How to renew Let's Encrypt?

Yomi_Tsuku · September 1, 2017, 1:41am

I got the warning email but don’t know how to renew it.

robbyoconnor · September 1, 2017, 2:02am

There should be a cronjob that does it automatically for you.

Also:

gigperformer · September 25, 2018, 9:35pm

Our forum is down (i.e. blocked by Safari) due to this certificate having expired today. What’s the cron job? Can I run it manually?

robbyoconnor · November 20, 2018, 11:37pm

It should happen automatically for you if you are running via Docker. I have never needed to manually renew mine.

gigperformer · November 21, 2018, 12:29am

Thanks, Robby. The problem was due to the fact that I was blocking port 80 (seemed like a good idea from a security perspective) and didn’t realize that LetsEncrypt used port 80

supermathie · November 21, 2018, 5:19pm

Yep - outright blocking port 80 is usually a bad idea:

people trying to get to the http side won’t be able to connect and thus won’t get the redirect to https
let’s encrypt uses http to verify by necessity

Stephen · November 21, 2018, 5:23pm

Let’s Encrypt needs to expose itself on :80 because verification of the DNS name is done via HTTP.

You want to leave it open anyhow as Discourse will take care of any redirection from :80 to 443 for clients who try to visit the insecure URL. The same instance of nginx is listening on :80 and :443 so there’s nothing to be gained by shutting down that port, and as you’ve already learned there’s quite a lot to lose.

gigperformer · November 21, 2018, 6:28pm

Ah yes, if I’d known then what I had to later go off and learn to figure out why it didn’t work…

The thing is, I wasn’t using port 443 either. Externally, I was using a port in the high 10,000s and my firewall was redirecting those incoming requests to port 443.

Sigh

Stephen · November 21, 2018, 6:34pm

That’s always going to be the risk when you deviate from the recommended configuration.

There’s a lot of knowledge here on meta though - maybe next time you want to make those kinds of changes you can run them by us first and we can help you understand any implications and the safest way to make them.

One added benefit to the above is that anyone searching to do the same down the line will also see the advice when(if) they search.

robbyoconnor · November 24, 2018, 8:56pm

You should keep port 80 open and do a redirect to HTTPS. This is how most of the web handles things.

gigperformer · December 11, 2018, 3:19am

Thank you - but in general I don’t want to keep port 80 open — as I mentioned above, I don’t even expose port 443 publicly.
I guess I’ll just have to temporarily open it every few months, manually update LetsEncrypt and then close it again or else use the DNS challenge.

Stephen · December 12, 2018, 12:50am

The only difference between 80 and 443 is the certificate. Unless you don’t trust nginx it’s fine to leave open.

joao_pimentel_ferrei · January 24, 2020, 2:12pm

which cronjob do you refer to? Should I add it manually or it was done when I installed discourse? Which command should I add to cronjob? Cause certbot renew is failing on the discourse certificate

sedget · January 20, 2021, 9:10am

Got the same problem here, my certificate has expired on december 20

Topic		Replies	Views
Set up HTTPS support with Let's Encrypt sysadmin how-to	2	104851	February 25, 2024
HTTPS : issue while trying to set up SSL certification installation	25	1976	September 30, 2019
Trying to use Let's Encrypt + Cloudflare support	20	3000	March 4, 2019
SSL LetsEncrypt renewal not working (due to an extra reverse proxy on the outside) installation	9	895	October 16, 2020
Let's Encrypt cert renewals (suddenly) failing installation	27	2328	January 27, 2022

How to renew Let's Encrypt?

Related Topics