail if it's not configured correctly.
If you installed a wildcard Let's Encrypt certificate by using Method 2 in How do I install a wildcard Let's Encrypt SSL certificate in a Bitnami stack hosted on Amazon Lightsail?, then you need to renew the certificate manually. Method 2 doesn't support automatic renewal.
The following resolution covers how to renew a certificate manually on Bitnami-hosted Lightsail instances, such as WordPress, LAMP, Magento, and MEAN.
Resolution
Identify the certificate installation tool
Identify the tool that you used to install the SSL certificate. To do so, complete the following steps:
1. Run the following command to search for the certificate file in the directories /etc/letsencrypt and /opt/bitnami/letsencrypt. Make sure to replace DOMAIN with your domain name. The command fetches the certificate that your server currently presents on port 443, takes two lines of its PEM body, and searches both directories for a file that contains them. Redirecting stdin from /dev/null makes openssl s_client exit after it prints the certificate instead of waiting for input.
sudo grep -irl "$(openssl s_client -verify_quiet -showcerts -servername DOMAIN -connect DOMAIN:443 </dev/null 2>/dev/null | sed -n '/BEGIN/,/END/{p;/END/q}' | head -n 3 | tail -n 2)" /opt/bitnami/letsencrypt /etc/letsencrypt
2. If the certificate file is inside the subdirectories of /opt/bitnami/letsencrypt, then the certificate was probably installed with bncert-tool or the Lego client. To verify this, run the following command:
sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt list
If the output of the command in step 1 matches the certificate path provided by the second command, then your certificate was installed with bncert-tool or Lego.
If the certificate file is inside the subdirectories of /etc/letsencrypt, then the certificate was probably installed with Certbot. To verify this, run the following command:
sudo certbot certificates
If the output of the command in step 1 matches the certificate path provided by the certbot command, then your certificate was installed with Certbot.
Based on the identified tool, follow the related resolution steps.
Renew a Let's Encrypt certificate installed with bncert-tool or Lego tool
Run the following commands. The Lego --tls option uses the TLS-ALPN-01 challenge on port 443, so the Bitnami services are stopped first to free the port and started again after the renewal:
sudo /opt/bitnami/ctlscript.sh stop
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start
For all commands, replace EMAIL-ADDRESS and DOMAIN with the correct values. For EMAIL-ADDRESS, use any of your working email addresses, or use the same email address that you used when you installed the certificate. To retrieve the email address that you used to install the certificate, run the following command:
sudo ls /opt/bitnami/letsencrypt/accounts/acm*
If needed, then confirm the domain name with the following command:
sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt list
Renew a Let's Encrypt certificate installed with Certbot tool
Run the following command to determine the authentication method that you used to install the certificate. Replace DOMAIN with the primary domain name of your certificate:
sudo cat /etc/letsencrypt/renewal/DOMAIN.conf
In the command output, view the authenticator parameter value. Based on the value, follow one of the following renewal methods:
If the authenticator parameter value is standalone, webroot, apache, nginx, dns-route53, or any other value that isn't manual, then complete the renewal with the following commands:
sudo /opt/bitnami/ctlscript.sh stop
sudo certbot renew
sudo /opt/bitnami/ctlscript.sh start
These commands renew all installed certificates that are due to be renewed.
- or -
If the authenticator parameter value is manual and the pref_challs parameter value is dns, then it isn't possible to set up automatic renewal. You must renew the certificate manually with the following steps. Note: You must repeat these steps whenever you renew the certificate.
1. This method requires you to add TXT records at your domain's DNS provider. It's a best practice to run the commands in Linux GNU Screen to prevent the session from timing out. For more information, see How to use Linux Screen.
To start a Screen session, enter the following command:
screen -S letsencrypt
2. Run the following command and note the Domains parameter value. Replace DOMAIN with the primary domain name of your certificate:
sudo certbot certificates -d DOMAIN
3. Run the following command to renew the certificate. Make sure to include each domain that you found in the previous command with the -d option, in the same order. If you add, remove, or change the order of domains, then a new certificate might be created instead of renewing the original certificate.
sudo certbot certonly --manual --preferred-challenges dns -d DOMAIN-1 -d DOMAIN-2 --force-renewal
4. You receive a prompt to verify that you own the specified domain. To complete this verification, you add TXT records to the DNS records for your domain. Let's Encrypt provides one or more TXT records that you must use for verification.
5. When you see a TXT record on the screen, add the provided record to your domain's DNS.
Important: Don't press Enter until you confirm that the TXT record has propagated to the internet's DNS. Don't press CTRL+D, because this ends the current Screen session.
6. To confirm that the TXT record has propagated to the internet's DNS, look it up with DNS Text Lookup on the MX Toolbox website. Enter the following text into the text box, and then choose TXT Lookup to run the check. Replace example.com with your domain:
_acme-challenge.example.com
7. If your TXT records propagated to the internet's DNS, then you see the TXT record value on the page. You can now return to the screen and press Enter.
8. If you're disconnected from the shell, then reattach to the session with the command screen -r SESSIONID. Run the screen -ls command to get the session ID.
9. If the Certbot prompt asks you to add another TXT record, then complete steps 5 through 8 again.
10. After the SSL certificate generates successfully, you receive the message "Successfully received certificate".
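To make the decision in the Certbot section repeatable, the following shell function reads a renewal conf file and reports which of the two renewal paths applies (automatic certbot renew, or the manual DNS procedure above). This is an added example, not part of the AWS page: the renewal conf contents and paths are constructed sample values, and conf_value and renewal_method are hypothetical helper names.

```shell
#!/bin/sh
# Added example: classify a Certbot renewal conf the way the Certbot section does by hand.
# Assumes the "key = value" layout that Certbot writes to /etc/letsencrypt/renewal/DOMAIN.conf.
set -eu

# Print the value of key $2 from conf file $1 (first match, whitespace stripped).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# Print "auto" when "sudo certbot renew" can renew the certificate,
# "manual-dns" when the manual DNS-01 procedure is required, or
# "manual-other" for a manual authenticator with a non-DNS challenge
# (a case the page does not cover; inspect the conf by hand).
renewal_method() {
    auth=$(conf_value "$1" authenticator)
    challs=$(conf_value "$1" pref_challs)
    case "$auth" in
        manual)
            # Certbot stores the list as "dns-01," so match on the prefix.
            case "$challs" in
                dns*) echo manual-dns ;;
                *)    echo manual-other ;;
            esac ;;
        *) echo auto ;;
    esac
}

# Constructed sample renewal conf (not copied from any real system).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# renew_before_expiry = 30 days
version = 2.6.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
[renewalparams]
account = 0123456789abcdef
authenticator = manual
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
EOF

echo "renewal method for $SAMPLE_CONF: $(renewal_method "$SAMPLE_CONF")"
```

Point the function at a real /etc/letsencrypt/renewal/DOMAIN.conf (with sudo, since the directory is root-only) to check an instance before its 90-day expiry.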