DEV Community

C I R L O R M ⚑
C I R L O R M ⚑

Posted on

Renew SSL certifications

Renewing an expired SSL certificate on an AWS EC2 instance using Certbot involves a few straightforward steps. This guide will walk you through the process to ensure your website remains secure and accessible.

Prerequisites:

  • An AWS EC2 instance running your web application.
  • Certbot installed on your EC2 instance.
  • Administrative (sudo) access to the EC2 instance.
  • Your domain is correctly pointed to your EC2 instance's public IP address.
  • Ports 80 (HTTP) and 443 (HTTPS) are open in your security groups.

Steps to Renew the SSL Certificate:


1. Connect to Your EC2 Instance

Use SSH to connect to your EC2 instance.

ssh -i /path/to/your/private-key.pem ec2-user@your-ec2-instance-public-dns

Enter fullscreen mode Exit fullscreen mode

Replace /path/to/your/private-key.pem with the path to your SSH key and ec2-user@your-ec2-instance-public-dns with your EC2 instance's user and public DNS.


2. Check Certbot Installation

Ensure that Certbot is installed on your system.

certbot --version

Enter fullscreen mode Exit fullscreen mode

If Certbot is not installed, install it using the following commands based on your OS:

For Ubuntu/Debian:

sudo apt update
sudo apt install certbot

Enter fullscreen mode Exit fullscreen mode

For Amazon Linux/CentOS:

sudo yum install certbot

Enter fullscreen mode Exit fullscreen mode

3. Stop Your Web Server (If Necessary)

Stopping your web server may be necessary if Certbot needs to bind to ports 80 or 443 directly.

For Apache:

sudo systemctl stop apache2

Enter fullscreen mode Exit fullscreen mode

For Nginx:

sudo systemctl stop nginx

Enter fullscreen mode Exit fullscreen mode

4. Renew the SSL Certificate

Attempt to renew all certificates managed by Certbot.

sudo certbot renew

Enter fullscreen mode Exit fullscreen mode

Notes:

  • Certbot automatically checks for certificates that are due for renewal and attempts to renew them.
  • If your certificate has already expired, you may need to force renewal or obtain a new certificate.

Force Renewal:

sudo certbot renew --force-renewal

Enter fullscreen mode Exit fullscreen mode

Obtain a New Certificate (if renewal fails):
Replace yourdomain.com with your actual domain name.

For Apache:

sudo certbot --apache -d yourdomain.com -d www.yourdomain.com

Enter fullscreen mode Exit fullscreen mode

For Nginx:

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Enter fullscreen mode Exit fullscreen mode

Using Standalone Mode (if no web server is running):

sudo certbot certonly --standalone -d yourdomain.com -d www.yourdomain.com

Enter fullscreen mode Exit fullscreen mode

5. Start Your Web Server

After renewal, restart your web server to apply the new certificate.

For Apache:

sudo systemctl start apache2

Enter fullscreen mode Exit fullscreen mode

For Nginx:

sudo systemctl start nginx

Enter fullscreen mode Exit fullscreen mode

6. Verify the Renewal

Check that your SSL certificate has been renewed successfully by accessing your website via HTTPS and inspecting the certificate details in your web browser.

Alternatively, use online tools like:


7. Set Up Automatic Renewal (Optional but Recommended)

Certbot can automatically renew certificates before they expire. This is often set up by default, but you can ensure it's configured correctly.

Check existing cron jobs:

sudo crontab -l

Enter fullscreen mode Exit fullscreen mode

If not present, add a cron job:

sudo crontab -e

Enter fullscreen mode Exit fullscreen mode

Add the following line to run renewal twice daily:

0 0,12 * * * /usr/bin/certbot renew --quiet

Enter fullscreen mode Exit fullscreen mode

This schedules the renewal process to run at midnight and noon every day.


8. Troubleshooting Common Issues

1. Port Conflicts:

  • Ensure no other service is occupying ports 80 or 443 during the renewal process.

2. DNS Issues:

  • Verify that your domain's DNS records correctly point to your EC2 instance's IP address.

3. Firewall Restrictions:

  • Confirm that your security groups allow inbound traffic on ports 80 and 443.

4. Permission Errors:

  • Run Certbot commands with sudo to ensure proper permissions.

5. Rate Limits:

  • Let's Encrypt enforces rate limits. If you hit these limits, you'll need to wait before attempting again or use the staging server for testing:

    sudo certbot renew --staging
    
    

Conclusion:
By following these steps, you should successfully renew your expired SSL certificate on your AWS EC2 instance using Certbot. Regularly monitor your certificates and ensure automatic renewals are functioning to maintain uninterrupted secure access to your services.

References:

Top comments (1)

Collapse
 
devops_descent profile image
DevOps Descent

Certbot recommends to install via snap now.
The official apt repository has outdated package.
Certbot does not require us to set-up any cron at all.πŸ‘€