How do I renew a Let's Encrypt SSL certificate in a Bitnami stack hosted on a Lightsail instance?

The Let's Encrypt SSL certificate installed for my website in an Amazon Lightsail Bitnami instance is about to expire. How do I renew it?

Short description

Let's Encrypt SSL certificates expire 90 days after creation. If you installed a standard Let's Encrypt certificate by following the steps provided in How do I install a standard Let's Encrypt certificate in a Bitnami stack hosted on Amazon Lightsail?, then the SSL certificate automatically renews. However, the automatic renewal might fail if it's not configured correctly.

If you installed a wildcard Let's Encrypt certificate by following Method 2 in How do I install a wildcard Let's Encrypt SSL certificate in a Bitnami stack hosted on Amazon Lightsail?, then you need to renew the certificate manually. Method 2 doesn't support automatic renewal.

The following resolution covers renewing the certificate manually on Bitnami-hosted Lightsail instances, such as WordPress, LAMP, Magento, MEAN, and so on. The following resolution doesn't provide guidance on finding why automatic renewal failed.

Resolution

Before you begin

Identify which of the following tools you used to install the certificate:

  • "bncert-tool" or "Lego" client provided by Bitnami
  • "Certbot" package

To identify the tool that you used to install the SSL certificate, do the following:

1.    Run the following command to search for the certificate file in the directories /etc/letsencrypt and /opt/bitnami/letsencrypt. Make sure to replace DOMAIN with your domain name.

sudo grep -irl "$(openssl s_client -verify_quiet -showcerts -connect DOMAIN:443 </dev/null 2>/dev/null | sed -n '/BEGIN/,/END/{p;/END/q}' | head -n 3 | tail -n 2)" /opt/bitnami/letsencrypt /etc/letsencrypt

2.    If the certificate file is inside the subdirectories of /opt/bitnami/letsencrypt, then the certificate was probably installed using bncert-tool or the Lego client. To verify this, run the following command:

sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt list

If the output of the command in step 1 matches the certificate path provided by the preceding command, then your certificate was installed using bncert-tool or Lego.

If the certificate file is inside the subdirectories of /etc/letsencrypt, then the certificate was probably installed using Certbot. To verify this, run the following command:

sudo certbot certificates

If the output of the command in step 1 matches the certificate path provided by the preceding command (if any), then your certificate was installed using Certbot.

Renew a Let's Encrypt certificate installed using bncert-tool or Lego tool

Run the following commands:

sudo /opt/bitnami/ctlscript.sh stop
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start

In the preceding commands, replace EMAIL-ADDRESS and DOMAIN with the correct values.

You can use any working email address, or the same email address that you used when you installed the certificate. To retrieve the email address that you used when installing the certificate, run the following command:

sudo ls /opt/bitnami/letsencrypt/accounts/acm*

You can confirm the domain name by running the following command:

sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt list

Renew a Let's Encrypt certificate installed using Certbot tool

Determine the authentication method that you used to install the certificate. To do this, run the following command. Replace DOMAIN with the primary domain name of your certificate. To determine the domain name, run the sudo certbot certificates command.

sudo cat /etc/letsencrypt/renewal/DOMAIN.conf

In the command output, view the authenticator parameter value.

If the authenticator parameter value is standalone, webroot, apache, nginx, dns-route53, and so on, then complete the renewal by running the following commands:

sudo /opt/bitnami/ctlscript.sh stop
sudo certbot renew
sudo /opt/bitnami/ctlscript.sh start

The preceding commands renew all installed certificates that are due to be renewed.
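The identification steps under "Before you begin" and the two renewal sequences above combine naturally into one script. The following is an added example and is not part of the AWS article or of Bitnami's tooling: it detects which client issued the certificate that the host is actually serving, refuses to run a non-interactive renewal when Certbot's renewal config says the certificate was issued with a manual DNS challenge, and after renewing checks the served certificate rather than the file on disk, which catches the case where the web server was never restarted. LEGO_DIR and CERTBOT_DIR default to the article's paths; the LE_LEGO_DIR, LE_CERTBOT_DIR, LE_DOMAIN, LE_EMAIL and DRY_RUN variables are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the AWS article or Bitnami's tooling: detect which
# client issued the certificate a Bitnami host serves and apply the matching
# renewal sequence from the article. LEGO_DIR and CERTBOT_DIR default to the
# article's paths; the LE_LEGO_DIR / LE_CERTBOT_DIR overrides are hypothetical
# and exist so the logic can be exercised against a scratch directory.
set -u

LEGO_DIR="${LE_LEGO_DIR:-/opt/bitnami/letsencrypt}"
CERTBOT_DIR="${LE_CERTBOT_DIR:-/etc/letsencrypt}"

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# PEM of the leaf certificate the server actually presents. </dev/null stops
# s_client from waiting on the terminal; -servername sends SNI.
fetch_served_cert() {
    openssl s_client -servername "$1" -connect "$1:443" -showcerts </dev/null 2>/dev/null |
        sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/{p;/END CERTIFICATE/q}'
}

# Print lego, certbot or unknown, according to where a file containing the
# PEM in $1 lives. As in the article, two base64 body lines are the needle
# (grep treats each line as a separate pattern); they are unique enough and
# never match the BEGIN/END header lines.
classify_cert_source() {
    needle=$(sed -n '2,3p' "$1")
    if [ -d "$LEGO_DIR" ] && grep -rlF -- "$needle" "$LEGO_DIR" >/dev/null 2>&1; then
        echo lego
    elif [ -d "$CERTBOT_DIR" ] && grep -rlF -- "$needle" "$CERTBOT_DIR" >/dev/null 2>&1; then
        echo certbot
    else
        echo unknown
    fi
}

# Certbot's renewal config for $1 says authenticator=manual with a DNS
# challenge: "certbot renew" cannot satisfy that non-interactively.
certbot_needs_manual_dns() {
    conf="$CERTBOT_DIR/renewal/$1.conf"
    [ -f "$conf" ] || return 1
    grep -Eq '^authenticator *= *manual' "$conf" && grep -Eq '^pref_challs *= *dns' "$conf"
}

# Renewal sequence for the detected tool: $1 tool, $2 domain, $3 account email.
renew_with() {
    case "$1" in
        lego)
            run sudo /opt/bitnami/ctlscript.sh stop
            run sudo "$LEGO_DIR/lego" --tls --email="$3" --domains="$2" --path="$LEGO_DIR" renew --days 90
            run sudo /opt/bitnami/ctlscript.sh start ;;
        certbot)
            if certbot_needs_manual_dns "$2"; then
                echo "$2: manual DNS authenticator; renew interactively with certonly" >&2
                return 3
            fi
            run sudo /opt/bitnami/ctlscript.sh stop
            # Rehearse against the staging CA first; a failure here is the
            # misconfigured auto-renewal case the article mentions, and the
            # services are started again either way.
            rc=0
            run sudo certbot renew --dry-run && run sudo certbot renew || rc=$?
            run sudo /opt/bitnami/ctlscript.sh start
            return "$rc" ;;
        *)
            echo "$2: could not determine which client issued the certificate" >&2
            return 2 ;;
    esac
}

# Post-renewal check on the *served* certificate ($1 domain, $2 minimum days):
# a renewed file on disk that the web server never reloaded still fails here.
served_cert_valid_for_days() {
    fetch_served_cert "$1" | openssl x509 -noout -checkend "$(( $2 * 86400 ))"
}

# Usage: LE_DOMAIN=example.com LE_EMAIL=admin@example.com sh renew-bitnami-cert.sh
if [ -n "${LE_DOMAIN:-}" ]; then
    pem=$(mktemp) && fetch_served_cert "$LE_DOMAIN" > "$pem"
    renew_with "$(classify_cert_source "$pem")" "$LE_DOMAIN" "${LE_EMAIL:?set LE_EMAIL}" &&
        served_cert_valid_for_days "$LE_DOMAIN" 30 &&
        echo "$LE_DOMAIN: renewed, served certificate valid for more than 30 days"
    rm -f "$pem"
fi
```

Run it with DRY_RUN=1 first to see the exact command sequence it would execute for your host. The served-certificate check at the end is the part most worth keeping even if you renew by hand: the article's stop/start around the renewal exists precisely because Apache or Nginx keeps serving the old certificate until it is restarted.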

If the authenticator parameter value is manual and the pref_challs parameter value is dns, then it isn't possible to set up automatic renewal. You must renew the certificate manually using the following steps, and you must repeat them each time the certificate is due for renewal.

1.    This method requires adding TXT records in the domain's DNS provider. This process might take some time, so it's a best practice to run the commands in Linux GNU Screen to prevent the session from timing out. To start a Screen session, enter the following command:

screen -S letsencrypt

2.    Run the following command and note the Domains parameter value in the output. In the following command, replace DOMAIN with the primary domain name of your certificate.

sudo certbot certificates -d DOMAIN

3.    Run the following command to renew the certificate. Include each domain that you found in the previous command with the -d option, in the same order. If you add domains, remove any current domains, or change the order of the domains, Certbot might create a new certificate named DOMAIN-001 instead of renewing the original certificate.

sudo certbot certonly --manual --preferred-challenges dns -d DOMAIN-1 -d DOMAIN-2 --force-renewal

4.    You receive a prompt to verify that you own the specified domain by adding TXT records to the DNS records for your domain. Let's Encrypt provides either a single or multiple TXT records that you must use for verification.

5.    When you see a TXT record on the screen, first add the provided record in your domain's DNS. DO NOT PRESS ENTER until you confirm that the TXT record has propagated to the internet's DNS. Also, DO NOT PRESS CTRL+D, because this ends the current Screen session.

6.    To confirm that the TXT record has propagated to the internet's DNS, look it up at DNS Text Lookup. Enter the following text into the text box and choose TXT Lookup to run the check. Be sure to replace example.com with your domain.

_acme-challenge.example.com

7.    If your TXT records have propagated to the internet's DNS, you see the TXT record value on the page. You can now return to the Screen session and press ENTER.

8.    If you're disconnected from the shell, you can return to the session by running the command screen -r SESSIONID. Get the session ID by running the command screen -ls.

9.    If the Certbot prompt asks you to add another TXT record, then repeat steps 5 through 8.

10.    After the SSL certificate generates successfully, you receive the message "Successfully received certificate".
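Steps 5 through 8 hinge on not pressing ENTER before the _acme-challenge TXT record is visible on the public internet. The following added example (not from the AWS article) automates that check from the command line so that it can run in a second Screen window next to the Certbot session: it polls a public resolver for the TXT value Certbot printed and returns only once the value is published. It assumes dig (the dnsutils package on Debian-based Bitnami images) is installed; the resolver address and the ACME_RESOLVER, ACME_NAME and ACME_VALUE variable names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the AWS article: poll public DNS for the
# _acme-challenge TXT value Certbot prints, so ENTER is only pressed once the
# record is visible. Run it in a second Screen window (for example
# "screen -S dnscheck") beside the certbot session. The resolver address is an
# assumption; query a public recursive resolver rather than your authoritative
# server, because Let's Encrypt validates from the public DNS view as well.
set -u

RESOLVER="${ACME_RESOLVER:-1.1.1.1}"

# Print the TXT values currently published for $1, one per line, without the
# quotes that dig wraps around each value.
lookup_txt() {
    dig +short TXT "$1" "@$RESOLVER" | tr -d '"'
}

# Return 0 when $2 is exactly one of the TXT values at $1. Several values are
# normal when one certificate covers several names or the apex plus a wildcard,
# and stale values from earlier renewals are often still present.
txt_value_present() {
    lookup_txt "$1" | grep -Fqx -- "$2"
}

# Poll every $3 seconds (default 15) for at most $4 tries (default 40) until
# the value appears; returns 1 if it never does.
wait_for_txt() {
    name="$1"; value="$2"; interval="${3:-15}"; tries="${4:-40}"
    n=0
    while [ "$n" -lt "$tries" ]; do
        if txt_value_present "$name" "$value"; then
            echo "$name: value visible at $RESOLVER after $n polls"
            return 0
        fi
        n=$((n + 1))
        sleep "$interval"
    done
    echo "$name: value not visible after $tries polls" >&2
    return 1
}

# Usage: ACME_NAME=example.com ACME_VALUE=<token certbot printed> sh wait-txt.sh
if [ -n "${ACME_NAME:-}" ]; then
    wait_for_txt "_acme-challenge.$ACME_NAME" "${ACME_VALUE:?set ACME_VALUE}"
fi
```

Whole-line matching (grep -x) matters here: a stale token from a previous renewal, or a record you added with a typo, will not satisfy Let's Encrypt, so a substring match would give false confidence.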

AWS OFFICIAL (updated 2 years ago)