The Let's Encrypt SSL certificate installed for my website in an Amazon Lightsail Bitnami instance is about to expire.
Short description
Let's Encrypt SSL certificates expire 90 days after creation. Standard certificates renew automatically when you install them by following the steps in How do I install a Let's Encrypt SSL certificate in a Bitnami stack that's hosted on Lightsail? However, the automatic renewal might fail if the certificate isn't configured correctly.
If you installed a wildcard Let's Encrypt certificate with Method 2 in How do I install a wildcard Let's Encrypt SSL certificate in a Bitnami stack that's hosted on Amazon Lightsail?, then you must renew the certificate manually, because Method 2 doesn't support automatic renewal.
The following resolution covers how to renew a certificate manually on Bitnami-hosted Lightsail instances, such as WordPress, LAMP, Magento, and MEAN.
Resolution
Identify the certificate installation tool
To identify the tool that you used to install the SSL certificate, do the following:
1. Run the following command to search for the certificate that your site currently serves in the directories /etc/letsencrypt and /opt/bitnami/letsencrypt. Make sure to replace DOMAIN with your domain name.
sudo grep -irl "$(openssl s_client -verify_quiet -showcerts -connect DOMAIN:443 2>/dev/null | sed -n '/BEGIN/,/END/{p;/END/q}' | head -n 3 | tail -n 2)" /opt/bitnami/letsencrypt /etc/letsencrypt
2. If the certificate file is inside a subdirectory of /opt/bitnami/letsencrypt, then the certificate was probably installed with bncert-tool or the Lego client. To verify this, run the following command:
sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt list
If the output of the command in step 1 matches the certificate path that the lego command returns, then your certificate was installed with bncert-tool or Lego.
If the certificate file is inside a subdirectory of /etc/letsencrypt, then the certificate was probably installed with Certbot. To verify this, run the following command:
sudo certbot certificates
If the output of the command in step 1 matches the certificate path that the certbot command returns, then your certificate was installed with Certbot.
Based on the identified tool, follow the related resolution steps.
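The identification above can be scripted so that it compares certificate fingerprints rather than grepping PEM text, and also reports how many days the served certificate has left. This is an added example, not the article's own command: it assumes GNU date and openssl are available, and the tool-to-directory mapping is the one the article describes.

```shell
# Added example, not from the AWS article: report which client owns the
# certificate that a host currently serves, and how many days it has left.
# Assumes GNU date; the search roots default to the two the article names.

# SHA-256 fingerprint of the leaf certificate that a TLS endpoint serves.
served_fingerprint() { # $1 = domain
  openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the first certificate in a PEM file (empty if none).
file_fingerprint() { # $1 = path
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Whole days until the certificate in a PEM file expires (negative = expired).
days_left() { # $1 = path
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  echo $(( ($(date -d "$end" +%s) - $(date +%s)) / 86400 ))
}

# Print "<tool> <path>" for every certificate file under the given roots whose
# fingerprint matches. The tool is inferred from the tree, as the article does:
# /etc/letsencrypt belongs to Certbot, /opt/bitnami/letsencrypt to Lego/bncert.
find_matching_cert() { # $1 = fingerprint, $2... = search roots
  fp="$1"; shift
  for root in "$@"; do
    [ -d "$root" ] || continue
    find "$root" -type f \( -name '*.pem' -o -name '*.crt' \) 2>/dev/null |
      while read -r f; do
        [ "$(file_fingerprint "$f")" = "$fp" ] || continue
        case "$f" in
          /etc/letsencrypt/*)         echo "certbot $f" ;;
          /opt/bitnami/letsencrypt/*) echo "lego-or-bncert $f" ;;
          *)                          echo "unknown $f" ;;
        esac
      done
  done
}

# Usage: sudo sh which_cert.sh example.com
if [ $# -ge 1 ]; then
  fp=$(served_fingerprint "$1")
  echo "served certificate: $fp"
  find_matching_cert "$fp" /opt/bitnami/letsencrypt /etc/letsencrypt |
    while read -r tool path; do
      echo "$tool $path ($(days_left "$path") days left)"
    done
fi
```

Run it with sudo, because the certificate directories are root-owned; a match under neither tree means the served certificate was installed some other way.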
Renew a Let's Encrypt certificate installed with bncert-tool or Lego tool
Run the following commands:
sudo /opt/bitnami/ctlscript.sh stop
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start
Note: Replace EMAIL-ADDRESS with any of your working email addresses, or with the same email address that you used when you installed the certificate. Replace DOMAIN with your domain name.
You can retrieve the email address that you used to install the certificate with the following command:
sudo ls /opt/bitnami/letsencrypt/accounts/acm*
If needed, confirm the domain name with the following command:
sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt list
Renew a Let's Encrypt certificate installed with Certbot tool
To determine the authentication method that you used to install the certificate, run the following command:
sudo cat /etc/letsencrypt/renewal/DOMAIN.conf
Note: Replace DOMAIN with the primary domain name of your certificate.
In the command output, check the authenticator parameter value. Based on the value, use one of the following renewal methods:
If the authenticator parameter value is standalone, webroot, apache, nginx, dns-route53, or any other value that isn't manual, then complete the renewal with the following commands:
sudo /opt/bitnami/ctlscript.sh stop
sudo certbot renew
sudo /opt/bitnami/ctlscript.sh start
These commands renew all installed certificates that are due to be renewed.
- or -
If the authenticator parameter value is manual and the pref_challs parameter value is dns, then you can't set up automatic renewal. You must renew the certificate manually with the following steps. Note: You must repeat these steps every time that you renew the certificate.
1. This method requires you to add TXT records at your domain's DNS provider. It's a best practice to run the commands in a Linux GNU Screen session to prevent the session from timing out. For more information, see How to use Linux Screen on the Linuxize website.
To start a Screen session, enter the following command:
screen -S letsencrypt
2. Run the following command and note the Domains parameter value. Replace DOMAIN with the primary domain name of your certificate:
sudo certbot certificates -d DOMAIN
3. Run the following command to renew the certificate. Make sure to include each domain that you found in the previous command with the -d option, in the same order. If you add, remove, or change the order of domains, then a new certificate might be created instead of renewing the original certificate.
sudo certbot certonly --manual --preferred-challenge dns -d DOMAIN-1 -d DOMAIN-2 --force-renewal
4. You receive a prompt to verify that you own the specified domain. To complete the verification, you add TXT records to the DNS records for your domain. Let's Encrypt provides one or more TXT records that you must use for verification.
5. When a TXT record appears on the screen, add the provided record to your domain's DNS.
Important: Don't press Enter until you confirm that the TXT record is propagated to internet DNS. Don't press CTRL+D, because this ends the current Screen session.
6. To confirm that the TXT record is propagated to internet DNS, look it up at DNS Text Lookup on the MX Toolbox website. Enter the following text into the text box:
_acme-challenge.example.com
Note: Replace example.com with your domain.
7. Choose TXT Lookup to run the check.
8. If your TXT record propagated to the internet's DNS, then you see the TXT record value on the page. Return to the Screen session and press Enter.
9. If you're disconnected from the shell, then reattach to the session with the command screen -r SESSIONID.
10. To get the session ID, run the screen -ls command.
11. If the Certbot prompt asks you to add another TXT record, then repeat steps 5 through 8.
After the SSL certificate is generated successfully, you receive the following message: "Successfully received certificate".
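The propagation check in steps 5 through 8 can also be done from a second terminal instead of a web lookup, which avoids pressing Enter too early. This is an added example and not part of the article: it assumes dig is installed, and the list of public resolvers is an assumption you can change.

```shell
# Added example, not from the AWS article: confirm from the shell that the
# _acme-challenge TXT record Certbot asked for is visible on public resolvers
# before you press Enter in the Certbot prompt. Assumes dig is installed; the
# resolver list is an assumption and can be changed.

RESOLVERS="8.8.8.8 1.1.1.1 9.9.9.9"

# Normalise dig's short TXT output on stdin: drop the quotes and join strings
# that dig prints as "abc" "def", so each line becomes one plain value.
normalize_txt() {
  sed 's/" "//g; s/^"//; s/"$//'
}

# Succeed only if the exact expected token is one of the values on stdin.
token_present() { # $1 = token shown by certbot
  normalize_txt | grep -qxF -- "$1"
}

# Ask one resolver for the challenge record of a domain.
query_txt() { # $1 = resolver, $2 = domain
  dig +short +time=3 +tries=1 TXT "_acme-challenge.$2" "@$1"
}

# Check every resolver and report which ones already see the token. Succeeds
# only when all of them do, which is the point at which it is safe to continue.
check_propagation() { # $1 = domain, $2 = token
  seen=0; total=0
  for ns in $RESOLVERS; do
    total=$((total + 1))
    if query_txt "$ns" "$1" | token_present "$2"; then
      echo "$ns: found"; seen=$((seen + 1))
    else
      echo "$ns: not yet"
    fi
  done
  [ "$seen" -eq "$total" ]
}

# Usage: sh check_txt.sh example.com <token shown by certbot>
# Polls every 30 seconds until all resolvers answer, then tells you to continue.
if [ $# -eq 2 ]; then
  until check_propagation "$1" "$2"; do sleep 30; done
  echo "Record propagated everywhere; return to the Screen session and press Enter."
fi
```

If Certbot asks for a second record on the same name (step 11), run the script again with the new token; an old token still being visible is not enough.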