The problem
You have detected that your letsencrypt certificate expired, and now you want to renew it. This article shows how to do this on a machine called "support" which runs on Ubuntu 16.04 and lighttpd as webserver.
The Solution
The solution is simple. Just follow the steps below.
1.) Stop lighttpd
The first thing you have to do is to stop lighttpd (or any other service which binds to your webservers port 80).
* Stopping web server lighttpd [ OK ]
2.) Renew the certificate
This is also an easy one. Just call the correct script, and let letsencrypt do it's magic.
Upgrading certbot-auto 0.7.0 to 0.8.1...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Requesting root privileges to run certbot...
/home/gue/.local/share/letsencrypt/bin/letsencrypt renew
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.support.acme.com.conf
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.support.acme.com/fullchain.pem
-------------------------------------------------------------------------------
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/www.support.acme.com/fullchain.pem (success)
Cool - our certificate was renewed, and the new certificate is available somewhere under the /etc/letsencrypt/live directory. So lets have a look at them:
root@support:~# cd /etc/letsencrypt/live/www.support.acme.com
root@support:/etc/letsencrypt/live/www.support.acme.com# ls -l
insgesamt 12
drwxr-xr-x 2 root root 4096 Jul 20 11:16 ./
drwx------ 3 root root 4096 Mär 21 08:35 ../
lrwxrwxrwx 1 root root 47 Jul 20 11:16 cert.pem -> ../../archive/www.support.acme.com/cert2.pem
lrwxrwxrwx 1 root root 48 Jul 20 11:16 chain.pem -> ../../archive/www.support.acme.com/chain2.pem
lrwxrwxrwx 1 root root 52 Jul 20 11:16 fullchain.pem -> ../../archive/www.support.acme.com/fullchain2.pem
lrwxrwxrwx 1 root root 50 Jul 20 11:16 privkey.pem -> ../../archive/www.support.acme.com/privkey2.pem
-rw-r--r-- 1 root root 3526 Apr 12 09:44 ssl.pem
root@support:~#
Jup - here they are. Every file (except the ssl.pem) file has gotten a new timestamp.Whats wrong with the ssl.pem, why wasn't it upgraded ?
3.) Merge the certificate for lighttpd
Well. If you read my article about how to setup a free ssl certificate for lighttpd with letsencrypt then you could probably remember that lighttps needs a special format for it's certificate - which is excatly the one in the ssl.pem. So the key to success is to recreate the ssl.pem file (or whatever you called it in the lighttpd configuration)
root@support:/etc/letsencrypt/live/www.support.acme.com# ls -l ssl.pem
-rw-r--r-- 1 root root 3526 Jul 20 11:20 ssl.pem
root@support:~# exit
Logged off
Be sure to have write access to the directory because otherwise you will not be able to create the ssl.pem file. In my example I ensured write access by logging in as root (via ) but there are other ways to do this.
4.) Restart lighttpd
The last step is to restart the webserver which was turned off in step 1.
* Starting web server lighttpd [ OK ]
gue@support:~$
Finally check the webserver logfiles for any overseen errors and if your web browser complains about the new certificate. Usually this works out of the box perfectly.
That's it, have fun !
![[RSS]](/resources/icons/silk/bullet_feed.png){kind=icon}
