Reorganise Letsencrypt Certificates

SSL, Sysadmin
David Egan

This article refers to a Letsencrypt client as installed by sudo apt-get install python-letsencrypt-apache. Up until quite recently, this was the recommended Letsencrypt installation for Ubuntu Xenial 16.04.

Insurance: Make a Backup!

Back up the entire /etc/letsencrypt directory by copying it recursively:

sudo cp -r /etc/letsencrypt /etc/letsencrypt.backup

If you mess up during the process of certificate reorganisation, revert to the original and save the broken state for reference:

# Recover from broken state: keep the broken tree for reference, restore the backup
sudo mv /etc/letsencrypt /etc/letsencrypt.broken && sudo mv /etc/letsencrypt.backup /etc/letsencrypt

Certificate Lineage

Determine certificate lineages by listing the domains covered by each certificate; each lineage has its own subdirectory under /etc/letsencrypt/live:

openssl x509 -in /etc/letsencrypt/live/ -text -noout | grep DNS
openssl x509 -in /etc/letsencrypt/live/ -text -noout | grep DNS

See additional information for a breakdown of this command.

Remove a Superfluous Certificate

In this case the cert is superfluous: it references domains that are no longer valid, it is not in use, and it only generates ugly error messages during the renewal dry-run.

Be careful: make sure the cert is not referenced by any SSLCertificateFile or SSLCertificateKeyFile directive in your virtual hosts.

If you are sure it’s safe, remove it and run the renewal process:

rm -rf /etc/letsencrypt/live/
rm -rf /etc/letsencrypt/archive/
rm /etc/letsencrypt/renewal/

# Attempt a dry-run renewal first if necessary
sudo letsencrypt renew --dry-run --agree-tos

# Run the renewal
sudo letsencrypt renew
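Before deleting a lineage it helps to see, for every lineage at once, which domains it covers and whether any Apache virtual host still points at it. The script below is an added example, not part of the original article or the Letsencrypt client: it reuses the article's openssl x509 | grep DNS approach and assumes the standard live/<lineage>/cert.pem layout and the /etc/apache2/sites-enabled config directory (override both with LE_DIR and APACHE_CONF_DIR).

```shell
#!/bin/sh
# Added example (not from the original article): audit each Letsencrypt lineage
# under live/ and report its SAN DNS names plus whether any Apache vhost config
# still references the lineage directory. Default paths are assumptions.
set -eu

LE_DIR="${LE_DIR:-/etc/letsencrypt}"
APACHE_CONF_DIR="${APACHE_CONF_DIR:-/etc/apache2/sites-enabled}"

# Print the DNS names from a certificate's Subject Alternative Name, one per
# line. Same openssl invocation as the article, with the "DNS:" tokens split out.
cert_domains() {
    openssl x509 -in "$1" -noout -text \
        | grep 'DNS:' \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^[:space:]]*\).*/\1/p'
}

# Succeed if any file under the Apache config dir mentions the lineage dir
# (e.g. in an SSLCertificateFile directive); fail otherwise.
lineage_referenced() {
    grep -rqF -- "$1" "$2" 2>/dev/null
}

# Walk every lineage and print: name, IN-USE/UNREFERENCED, covered domains.
audit_lineages() {
    for dir in "$1"/live/*/; do
        dir=${dir%/}
        [ -f "$dir/cert.pem" ] || continue
        if lineage_referenced "$dir" "$2"; then status=IN-USE; else status=UNREFERENCED; fi
        printf '%s\t%s\t%s\n' "$(basename "$dir")" "$status" \
            "$(cert_domains "$dir/cert.pem" | paste -sd, -)"
    done
}

# Only run the report when a letsencrypt tree is actually present.
if [ -d "$LE_DIR/live" ]; then
    audit_lineages "$LE_DIR" "$APACHE_CONF_DIR"
fi
```

A lineage reported as UNREFERENCED is a candidate for the rm steps above; one reported IN-USE must have its virtual host updated first.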

Reissue Certificate

I haven’t attempted this - but running the following should install a new certificate:

# CAUTION: Not tested
sudo letsencrypt certonly --webroot-path /var/www/html -d -d

If your virtual hosts for the specified domains are referencing certs like so:

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/

…the new cert should work.

Additional Information

OpenSSL is an open source toolkit for the SSL and TLS network protocols and related cryptography standards, accessed with the openssl command-line utility. The x509 command provides utilities for displaying, converting and signing certificates. Summary of the above command:

  • -in filename: the input filename to read from (standard input if not specified)
  • -text: print the certificate in text form
  • -noout: prevent output of the encoded version of the request

The text form output includes full details: public key, signature algorithms, issuer and subject names, serial number, extensions present, any trust settings, and the Subject Alternative Name entries (DNS names) covered by the certificate. In the context of this article we are only interested in the certificate lineage and its associated domains, so the openssl x509 output is piped to grep DNS to show the DNS: entries only.
