Dev Notes

Software Development Resources by David Egan.

Reorganise Letsencrypt Certificates


SSL, Sysadmin
David Egan

This article refers to a Letsencrypt client as installed by sudo apt-get install python-letsencrypt-apache. Up until quite recently, this was the recommended Letsencrypt installation for Ubuntu Xenial 16.04.

Insurance: Make a Backup!

Back up the entire /etc/letsencrypt directory by copying it recursively (the live/ directory holds symlinks into archive/, and they must survive the copy):

# Recursive copy; cp -a would additionally preserve ownership and permission bits
cp /etc/letsencrypt/ /etc/letsencrypt.backup -r

If you mess up during the process of certificate reorganisation, revert to the original and save the broken state for reference:

# Recover from broken state
mv /etc/letsencrypt /etc/letsencrypt.broken && mv /etc/letsencrypt.backup/ /etc/letsencrypt

Certificate Lineage

Determine each certificate lineage by listing the domains it covers. Each lineage has its own subdirectory under /etc/letsencrypt/live:

openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -text -noout | grep DNS
openssl x509 -in /etc/letsencrypt/live/www.example.com/cert.pem -text -noout | grep DNS

See Additional Information below for a breakdown of this command.

Remove a Superfluous Certificate

We determine that the example.com cert is superfluous and holds references to invalid domains. The cert is not in use, but it generates ugly error messages during the renewal dry-run.

Be careful - make sure the cert is not being referenced in any Virtual Host directives.

If you are sure it’s safe, remove it and run the renewal process:

rm -rf /etc/letsencrypt/live/example.com/
rm -rf /etc/letsencrypt/archive/example.com
rm /etc/letsencrypt/renewal/example.com.conf

# Attempt a dry-run renewal first if necessary
sudo letsencrypt renew --dry-run --agree-tos

# Run the renewal
sudo letsencrypt renew
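One way to perform the "is this cert referenced by a Virtual Host?" check before deleting anything, as an added example that is not part of the original post. It scans an Apache configuration directory for SSLCertificateFile/SSLCertificateKeyFile directives pointing into live/ and reports each lineage as referenced or unreferenced; the directory layout, domain names and vhost below are constructed for the demo, and the paths are parameters, not assumptions about your server.

```shell
#!/bin/sh
# Added example: audit which Let's Encrypt lineages an Apache config still references.

# Print lineage names referenced by SSLCertificate*File directives, one per line.
# $1 = Apache config directory, $2 = letsencrypt directory (the one holding live/)
referenced_lineages() {
    grep -rhE '^[[:space:]]*SSLCertificate(Key)?File[[:space:]]' "$1" 2>/dev/null \
        | awk -v live="$2/live/" '{
            p = $2; gsub(/"/, "", p)                 # strip optional quotes around the path
            if (index(p, live) == 1) {               # only paths inside <letsencrypt>/live/
                p = substr(p, length(live) + 1)      # drop the live/ prefix ...
                sub(/\/.*/, "", p)                   # ... and the file name, leaving the lineage
                print p
            }
        }' | sort -u
}

# For every lineage directory under live/, print "<name> referenced|unreferenced".
audit_lineages() {
    refs=$(referenced_lineages "$1" "$2")
    for d in "$2"/live/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        if printf '%s\n' "$refs" | grep -qxF "$name"; then
            echo "$name referenced"
        else
            echo "$name unreferenced"
        fi
    done
}

# Constructed fixture: two lineages, one vhost that references only www.example.com.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/le/live/example.com" "$DEMO/le/live/www.example.com" "$DEMO/apache/sites-enabled"
touch "$DEMO/le/live/example.com/fullchain.pem" "$DEMO/le/live/www.example.com/fullchain.pem"
cat > "$DEMO/apache/sites-enabled/www.conf" <<EOF
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile $DEMO/le/live/www.example.com/fullchain.pem
    SSLCertificateKeyFile $DEMO/le/live/www.example.com/privkey.pem
</VirtualHost>
EOF

audit_lineages "$DEMO/apache" "$DEMO/le"
```

On a real host run it as `audit_lineages /etc/apache2 /etc/letsencrypt`; a lineage reported as unreferenced is a candidate for removal, one reported as referenced is not.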

Reissue Certificate

I haven’t attempted this - but running the following should install a new certificate:

# CAUTION: Not tested
sudo letsencrypt certonly --webroot-path /var/www/html -d example.com -d www.example.com

If your virtual hosts for the specified domains are referencing certs like so:

SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

…the new cert should work.

Additional Information

OpenSSL is an open source toolkit for the SSL and TLS network protocols and related cryptography standards, accessed through the openssl command-line utility. The x509 command provides utilities for displaying, converting and signing certificates. Summary of the command used above:

  • -in filename: the input filename to read from (standard input if not specified)
  • -text: print the certificate in text form
  • -noout: prevent output of the encoded (PEM) version of the certificate

The text form output includes full details - public key, signature algorithm, issuer and subject names, serial number, extensions present, any trust settings, and the DNS names listed in the Subject Alternative Name extension. In the context of this article, we’re only interested in the certificate lineage and its associated domains, so the openssl x509 output is piped to grep DNS to show the DNS names only.
